IPSec problem RRAS to Watchguard

Max Metral

I'm having a problem with an IPSec tunnel between a Windows 2k3 box running
RRAS and a Watchguard Firebox. Main mode negotiation seems to work fine.
But during quick mode we see this error:

2-27: 18:04:16:359:6c0 ProcessFailure: sa:05F2EC98 centry:00000000 status:360d
2-27: 18:04:16:359:6c0 unable to process info-only exchange
2-27: 18:04:17:578:b10 retransmit: sa = 05F2EC98 centry 06036CE8 , count = 1
2-27: 18:04:17:578:b10
2-27: 18:04:17:578:b10 Sending: SA = 0x05F2EC98 to 193.131.10.2:Type 2.500
2-27: 18:04:17:578:b10 ISAKMP Header: (V1.0), len = 1116
2-27: 18:04:17:578:b10 I-COOKIE f51ef2e863da6abd
2-27: 18:04:17:578:b10 R-COOKIE 97d8c67d9a01ce11
2-27: 18:04:17:578:b10 exchange: Oakley Quick Mode
2-27: 18:04:17:578:b10 flags: 1 ( encrypted )
2-27: 18:04:17:578:b10 next payload: HASH
2-27: 18:04:17:578:b10 message ID: c5200577
2-27: 18:04:17:578:b10 Ports S:f401 D:f401
2-27: 18:04:17:703:6c0
2-27: 18:04:17:703:6c0 Receive: (get) SA = 0x05f2ec98 from 193.131.10.2.500
2-27: 18:04:17:703:6c0 ISAKMP Header: (V1.0), len = 84
2-27: 18:04:17:703:6c0 I-COOKIE f51ef2e863da6abd
2-27: 18:04:17:703:6c0 R-COOKIE 97d8c67d9a01ce11
2-27: 18:04:17:703:6c0 exchange: ISAKMP Informational Exchange
2-27: 18:04:17:703:6c0 flags: 1 ( encrypted )
2-27: 18:04:17:703:6c0 next payload: HASH
2-27: 18:04:17:703:6c0 message ID: 81f795e3
2-27: 18:04:17:703:6c0 processing HASH (Notify/Delete)
2-27: 18:04:17:703:6c0 Bad N/D Hash
2-27: 18:04:17:703:6c0 ProcessFailure: sa:05F2EC98 centry:00000000 status:360d
2-27: 18:04:17:703:6c0 unable to process info-only exchange
 
Do you have the rest of the Oakley log?

It's hard to tell from the snippet below. It might be that the peer is not
accepting the QM offers, and fails. It constructs a notify (incorrectly),
and we can't process it.
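
Added example, not part of either post: Python code that groups Oakley log lines like those quoted above into ISAKMP messages and pairs each received message that failed the Notify/Delete hash check with the Quick Mode message last sent on the same cookie pair. The function names are hypothetical, and the sample is the log from the first post with wrapped lines joined and header lines omitted.

```python
import re

# Lines from the log in the first post (wrapped lines joined, header/flag lines omitted).
SAMPLE = """\
2-27: 18:04:17:578:b10 Sending: SA = 0x05F2EC98 to 193.131.10.2:Type 2.500
2-27: 18:04:17:578:b10 I-COOKIE f51ef2e863da6abd
2-27: 18:04:17:578:b10 R-COOKIE 97d8c67d9a01ce11
2-27: 18:04:17:578:b10 exchange: Oakley Quick Mode
2-27: 18:04:17:578:b10 message ID: c5200577
2-27: 18:04:17:703:6c0 Receive: (get) SA = 0x05f2ec98 from 193.131.10.2.500
2-27: 18:04:17:703:6c0 I-COOKIE f51ef2e863da6abd
2-27: 18:04:17:703:6c0 R-COOKIE 97d8c67d9a01ce11
2-27: 18:04:17:703:6c0 exchange: ISAKMP Informational Exchange
2-27: 18:04:17:703:6c0 message ID: 81f795e3
2-27: 18:04:17:703:6c0 Bad N/D Hash
2-27: 18:04:17:703:6c0 ProcessFailure: sa:05F2EC98 centry:00000000 status:360d
2-27: 18:04:17:703:6c0 unable to process info-only exchange
"""
LINE = re.compile(r"^[ \t]*\S+ (\d+:\d+:\d+:\d+):([0-9a-f]+)[ \t]*(.*)$", re.M)
FIELD = re.compile(r"^(I-COOKIE|R-COOKIE|exchange|message ID):?\s*(.+)$")
ERRORS = ("Bad N/D Hash", "ProcessFailure", "unable to process")

def parse_messages(log_text):
    """Group log lines into one dict per ISAKMP message, tracked per logging thread."""
    messages, open_msg = [], {}
    for m in LINE.finditer(log_text):  # wrapped continuation lines do not match
        stamp, thread, text = (g.strip() for g in m.groups())
        if text.startswith(("Sending:", "Receive:")):
            open_msg[thread] = {"time": stamp, "dir": text.split(":")[0], "errors": []}
            messages.append(open_msg[thread])
        elif thread in open_msg:
            f = FIELD.match(text)
            if f:
                open_msg[thread][f.group(1)] = f.group(2).strip()
            elif text.startswith(ERRORS):
                open_msg[thread]["errors"].append(text)
    return messages

def unreadable_notifies(messages):
    """Pair each received message that failed the N/D hash check with the last Quick Mode sent on its cookies."""
    findings, last_qm = [], {}
    for msg in messages:
        key = (msg.get("I-COOKIE"), msg.get("R-COOKIE"))
        if msg["dir"] == "Sending" and msg.get("exchange") == "Oakley Quick Mode":
            last_qm[key] = msg
        elif msg["dir"] == "Receive" and "Bad N/D Hash" in msg["errors"]:
            findings.append({"time": msg["time"], "notify_id": msg.get("message ID"),
                             "qm_id": last_qm.get(key, {}).get("message ID"), "errors": msg["errors"]})
    return findings
```

Calling `unreadable_notifies(parse_messages(text))` on a full log lists every such pair, which shows whether the failed notify always follows a Quick Mode offer.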