Symptom: a customer's dial-up VPN (Only IKE) could not connect to a NetScreen Gateway (Juniper NetScreen ISG-1000). The NetScreen-Remote Log Viewer showed the following:
Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
Peer is NAT-T capable
NAT is detected for Client
Hash Payload is incorrect    # hash payload error
My Connections\IKEUSER - SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_HASH_INFO)
My Connections\IKEUSER - Discarding IKE SA negotiation
MY COOKIE b6 23 af 2d f5 20 5c c1
HIS COOKIE eb 88 ee b9 87 b9 5d 72
RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
Received message for non-active SA    # a message was received for a non-active SA
The corresponding log on the Juniper NetScreen ISG-1000:
system info 00536 Rejected an IKE packet on ethernet1/1
from 121.201.217.55:500 to
1.1.1.1:500 with cookies
6e341f52b69875ab and 6130c3fe4410810e
because the peer sent a packet with a
message ID before Phase 1
authentication was done.    # ...Phase 1 authentication had not completed
system info 00536 IKE<121.201.217.55> Phase 1: Responder
starts AGGRESSIVE mode negotiations.
This indicates that the pre-shared key on the NetScreen-Remote client does not match the one on the NetScreen Gateway: in Aggressive mode the HASH payload is keyed from the pre-shared key, so a wrong key on the client makes the gateway's hash fail verification, the client answers with INVALID_HASH_INFO, and the gateway rejects that notification because Phase 1 authentication has not completed.
Check the corresponding ike gateway settings on the NetScreen Gateway:
netscreen_isg1000-> get ike gateway ike_gateway
Id Name Gateway Address Gateway ID Mode Proposals
---- --------------- --------------- --------------- ---- ---------
1 ike_gateway ikeusergroup Aggr pre-g1-des-md5
Preshared Key: <***> Seed    # shows that Seed is enabled for the pre-shared key
use count<0>, single-ike_tunnel<0>, status Enabled
user id<-1>, dial up id<6>
IP version 4
slot number<0>.
outgoing interface:
interface name = ethernet1/1, ip = 1.1.1.1, vsys = Root.
local-id type<2> value<DIALVPN>
peer-id empty.
peer-container-id empty.
IPsec NAT-Traversal: enabled.
keepalive frequency: 5 seconds.
UDP checksum: enabled.
local ike udp port 500.
peer ike udp port 500.
peer identity list:
0: NOT IAS
IAS ID 2f05c738
(0f) group <6> user <-1>
Phase 1 SA:
Phase 2 SA:session timeout: 0
Preferred Local Cert
--------------------
local cert not configured.
Preferred Peer Cert
-------------------
peer ca cert not configured.
Peer Cert Type
--------------
Preferred cert type: X509-SIG
Heartbeat Hello: 0(sec), Threshold: 5(times), Reconnect: 0(sec)
----------- XAUTH Config -------------
XAUTH disabled.
On asking the customer, it turned out they had typed the original pre-shared key directly into the NetScreen-Remote Client. Because Seed is enabled for the pre-shared key on the NetScreen Gateway, the key for the client must instead be obtained as follows:
netscreen_isg1000-> exec ike preshare-gen ike_gateway aikeuser    # ike_gateway is the gateway name, aikeuser is the user name
preshared key for user <aikeuser> in peer <ike_gateway>:
<d91f418679 1afd720f0e 26d49623a7 7cb540bf46>    # this hex string is the pre-shared key
Note: Spaces are for readability only.
Remove the spaces from d91f418679 1afd720f0e 26d49623a7 7cb540bf46, paste the result directly into NetScreen-Remote, and click OK.
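As an added triage helper (not Juniper's code and not part of the original post), the following Python script recognises the two log signatures quoted above, checks a get ike gateway dump for a seed-based key, and extracts the preshare-gen key with its spaces removed; the sample inputs are constructed from the lines quoted in this post.

```python
import re

# Symptoms that, seen together, point at a Phase 1 pre-shared key mismatch in
# Aggressive mode: the client cannot verify the gateway's HASH payload, and
# the gateway then rejects the client's INVALID_HASH_INFO notify because it
# carries a message ID before Phase 1 completed.
CLIENT_SYMPTOMS = ("Hash Payload is incorrect", "INVALID_HASH_INFO")
GATEWAY_SYMPTOM = "message ID before Phase 1 authentication was done"
SEED_RE = re.compile(r"Preshared Key:\s*<[^>]*>\s*Seed")
KEY_RE = re.compile(r"^\s*<([0-9a-fA-F ]+)>", re.MULTILINE)

# Constructed samples, trimmed from the log and CLI output quoted in the post.
CLIENT_LOG = """Hash Payload is incorrect
My Connections\\IKEUSER - SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_HASH_INFO)
My Connections\\IKEUSER - Discarding IKE SA negotiation"""
GATEWAY_LOG = """system info 00536 Rejected an IKE packet on ethernet1/1
because the peer sent a packet with a
message ID before Phase 1
authentication was done."""
GET_IKE_GATEWAY = "Preshared Key: <***> Seed\nuse count<0>, status Enabled"
PRESHARE_GEN = """preshared key for user <aikeuser> in peer <ike_gateway>:
<d91f418679 1afd720f0e 26d49623a7 7cb540bf46>
Note: Spaces are for readability only."""


def psk_mismatch_suspected(client_log: str, gateway_log: str) -> bool:
    """True when both sides show the hash-failure pattern from the post."""
    client_hit = all(s in client_log for s in CLIENT_SYMPTOMS)
    # The ISG wraps long log lines; collapse whitespace before matching.
    gateway_hit = GATEWAY_SYMPTOM in " ".join(gateway_log.split())
    return client_hit and gateway_hit


def gateway_uses_seed(get_ike_gateway_output: str) -> bool:
    """True when the PSK is seed-based, so the client needs the per-user key
    produced by `exec ike preshare-gen <gateway> <user>`."""
    return SEED_RE.search(get_ike_gateway_output) is not None


def extract_generated_key(preshare_gen_output: str) -> str:
    """Return the generated key with its readability spaces removed,
    after checking it is plain hex (the form NetScreen-Remote expects)."""
    match = KEY_RE.search(preshare_gen_output)
    if match is None:
        raise ValueError("no <...> key line found in preshare-gen output")
    key = match.group(1).replace(" ", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", key):
        raise ValueError("generated key is not hexadecimal")
    return key
```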