# debugging discv5 handshake I have been tracking down an authentication failure from a number of different client settings and network configurations at this point but can isolate the issue to the setup below. To demonstrate the problem, I try to PING a peer and it responds with a WHOAREYOU packet. I answer the challenge and nothing comes back. If we check the logs of the remote peer then we see: ``` "can't decrypt auth response header: cipher: message authentication failed" ``` ## steps to reproduce For example, let's try peering two instances of the bootnode here: https://github.com/protolambda/eth2-bootnode. There is an existing bootnode running in a docker container with the following configuration (as args to the server binary): ``` "--color=false", "--enr-ip=34.234.193.238", "--enr-udp=9000", "--fork-version=0x01fafafa", "--level=debug", "--listen-ip=0.0.0.0", "--listen-udp=9000", "--node-db=/data/localnode.db", "--priv=7592dd8c7f3a5d715d3726289414ffc6dca3f1dffa8b63a805ce2c74170a2c49" ``` This bootnode serves as an entrypoint to the discv5 DHT for a dev testnet and otherwise is successfully maintaining peers (e.g. revalidating peers, etc). If you clone the `eth2-bootnode` repo and run the server with commensurate config, like this (note: `--bootnode` argument is the ENR of the above server): ``` ./eth2-bootnode --enr-ip 54.163.175.175 --enr-udp 9000 --fork-version '0x01fafafa' --level trace --priv dbcde4fefcfbc014dbad005c283208564d5ba7dbb124ee7726ec0a0a1742cf03 --bootnodes enr:-Ku4QMBSljsxSSMlzYMNdj0cR70ELVhlPz7kezSOToteInHoC5Cejk_KzFAbKtIhKUyzkk8sRGr5ajqmdTwI3PuY-a0Bh2F0dG5ldHOIAAAAAAAAAACEZXRoMpDPW7HzAfr6-v__________gmlkgnY0gmlwhEOg46SJc2VjcDI1NmsxoQIOMGHRfieakkVCGTuVYDXtbX3L27FrfyfsNBAMvdVgSIN1ZHCCIyk ``` you will see the server tries to peer w/ the established bootnode but fails w/ the authentication error above. ## commentary This has been an issue I'm seeing when crawling the eth2 testnets and after trying lots of things, I'm not sure what is going on. In particular, setting up two of these bootnodes and directly peering them is fine... so it is unclear to me why I can't join an existing network. Ideally, I'd start by checking the derived secret from the DH exchange matches on both sides but it is not trivial to modify the Docker image. I've added some logging to the local peer and as far as I can tell, everyone has the right pubkeys, private keys, node IDs, etc.