diff --git a/history.txt b/history.txt
index b8a97b8a76..2cf427d997 100644
--- a/history.txt
+++ b/history.txt
@@ -1,3 +1,6 @@
+2018-08-19 zzz
+ * NTCP2: Catch bad IV exception
+
 2018-08-16 zzz
  * i2ptunnel: Change read timeout defaults now that streaming timeout works
 
diff --git a/router/java/src/net/i2p/router/RouterVersion.java b/router/java/src/net/i2p/router/RouterVersion.java
index f7d70ed0aa..3c775e75ad 100644
--- a/router/java/src/net/i2p/router/RouterVersion.java
+++ b/router/java/src/net/i2p/router/RouterVersion.java
@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 24;
+    public final static long BUILD = 25;
 
     /** for example "-test" */
     public final static String EXTRA = "-rc";
diff --git a/router/java/src/net/i2p/router/transport/ntcp/NTCPConnection.java b/router/java/src/net/i2p/router/transport/ntcp/NTCPConnection.java
index 118879e2c4..b589bd070a 100644
--- a/router/java/src/net/i2p/router/transport/ntcp/NTCPConnection.java
+++ b/router/java/src/net/i2p/router/transport/ntcp/NTCPConnection.java
@@ -242,16 +242,22 @@ public class NTCPConnection implements Closeable {
      * Caller MUST call transport.establishing(this) after construction.
      *
      * @param version must be 1 or 2
+     * @throws DataFormatException if there's a problem with the address
      */
     public NTCPConnection(RouterContext ctx, NTCPTransport transport, RouterIdentity remotePeer,
-                          RouterAddress remAddr, int version) {
+                          RouterAddress remAddr, int version) throws DataFormatException {
         this(ctx, transport, remAddr, false);
         _remotePeer = remotePeer;
         _version = version;
-        if (version == 1)
+        if (version == 1) {
             _establishState = new OutboundEstablishState(ctx, transport, this);
-        else
-            _establishState = new OutboundNTCP2State(ctx, transport, this);
+        } else {
+            try {
+                _establishState = new OutboundNTCP2State(ctx, transport, this);
+            } catch (IllegalArgumentException iae) {
+                throw new DataFormatException("bad address? " + remAddr, iae);
+            }
+        }
     }
 
     /**
diff --git a/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java b/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java
index 040f2b4ff6..3b58a78e9e 100644
--- a/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java
+++ b/router/java/src/net/i2p/router/transport/ntcp/NTCPTransport.java
@@ -29,6 +29,7 @@ import java.util.concurrent.ConcurrentHashMap;
 
 import net.i2p.crypto.SigType;
 import net.i2p.data.Base64;
+import net.i2p.data.DataFormatException;
 import net.i2p.data.DataHelper;
 import net.i2p.data.Hash;
 import net.i2p.data.router.RouterAddress;
@@ -334,12 +335,18 @@ public class NTCPTransport extends TransportImpl {
                     if (addr != null) {
                         newVersion = getNTCPVersion(addr);
                         if (newVersion != 0) {
-                            con = new NTCPConnection(_context, this, ident, addr, newVersion);
-                            establishing(con);
-                            //if (_log.shouldLog(Log.DEBUG))
-                            //    _log.debug("Send on a new con: " + con + " at " + addr + " for " + ih);
-                            // Note that outbound conns go in the map BEFORE establishment
-                            _conByIdent.put(ih, con);
+                            try {
+                                con = new NTCPConnection(_context, this, ident, addr, newVersion);
+                                establishing(con);
+                                //if (_log.shouldLog(Log.DEBUG))
+                                //    _log.debug("Send on a new con: " + con + " at " + addr + " for " + ih);
+                                // Note that outbound conns go in the map BEFORE establishment
+                                _conByIdent.put(ih, con);
+                            } catch (DataFormatException dfe) {
+                                if (_log.shouldWarn())
+                                    _log.warn("bad address? " + target, dfe);
+                                fail = true;
+                            }
                         } else {
                             fail = true;
                         }
diff --git a/router/java/src/net/i2p/router/transport/ntcp/OutboundNTCP2State.java b/router/java/src/net/i2p/router/transport/ntcp/OutboundNTCP2State.java
index 64beb3a24e..bb1aa2f278 100644
--- a/router/java/src/net/i2p/router/transport/ntcp/OutboundNTCP2State.java
+++ b/router/java/src/net/i2p/router/transport/ntcp/OutboundNTCP2State.java
@@ -94,6 +94,9 @@ class OutboundNTCP2State implements EstablishState {
         CORRUPT
     }
     
+    /**
+     * @throws IllegalArgumentException on bad address in the con
+     */
     public OutboundNTCP2State(RouterContext ctx, NTCPTransport transport, NTCPConnection con) {
         _context = ctx;
         _log = ctx.logManager().getLog(getClass());