Troubleshooting Tip: IPSEC VPN down due to Error INVALID_KE_PAYLOAD

- From the IKE debug if you see the error "INVALID_KE_PAYLOAD" as below:

ike 1:IPSEC2VPN:11209: received create-child response
ike 1:IPSEC2VPN:11209: initiator received CREATE_CHILD msg
ike 1:IPSEC2VPN:11209:Mashroat-4:13324: found child SA SPI a4937110 state=3
ike 1:IPSEC2VPN:11209: processing notify type INVALID_KE_PAYLOAD
ike 1:IPSEC2VPN:11209: initiator preparing to resend CREATE_CHILD with DH group 5

The above error is seen due the mismatch in the PFS setting in Phase2 of the IPSEC VPN.

Solution:

- Verify if the PFS is enabled on both peers.

- Verify if the DH-Group is same on both end.

- Enable the PFS on the phase2 of tunnel and selected the DH-Grp as selected on remote peer.
- The phase2 will be up and active