FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes the solution to solve the Error "INVALID_KE_PAYLOAD" received on the IKE debug.
Scope
Solution
- From the IKE debug if you see the error "INVALID_KE_PAYLOAD" as below:
ike 1:IPSEC2VPN:11209: received create-child response ike 1:IPSEC2VPN:11209: initiator received CREATE_CHILD msg ike 1:IPSEC2VPN:11209:Mashroat-4:13324: found child SA SPI a4937110 state=3 ike 1:IPSEC2VPN:11209: processing notify type INVALID_KE_PAYLOAD ike 1:IPSEC2VPN:11209: initiator preparing to resend CREATE_CHILD with DH group 5
The above error is seen due the mismatch in the PFS setting in Phase2 of the IPSEC VPN.
Solution:
- Verify if the PFS is enabled on both peers.
- Verify if the DH-Group is same on both end.
- Enable the PFS on the phase2 of tunnel and selected the DH-Grp as selected on remote peer. - The phase2 will be up and active
