Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ranand
Staff
Staff

Created on ‎11-25-2021 11:22 PM

Article Id 199657

Troubleshooting Tip: IPSEC VPN down due to Error INVALID_KE_PAYLOAD

Description This article describes the solution to solve the Error "INVALID_KE_PAYLOAD" received on the IKE debug.
Scope  
Solution

- From the IKE debug if you see the error "INVALID_KE_PAYLOAD" as below:

ike 1:IPSEC2VPN:11209: received create-child response
ike 1:IPSEC2VPN:11209: initiator received CREATE_CHILD msg
ike 1:IPSEC2VPN:11209:Mashroat-4:13324: found child SA SPI a4937110 state=3
ike 1:IPSEC2VPN:11209: processing notify type INVALID_KE_PAYLOAD
ike 1:IPSEC2VPN:11209: initiator preparing to resend CREATE_CHILD with DH group 5

 

The above error is seen due the mismatch in the PFS setting in Phase2 of the IPSEC VPN.

 

Solution:

 

- Verify if the PFS is enabled on both peers.

- Verify if the DH-Group is same on both end.


- Enable the PFS on the phase2 of tunnel and selected the DH-Grp as selected on remote peer.
- The phase2 will be up and active

 

Labels:
9355
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.