- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
An IPsec tunnel between a Barracuda NG Firewall and a Checkpoint NG R65 does not establish, although the Phase 1 and Phase 2 settings are identical on both gateways.
The following messages are displayed in the ike.log:
Notice srv_sve_ike[PID]: message_parse_payloads: invalid next payload type <Unknown 118> in payload of type 8
Notice srv_sve_ike[PID]: dropped message from x.x.x.x port 500 due to notification type INVALID_PAYLOAD_TYPE
This problem only occurs if the tunnel uses single host IPs for the remote and the local net. In this case the Checkpoint does not insert the official gateway IP as the "ipsec_validate_id_information: IPv4:" value (the IKE identity) but uses the single host IP address from the remote or local net instead.
To check the value, set the IPsec debug level to 99 and search the ike.log for this entry:
Info srv_sve_ike[PID]: ipsec_validate_id_information: IPv4:
Info srv_sve_ike[PID]: <IP-address in hexadecimal format>
The value <IP-address in hexadecimal format> is the IPv4 address that is used as the IKE ID. This IP must be the official IP address of the active partner (normally the Checkpoint); if it is one of the single host IPs from the local or remote net instead, the mismatch described above is the cause.
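The manual check above (decode the hexadecimal ID from the ike.log and compare it with the official gateway IP) can be scripted. The following Python helper is an added example and is not part of the original article or of Barracuda's tooling. It assumes that the hexadecimal value is printed as eight hex digits representing the four IPv4 octets (for example 0a000105 for 10.0.1.5) and that it appears on the log line directly after the "ipsec_validate_id_information: IPv4:" line, as shown in the article; the sample log lines and the IP addresses in them are constructed for the example.

```python
import re
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample of ike.log lines (not a real capture). The PID, the peer
# address 203.0.113.10 and the host IP 10.0.1.5 are invented for the example.
SAMPLE_IKE_LOG = """\
Notice srv_sve_ike[1234]: message_parse_payloads: invalid next payload type <Unknown 118> in payload of type 8
Notice srv_sve_ike[1234]: dropped message from 203.0.113.10 port 500 due to notification type INVALID_PAYLOAD_TYPE
Info srv_sve_ike[1234]: ipsec_validate_id_information: IPv4:
Info srv_sve_ike[1234]: 0a000105
"""

# Line that announces the IPv4 ID; the hex value follows on the next line.
ID_HEADER_RE = re.compile(r"ipsec_validate_id_information: IPv4:\s*$")
# Assumed format of the ID value: eight hex digits = four IPv4 octets.
HEX_RE = re.compile(r"srv_sve_ike\[\d+\]:\s*([0-9a-fA-F]{8})\s*$")
# Dropped-message notices, so INVALID_PAYLOAD_TYPE drops can be correlated.
DROP_RE = re.compile(r"dropped message from (\S+) port \d+ due to notification type (\w+)")


def hex_to_ipv4(hex_value: str) -> str:
    """Decode eight hex digits (big-endian octets) into dotted IPv4 notation."""
    return str(ipaddress.IPv4Address(int(hex_value, 16)))


def extract_ike_ids(log_text: str) -> List[str]:
    """Return every IPv4 ID announced in the log, decoded to dotted notation."""
    ids = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if ID_HEADER_RE.search(line):
            match = HEX_RE.search(lines[i + 1])
            if match:
                ids.append(hex_to_ipv4(match.group(1)))
    return ids


def extract_drops(log_text: str) -> List[Tuple[str, str]]:
    """Return (peer, notification type) for every dropped-message notice."""
    drops = []
    for line in log_text.splitlines():
        match = DROP_RE.search(line)
        if match:
            drops.append((match.group(1), match.group(2)))
    return drops


def check_peer_id(log_text: str, expected_gateway_ip: str) -> Dict[str, object]:
    """Compare the announced IKE ID(s) against the official gateway IP of the peer.

    A mismatch means the peer identifies itself with a host IP from the
    tunnel's local/remote net rather than with its gateway address.
    """
    ids = extract_ike_ids(log_text)
    mismatched = [i for i in ids if i != expected_gateway_ip]
    invalid_payload_drops = [d for d in extract_drops(log_text)
                             if d[1] == "INVALID_PAYLOAD_TYPE"]
    return {
        "announced_ids": ids,
        "mismatched_ids": mismatched,
        "invalid_payload_drops": invalid_payload_drops,
        "ok": bool(ids) and not mismatched,
    }


if __name__ == "__main__":
    # Stand-alone run against the constructed sample: the peer announces
    # 10.0.1.5 instead of its gateway address 203.0.113.10.
    result = check_peer_id(SAMPLE_IKE_LOG, "203.0.113.10")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a real ike.log by replacing SAMPLE_IKE_LOG with the file contents and passing the Checkpoint's official gateway IP; a non-empty mismatched_ids list together with INVALID_PAYLOAD_TYPE drops from the same peer points to the single-host-net configuration described in this article.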
Do not use single host IP addresses for the remote and local net in the tunnel configuration. Always use whole networks (a netmask of 2 bits in phion notation is enough).