Barracuda NextGen Firewall X

IPSEC Tunnel between Barracuda NG Firewall and Checkpoint NGX R65 does not establish

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00005243 
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


An IPsec tunnel between Barracuda NG Firewall and Checkpoint NG R65 does not establish. Phase 1 and Phase 2 settings are identical on both gateways.


The following messages are displayed in the ike.log:

Notice    srv_sve_ike[PID]: message_parse_payloads: invalid next payload type <Unknown 118> in payload of type 8
Notice    srv_sve_ike[PID]: dropped message from x.x.x.x port 500 due to notification type INVALID_PAYLOAD_TYPE


This problem only occurs if the tunnel uses single host IPs for the remote and the local net. In this case, the Checkpoint does not insert the official gateway IP as the "ipsec_validate_id_information: IPv4:" value; instead it uses the single host IP address from the remote and local net.


To check the value, you must set the ipsec debug level to 99 and search for this value in the ike.log:

  Info   srv_sve_ike[PID]: ipsec_validate_id_information: IPv4:
  Info   srv_sve_ike[PID]: <IP-address in hexadecimal format>


The value <IP-address in hexadecimal format> is the IPv4 address that is used as the ID; it must be the official IP address of the active partner (normally the Checkpoint).
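
The check described above can be scripted. The following is an added example, not Barracuda code: it decodes the hexadecimal ID logged after each "ipsec_validate_id_information: IPv4:" line and compares it with the peer's official gateway IP. It assumes the value line carries the 4 address bytes as hex digits (optionally space-separated); the function names and the sample log with its PID and addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed ike.log excerpt (debug level 99); PID and addresses are made up.
SAMPLE_LOG = """\
Info   srv_sve_ike[4711]: ipsec_validate_id_information: IPv4:
Info   srv_sve_ike[4711]: 0a000a05
Notice    srv_sve_ike[4711]: dropped message from 203.0.113.10 port 500 due to notification type INVALID_PAYLOAD_TYPE
Info   srv_sve_ike[4711]: ipsec_validate_id_information: IPv4:
Info   srv_sve_ike[4711]: cb00710a
"""

HEADER = re.compile(r"srv_sve_ike\[\d+\]:\s*ipsec_validate_id_information: IPv4:\s*$")
# Assumption: the line after the header holds exactly 4 bytes as hex digits.
VALUE = re.compile(r"srv_sve_ike\[\d+\]:\s*((?:[0-9a-fA-F]{2}\s*){4})$")


def extract_ike_ids(log_text):
    """Return the IPv4 IDs logged after each ipsec_validate_id_information header."""
    ids = []
    expect_value = False
    for line in log_text.splitlines():
        if HEADER.search(line):
            expect_value = True
            continue
        if expect_value:
            m = VALUE.search(line)
            if m:
                # Strip any whitespace between byte groups before decoding.
                raw = bytes.fromhex("".join(m.group(1).split()))
                ids.append(ipaddress.IPv4Address(raw))
            expect_value = False
    return ids


def check_ids(log_text, peer_gateway_ip):
    """Pair each logged ID with True if it equals the peer's official gateway IP."""
    expected = ipaddress.IPv4Address(peer_gateway_ip)
    return [(str(ip), ip == expected) for ip in extract_ike_ids(log_text)]


if __name__ == "__main__":
    for ip, ok in check_ids(SAMPLE_LOG, "203.0.113.10"):
        status = "matches gateway IP" if ok else "MISMATCH (single host IP used as ID?)"
        print(f"ID {ip}: {status}")
```

A mismatch reported next to an INVALID_PAYLOAD_TYPE drop in the same log points to the single-host-IP condition described in this solution.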


Do not use single host IP addresses for the remote and local net in the tunnel configuration. Always use whole networks (a netmask with 2 bits in phion notation is enough).


