A Security Gateway with configured VTI interfaces sends the IKEv2 "NAT_DETECTION_SOURCE_IP" payload with the IP addresses of its VTI interfaces, even though VTI interfaces are not supported in IKEv2.
If more than 25 VTI interfaces are configured, a "Too many payloads" error occurs and the IKEv2 negotiation fails.
The Security Gateway participates in two Site-to-Site VPN communities:
- For one VPN community, the Security Gateway uses VTI (with IKEv1):
  Community1: GWa <-> GWb, IKEv1, Route Based VPN, VTI (so GWa would have an empty group as its encryption domain)
- For the other VPN community, the Security Gateway uses IKEv2:
  Community2: GWa <-> GWc, IKEv2 (GWc would have an encryption domain)