ssriswadpong
Staff & Editor
April 14, 2022

Troubleshooting Tip: Cisco Viptela shows IDir does not match


Description

This article describes a problem that occurs when configuring an IPsec VPN between FortiGate and Cisco Viptela: Cisco Viptela reports that IDir does not match even though the IP address in the ID does match.

Scope

FortiGate.

Solution

An example of the error log from Cisco Viptela:


13[NET] sending packet: from 203.0.113.7[4500] to 198.51.100.1[4500] (108 bytes)

05[NET] received packet: from 198.51.100.1[4500] to 203.0.113.7[4500] (76 bytes)

05[ENC] parsed ID PROT response 0 [ ID HASH ]

05[IKE] IDir '198.51.100.1' does not match to          '198.51.100.1'

The IP address 198.51.100.1 does match, but Cisco Viptela reports that it does not match because the peer-id type may be mismatched. The default peer-id type is auto, so it should be changed to address.

 

# config vpn ipsec phase1-interface
    edit <phase1name>
        set localid-type address
    next
end
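
To show why two identical-looking addresses can still fail the comparison, the following added example (not part of the original article and not either vendor's code) builds two IKEv1 ID payload bodies in the RFC 2407 layout and compares them. It assumes the mismatched type is ID_FQDN, which the article does not specify; the function names and sample payloads are constructed for illustration.

```python
import ipaddress
import struct

# ID type values from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_KEY_ID = 1, 2, 3, 11
TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}

def build_id_body(id_type, data, proto=0, port=0):
    """IKEv1 ID payload body: type(1) | protocol(1) | port(2) | data."""
    return struct.pack("!BBH", id_type, proto, port) + data

def parse_id_body(body):
    """Return (id_type, raw_data) with basic length validation."""
    if len(body) < 4:
        raise ValueError("ID payload body shorter than its 4-byte header")
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR and len(data) != 4:
        raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
    return id_type, data

def render(id_type, data):
    """Text form as it would appear in a log line: the type is not shown."""
    if id_type == ID_IPV4_ADDR:
        return str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_USER_FQDN):
        return data.decode("ascii", errors="replace")
    return data.hex()

def ids_match(received, expected):
    """Identities match only if both the type and the raw bytes are equal."""
    return parse_id_body(received) == parse_id_body(expected)

def explain(received, expected):
    r_type, r_data = parse_id_body(received)
    e_type, e_data = parse_id_body(expected)
    return (f"IDir '{render(r_type, r_data)}' ({TYPE_NAMES.get(r_type, r_type)}) vs "
            f"'{render(e_type, e_data)}' ({TYPE_NAMES.get(e_type, e_type)}): "
            f"{'match' if (r_type, r_data) == (e_type, e_data) else 'does not match'}")

# Constructed sample payloads (not captured traffic)
AS_FQDN = build_id_body(ID_FQDN, b"198.51.100.1")
AS_ADDR = build_id_body(ID_IPV4_ADDR, ipaddress.IPv4Address("198.51.100.1").packed)

if __name__ == "__main__":
    print(explain(AS_FQDN, AS_ADDR))  # same text, different ID type
    print(explain(AS_ADDR, AS_ADDR))  # both sides use the address type
```

A packet capture or IKE debug output that shows the ID type field, rather than only the rendered string, confirms which type each peer is actually sending.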