Troubleshooting Tip: IPSec site-to-site VPN between FortiGate and Sonicwall fails with error message 'ignoring unencrypted INVALID-COOKIE'
| Description | This article explains why an IPsec site-to-site VPN between a FortiGate and a SonicWall fails with the error message 'ignoring unencrypted INVALID-COOKIE'. |
| Scope | FortiGate, IPsec. |
| Solution | Topology: FortiGate (private IP on the WAN interface) -> NAT router (Azure) -> IPsec -> SonicWall. |

The IPsec VPN fails to establish when the SonicWall points at a dynamic IP address (for example, a FortiDDNS name). Debug output on the FortiGate shows that, after the initiator receives the second message, IKE logs 'ignoring unencrypted INVALID-COOKIE' and retransmits.

Note: the SonicWall will not properly recognize the NAT'ed IP address. By default, a FortiGate behind NAT presents the address of its own WAN interface (the private IP) as its IKE ID, not the public address from which the SonicWall sees the packets arrive, so the IKE ID the SonicWall expects does not match.

To address this issue, on the SonicWall side, set the Peer IKE ID (type IPv4 Address) to the FortiGate's private IP address facing the NAT router.

If the FortiGate is not behind NAT (i.e. the FortiGate does not have a private IP address), try removing the Local IKE ID and the Peer IKE ID on the SonicWall.

If the FortiGate is not behind NAT and the issue still occurs, try defining the FortiGate's public IP address as the Peer IKE ID on the SonicWall.

However, if the SonicWall is running firmware v5.6.2.1 or the latest version, it is mandatory to specify the Local IKE ID; otherwise, the following error will occur:
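As an added example (not part of this article), the FortiGate CLI commands that capture the IKE debug output quoted above and show the IKE ID the FortiGate actually presents, followed by the phase1 setting that pins that ID to the private WAN address so it matches the Peer IKE ID configured on the SonicWall. The tunnel name `to-sonicwall` and the address 10.0.1.4 are placeholders.

```fortios
# --- 1. Capture the IKE negotiation (run while the tunnel is being brought up) ---
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# Watch for 'ignoring unencrypted INVALID-COOKIE' right after the second
# message arrives at the initiator, then stop the capture:
diagnose debug disable
diagnose debug reset

# --- 2. Check the local/remote IKE IDs once phase 1 is negotiated ---
diagnose vpn ike gateway list name to-sonicwall

# --- 3. Pin the ID the FortiGate sends to its private WAN address ---
# With localid-type left at its default (auto), a PSK tunnel already sends the
# WAN interface address; setting it explicitly makes the value deterministic.
# 10.0.1.4 is a placeholder for the private IP facing the Azure NAT router and
# must equal the Peer IKE ID (IPv4 Address) entered on the SonicWall.
config vpn ipsec phase1-interface
    edit "to-sonicwall"
        set localid-type address
        set localid "10.0.1.4"
        set nattraversal enable
    next
end
```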