Description
This article describes how to troubleshoot the issue when an IPsec IKEv2 tunnel goes down.
Solution
In this setup, FortiGate is the initiator and Checkpoint is the responder.
IKEv2 has two phases: the IKE_SA_INIT exchange and the IKE_AUTH exchange.
If the second message of the IKE_AUTH exchange carries the notify message (Payload: Notify (41) - INVALID_SYNTAX), it indicates a Phase 2 selector mismatch.
As shown in the packet capture below:
To fix the issue, match the Phase 2 selectors on both units.
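Matching the selectors means every local/remote subnet pair on the initiator has an exact mirror (remote/local) on the responder. The following check is an added example, not part of the original article; `compare_selectors` is a hypothetical helper name and all subnets are constructed sample values to be replaced with the selectors copied from each unit.

```python
import ipaddress


def _net(text):
    # strict parsing: a selector with host bits set (e.g. 10.1.1.1/24) raises ValueError
    return ipaddress.ip_network(text)


def compare_selectors(initiator, responder):
    """Each argument is a list of (local_subnet, remote_subnet) as configured on that unit.

    Returns one (initiator_pair, verdict, closest_responder_pair) tuple per initiator pair:
      match   - the responder has the exact mirrored pair
      overlap - a responder pair overlaps on both sides but is not identical
      missing - no responder pair covers this traffic at all
    """
    resp = [(_net(loc), _net(rem)) for loc, rem in responder]
    results = []
    for local, remote in initiator:
        # The responder sees the same traffic with local and remote swapped.
        want = (_net(remote), _net(local))
        if want in resp:
            results.append(((local, remote), "match", None))
            continue
        near = [(str(loc), str(rem)) for loc, rem in resp
                if loc.overlaps(want[0]) and rem.overlaps(want[1])]
        verdict = "overlap" if near else "missing"
        results.append(((local, remote), verdict, near[0] if near else None))
    return results


# Constructed sample selectors (not taken from the article).
FORTIGATE = [("10.10.1.0/24", "192.168.50.0/24"),
             ("10.10.2.0/24", "192.168.50.0/24"),
             ("10.10.3.0/24", "192.168.60.0/24")]
CHECKPOINT = [("192.168.50.0/24", "10.10.1.0/24"),
              ("192.168.50.0/24", "10.10.0.0/16")]

if __name__ == "__main__":
    for pair, verdict, closest in compare_selectors(FORTIGATE, CHECKPOINT):
        hint = f" (closest on responder: {closest})" if closest else ""
        print(f"{pair[0]} -> {pair[1]}: {verdict}{hint}")
```

Any pair reported as `overlap` or `missing` is a candidate for the mismatch described above.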