FortiGate
vbarrios
Staff
Article Id 342952
Description This article explains how to fix an IKEv2 phase1 failure that logs 'error constructing ID payload'.
Scope FortiGate.
Solution

When establishing a site-to-site IPsec VPN with a peer device using IKEv2, the following error can be seen in the IKE debug output during the authentication (IKE_AUTH) step:

 

2024-09-20 18:20:22.440112 ike V=root:0:FGT-VPN:13258: initiator preparing AUTH msg
2024-09-20 18:20:22.440145 ike V=root:0:FGT-VPN:13258: error constructing ID payload
2024-09-20 18:20:22.440185 ike V=root:0:FGT-VPN:13258: schedule delete of IKE SA 7011991fd31065ff/e4b56d049138da90
2024-09-20 18:20:22.440266 ike V=root:0:FGT-VPN:13258: scheduled delete of IKE SA 7011991fd31065ff/e4b56d049138da90
2024-09-20 18:20:22.440407 ike V=root:0:FGT-VPN: connection expiring due to phase1 down
2024-09-20 18:20:22.440441 ike V=root:0:FGT-VPN: going to be deleted
2024-09-20 18:20:22.440480 ike V=root:0:FGT-VPN: schedule auto-negotiate
2024-09-20 18:20:23.446372 ike V=root:0:FGT-VPN: auto-negotiate connection
2024-09-20 18:20:23.446462 ike V=root:0:FGT-VPN:FGT-VPN: created connection: 0x9d02b50 5 X.X.X.X->X.X.X.X:500.
2024-09-20 18:20:23.446513 ike V=root:0:FGT-VPN:FGT-VPN to Remote: chosen to populate IKE_SA traffic-selectors
2024-09-20 18:20:23.446568 ike V=root:0:FGT-VPN: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation

 

After confirming that the proposals, key lifetime and other phase1 parameters match and are compatible with the VPN peer, check the phase1 configuration with the following command: 'show vpn ipsec phase1-interface'.
 

If 'localid-type' is set to 'keyid' under the affected tunnel, as below:

config vpn ipsec phase1-interface
    edit <Tunnel Name>
        set localid-type keyid
end


Then unset this setting to revert it to its default, which is 'localid-type auto', as follows:

 

config vpn ipsec phase1-interface
    edit <Tunnel Name>
        unset localid-type
end

 

After making this change, the tunnel should come up without the ID type mismatch and the 'error constructing ID payload' message.
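The check described above, as an added example that is not part of the original article: a small Python audit that parses saved 'show vpn ipsec phase1-interface' output and IKE debug output, and reports each tunnel that logged 'error constructing ID payload' together with its configured 'localid-type'. It generalizes the single-tunnel case to any number of tunnels and assumes the debug line format shown above (tunnel name as the third colon-separated field); the config and debug samples are constructed.

```python
import re
# Constructed sample of 'show vpn ipsec phase1-interface' output (not from the article).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "FGT-VPN"
        set ike-version 2
        set localid-type keyid
    next
    edit "BRANCH-B"
        set ike-version 2
    next
end
"""
# Constructed IKE debug lines in the format shown above; the tunnel name is the third colon field.
SAMPLE_DEBUG = """\
2024-09-20 18:20:22.440112 ike V=root:0:FGT-VPN:13258: initiator preparing AUTH msg
2024-09-20 18:20:22.440145 ike V=root:0:FGT-VPN:13258: error constructing ID payload
2024-09-20 18:20:23.446568 ike V=root:0:BRANCH-B: no suitable IKE_SA, queuing CHILD_SA request
"""

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} from phase1-interface config output."""
    tunnels, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'edit\s+"?([^"]+)"?$', line)
        if m:  # start of an 'edit <name>' block
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":  # end of the current edit block
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip('"')
    return tunnels

def tunnels_with_id_error(debug_text):
    """Tunnel names whose IKE debug lines contain the ID payload error (one match per line)."""
    return set(re.findall(r'ike V=\w+:\d+:([^:]+):.*error constructing ID payload', debug_text))

def audit(config_text, debug_text):
    """Map each tunnel that logged the error to its configured localid-type (default 'auto')."""
    tunnels = parse_phase1(config_text)
    return {name: tunnels.get(name, {}).get("localid-type", "auto")
            for name in tunnels_with_id_error(debug_text)}

if __name__ == "__main__":
    for name, idtype in audit(SAMPLE_CONFIG, SAMPLE_DEBUG).items():
        action = "unset localid-type" if idtype != "auto" else "compare peer ID settings"
        print(f"{name}: localid-type {idtype} -> {action}")
```

Run it against files captured from the firewall by replacing the two constructed samples with their contents.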
