Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbarrios
Staff
Staff

Created on ‎09-24-2024 08:27 PM Edited on ‎11-28-2025 08:31 AM By Community Manager

Article Id 342952

Technical Tip: How to fix error constructing ID payload in IKE debugs

Description This article explains how to fix a phase1 issue about 'error constructing ID payload'.
Scope FortiGate.
Solution

When establishing IPsec VPN site-to-site with a peer device using IKEv2, the following error may be seen in IKE debugs during the authentication process by using following commands:

 

diagnose debug console timestamp enable

diagnose vpn ike log filter dst-addr4 /rem-addr4 x.x.x.x  <----- Remote gateway IP address.

diagnose debug application ike -1

diagnose debug enable

 

2024-09-20 18:20:22.440112 ike V=root:0:FGT-VPN:13258: initiator preparing AUTH msg
2024-09-20 18:20:22.440145 ike V=root:0:FGT-VPN:13258: error constructing ID payload
2024-09-20 18:20:22.440185 ike V=root:0:FGT-VPN:13258: schedule delete of IKE SA 7011991fd31065ff/e4b56d049138da90
2024-09-20 18:20:22.440266 ike V=root:0:FGT-VPN:13258: scheduled delete of IKE SA 7011991fd31065ff/e4b56d049138da90
2024-09-20 18:20:22.440407 ike V=root:0:FGT-VPN: connection expiring due to phase1 down
2024-09-20 18:20:22.440441 ike V=root:0:FGT-VPN: going to be deleted
2024-09-20 18:20:22.440480 ike V=root:0:FGT-VPN: schedule auto-negotiate
2024-09-20 18:20:23.446372 ike V=root:0:FGT-VPN: auto-negotiate connection
2024-09-20 18:20:23.446462 ike V=root:0:FGT-VPN:FGT-VPN: created connection: 0x9d02b50 5 X.X.X.X->X.X.X.X:500.
2024-09-20 18:20:23.446513 ike V=root:0:FGT-VPN:FGT-VPN to Remote: chosen to populate IKE_SA traffic-selectors
2024-09-20 18:20:23.446568 ike V=root:0:FGT-VPN: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation

 

After making sure proposals, key lifetime and other phase1 parameters match and are compatible with the VPN peers, check the VPN phase1 config with the next command: 'show vpn ipsec phase1-interface'.
 

If noticing the 'localid-type' is set under the tunnel name with the issue as below:

config vpn ipsec phase1-interface
 edit <Tunnel Name>
  set localid-type keyid
end


Then, proceed to unset this command to revert it to its default which is 'localid-type auto' as follows:

 

config vpn ipsec phase1-interface
    edit <Tunnel Name>
    unset localid-type 
end

 

After making the changes, the tunnel should come up without ID type mismatch and the error in question. 
1351
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.