vbarrios
Staff
Article Id 339644
Description

This article describes how to resolve the authentication failure 'gw validation failed' on an IPsec dial-up tunnel that uses IKEv2.

The error appears as follows in the IKE debug output (run 'diagnose debug disable' when finished):

diagnose debug app ike -1
diagnose debug enable

ike 0:REMOTE:77: peer identifier IPV4_ADDR x.x.x.x
ike 0:REMOTE:77: re-validate gw ID
ike 0:REMOTE:77: gw validation failed

ike 0:REMOTE: connection expiring due to phase1 down
ike 0:REMOTE: deleting
ike 0:REMOTE: deleted

Here 'REMOTE' is the phase1-interface name. The FortiGate rejects the peer at the gateway (phase1) validation step, so the IKE SA is never established and the tunnel is torn down.

Scope

FortiGate.
Solution

The FortiGate IPsec VPN wizard creates dial-up tunnels with IKEv1 only. When the IKE version is later changed from 1 to 2 in the phase1 settings (set ike-version 2), the settings that IKEv2 needs for user authentication are not added: an IKEv1 dial-up tunnel authenticates users with XAuth, whereas IKEv2 uses EAP. Without EAP enabled, the FortiGate cannot validate the dial-up peer and reports 'gw validation failed'. To authenticate successfully with IKEv2, set the following under the tunnel's phase1-interface settings:

 

FortiGate-Fw # config vpn ipsec phase1-interface
FortiGate-Fw (phase1-interface) # edit REMOTE
FortiGate-Fw (REMOTE) # set eap enable
FortiGate-Fw (REMOTE) # set eap-identity send-request
FortiGate-Fw (REMOTE) # set authusrgrp <User Group name>
FortiGate-Fw (REMOTE) # end

Note:

The tunnel name in this example is 'REMOTE'. Use the name of the phase1-interface being edited.
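As an added example (not from the article and not FortiOS code), the following Python script parses phase1-interface configuration text as shown by 'show vpn ipsec phase1-interface', finds every IKEv2 dial-up tunnel, and reports which of the three settings above are missing, together with the CLI lines to add. The sample configuration, the tunnel names, the 'VPN_Users' group and 'port1' are constructed; the FortiOS defaults of 'type static' and 'ike-version 1' for keys that are absent from the output are assumptions stated in the code.

```python
"""Audit FortiGate phase1-interface settings for IKEv2 dial-up tunnels that
lack the EAP settings required for IKEv2 user authentication.

Added example for this article, not FortiOS code. It parses constructed
'show vpn ipsec phase1-interface' style text and reports, per IKEv2 dial-up
tunnel, which of 'set eap enable', 'set eap-identity send-request' and
'set authusrgrp <group>' are absent, then prints the CLI lines to add.
"""
import re

# Constructed sample config (not from the article). 'REMOTE' is a wizard-built
# dial-up tunnel switched to IKEv2 without EAP; 'REMOTE_V1' is IKEv1 with XAuth;
# 'REMOTE_OK' has the full IKEv2 EAP settings; 'SITE_B' is a static site-to-site.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "REMOTE"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256-sha256
        set psksecret ENC xxx
    next
    edit "REMOTE_V1"
        set type dynamic
        set interface "port1"
        set ike-version 1
        set peertype any
        set xauthtype auto
        set authusrgrp "VPN_Users"
        set psksecret ENC xxx
    next
    edit "REMOTE_OK"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set psksecret ENC xxx
    next
    edit "SITE_B"
        set interface "port1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set psksecret ENC xxx
    next
end
"""

# Settings the article requires on an IKEv2 dial-up phase1 (exact values).
REQUIRED_EAP = {"eap": "enable", "eap-identity": "send-request"}

EDIT_RE = re.compile(r'^edit\s+"?([^"]+)"?$')
SET_RE = re.compile(r'^set\s+(\S+)\s+(.+)$')


def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each 'edit' block.

    Only 'set' lines are recorded; quotes around values are stripped. FortiOS
    omits settings that are at their default, so a missing key means default.
    """
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = EDIT_RE.match(line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            tunnels[current][m.group(1)] = m.group(2).strip().strip('"')
    return tunnels


def audit_ikev2_dialup(tunnels):
    """Return {tunnel_name: [missing 'set ...' lines]} for IKEv2 dial-up tunnels.

    Assumed FortiOS defaults: 'type static' and 'ike-version 1' when the key is
    absent, so only explicit 'type dynamic' with 'ike-version 2' is audited.
    """
    findings = {}
    for name, s in tunnels.items():
        if s.get("type", "static") != "dynamic":
            continue
        if s.get("ike-version", "1") != "2":
            continue
        missing = [f"set {k} {v}" for k, v in REQUIRED_EAP.items() if s.get(k) != v]
        if not s.get("authusrgrp"):
            missing.append("set authusrgrp <User Group name>")
        if missing:
            findings[name] = missing
    return findings


def fix_commands(name, missing):
    """CLI lines that add the missing settings to the named phase1-interface."""
    return (["config vpn ipsec phase1-interface", f'edit "{name}"']
            + list(missing) + ["next", "end"])


if __name__ == "__main__":
    for name, missing in audit_ikev2_dialup(parse_phase1(SAMPLE_CONFIG)).items():
        print(f"{name}: IKEv2 dial-up without EAP settings, expect 'gw validation failed'")
        print("\n".join(fix_commands(name, missing)))
```

Run it against the output of 'show vpn ipsec phase1-interface' saved from a FortiGate; only 'REMOTE' is reported in the constructed sample, since 'REMOTE_V1' is IKEv1 (XAuth, not EAP), 'REMOTE_OK' already has the settings and 'SITE_B' is not a dial-up tunnel.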

The error 'EAP response is empty' may also appear in the debug output. To resolve it, follow this article:

Troubleshooting Tip: Using IKEv2 for a dial-up IPsec tunnel with a RADIUS server and Local user

It also lists the debug commands to run when troubleshooting dial-up VPN and EAP issues together.

Comments
GILMENDO
Staff

Great input, thank you @vbarrios

MaryBolano
Staff

Well done @vbarrios !!!