FortiGate
vbarrios
Staff
Article Id 339644
Description

This article describes how to resolve the IKE authentication error 'gw validation failed' that can occur on IPsec dial-up tunnels using IKEv2.

Scope

FortiGate.
Solution

When an IPsec dial-up tunnel is configured with IKEv2, the following errors may appear in the IKE debug output when a user attempts to connect to the VPN:

diagnose vpn ike log-filter src-addr4 x.x.x.x  <--- Public IP address of the user attempting to connect to VPN.
diagnose debug app ike -1 

diagnose debug enable


ike 0:REMOTE:77: peer identifier IPV4_ADDR x.x.x.x
ike 0:REMOTE:77: re-validate gw ID
ike 0:REMOTE:77: gw validation failed

 

ike 0:REMOTE: connection expiring due to phase1 down
ike 0:REMOTE: deleting
ike 0:REMOTE: deleted

 

Note: Starting from v7.4.1, the 'diagnose vpn ike log-filter' command has been replaced by 'diagnose vpn ike log filter'. The filter on the connecting user's public (remote) address is 'diagnose vpn ike log filter rem-addr4 <IP>'; 'loc-addr4' filters on the FortiGate's own address instead.

Use case 1:
The FortiGate IPsec VPN wizard only supports IKEv1 when creating dial-up tunnels, where users are authenticated with XAuth. When the tunnel's IKE version is changed from '1' to '2', the equivalent IKEv2 settings are not configured automatically: IKEv2 has no XAuth and authenticates users with EAP instead. To authenticate successfully using IKEv2, set the following under the tunnel's phase1 settings:

 

FortiGate-Fw # config vpn ipsec phase1-interface
FortiGate-Fw (phase1-interface) # edit REMOTE
FortiGate-Fw (REMOTE) # set eap enable
FortiGate-Fw (REMOTE) # set eap-identity send-request
FortiGate-Fw (REMOTE) # set authusrgrp <User Group name>
FortiGate-Fw (REMOTE) # end

 

Note:

  • The tunnel name in this example is 'REMOTE'. Use the name of the respective tunnel.
  • Firewall policies should not contain the user group defined in the IPsec phase1 'authusrgrp'. Otherwise, the traffic will match the implicit deny policy.
  • EAP should be disabled when the IPsec VPN dial-up tunnel is configured to autoconnect using Microsoft Entra ID:

 

Related document:

Autoconnect to IPsec VPN using Entra ID logon session information

 

FortiGate-Fw # config vpn ipsec phase1-interface
FortiGate-Fw (phase1-interface) # edit IPSec_Auto_Connect
FortiGate-Fw (IPSec_Auto_Connect) # set eap disable
FortiGate-Fw (IPSec_Auto_Connect) # end

 

 

That related document also provides the debug commands to troubleshoot issues with dial-up VPN and EAP together.

Use case 2:
In a dial-up IPsec VPN setup using SAML authentication, the following errors may appear if a Peer ID is configured in the IPsec phase1 settings on FortiGate (the 'peerid' option requires 'set peertype one') but no Local ID is set on FortiClient. FortiClient then sends its IP address as its IKE identifier instead of the expected FQDN, and the gateway ID check fails:

FortiGate-Fw # config vpn ipsec phase1-interface
FortiGate-Fw (phase1-interface) # edit REMOTE
FortiGate-Fw (REMOTE) # set peerid "fortinet"
FortiGate-Fw (REMOTE) # end

ike 0:IPsecVPN_saml:381: received FCT-UID = B041A92A44754A61BE5F6A8B2B64E2
ike 0:IPsecVPN_saml:381: received EMS SN : FCTEMS*******
ike 0:IPsecVPN_saml:381: received EMS tenant ID : 00000000000000000000000000000000
ike 0:IPsecVPN_saml:381: peer identifier IPV4_ADDR 192.168.1.222
ike 0:IPsecVPN_saml:381: re-validate gw ID
ike 0:IPsecVPN_saml:381: gw validation failed
ike 0:IPsecVPN_saml:381: schedule delete of IKE SA d8813abeaecd89/9f83068932fba0
ike 0:IPsecVPN_saml:381: scheduled delete of IKE SA d8813abeaecd89/9f83068932fba0
ike 0:IPsecVPN_saml: connection expiring due to phase1 down

To resolve this issue, configure the Local ID on FortiClient to match the Peer ID set on FortiGate in the IPsec phase1 configuration ('fortinet' in this example). With the Local ID set, the same debug shows the FQDN identifier being received and gateway validation succeeding:

ike 0:IPsecVPN_saml:381: received FCT-UID = B041A92A44754A61BE5F6A8B2B64E2
ike 0:IPsecVPN_saml:381: received EMS SN : FCTEMS*******
ike 0:IPsecVPN_saml:381: received EMS tenant ID : 00000000000000000000000000000000
ike 0:IPsecVPN_saml:381: received peer identifier FQDN 'fortinet'
ike 0:IPsecVPN_saml:381: re-validate gw ID
ike 0:IPsecVPN_saml:381: gw validation OK
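Both use cases above produce the same 'gw validation failed' line, so the quickest way to tell them apart is to read the 'peer identifier' line that precedes it and compare it with the tunnel's phase1 settings. The following Python script is an added example, not code from this article or from FortiOS: it parses the output of 'diagnose debug app ike -1' in the line format shown above, groups it per IKE negotiation (the 'ike 0:<tunnel>:<seq>:' prefix), and reports which of the two fixes applies. The phase1 dictionaries are a hypothetical representation of the 'config vpn ipsec phase1-interface' settings, and the sample logs are constructed from the debug lines on this page (203.0.113.10 stands in for the user's public IP).

```python
"""Triage FortiGate IKE debug output for 'gw validation failed'.

Added example, not code from the Fortinet article or from FortiOS: it parses
the text printed by 'diagnose debug app ike -1', groups it per IKE negotiation
and, given the tunnel's phase1 settings, reports which use case applies.
The line format is the one shown on the page; the phase1 dicts and the
sample logs below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Every IKE debug line looks like 'ike <vdom>:<tunnel>[:<seq>]: <message>'.
LINE_RE = re.compile(
    r"^ike\s+(?P<vd>\d+):(?P<tunnel>[^:]+)(?::(?P<seq>\d+))?:\s*(?P<msg>.*)$"
)
# e.g. "peer identifier IPV4_ADDR 192.168.1.222" or "received peer identifier FQDN 'fortinet'"
PEER_ID_RE = re.compile(r"peer identifier\s+(?P<type>[A-Z0-9_]+)\s+'?(?P<value>[^']+?)'?\s*$")


@dataclass
class Negotiation:
    tunnel: str
    seq: str
    peer_id_type: str | None = None
    peer_id_value: str | None = None
    gw_validation: str | None = None   # 'OK' or 'failed'
    phase1_down: bool = False


def parse_ike_debug(text: str) -> dict[tuple[str, str], Negotiation]:
    """Group lines by (tunnel, seq). Lines without a sequence number, such as
    'connection expiring due to phase1 down', belong to the tunnel's latest negotiation."""
    negs: dict[tuple[str, str], Negotiation] = {}
    last_seq: dict[str, str] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tunnel, seq, msg = m["tunnel"], m["seq"], m["msg"]
        if seq is None:
            seq = last_seq.get(tunnel)
            if seq is None:
                continue
        last_seq[tunnel] = seq
        neg = negs.setdefault((tunnel, seq), Negotiation(tunnel, seq))
        pid = PEER_ID_RE.search(msg)
        if pid:
            neg.peer_id_type, neg.peer_id_value = pid["type"], pid["value"]
        elif msg.startswith("gw validation"):
            neg.gw_validation = msg.split()[-1]
        elif "phase1 down" in msg:
            neg.phase1_down = True
    return negs


def explain_failure(neg: Negotiation, phase1: dict) -> str:
    """Map a failed negotiation to one of the article's fixes. 'phase1' mirrors the
    tunnel's 'config vpn ipsec phase1-interface' settings (hypothetical dict form)."""
    if neg.gw_validation != "failed":
        return "no gw validation failure"
    # Use case 2: FortiGate checks the peer's IKE ID against 'peerid' when peertype is 'one'.
    expected = phase1.get("peerid") if phase1.get("peertype") == "one" else None
    if expected and neg.peer_id_value != expected:
        return (f"use case 2: FortiGate expects peer ID '{expected}' but the client sent "
                f"{neg.peer_id_type} {neg.peer_id_value}; set Local ID '{expected}' on FortiClient")
    # Use case 1: IKEv2 dial-up authenticates users with EAP, which the wizard leaves unset.
    if phase1.get("ike-version") == 2 and phase1.get("eap") != "enable":
        return ("use case 1: IKEv2 dial-up with EAP disabled; set 'eap enable', "
                "'eap-identity send-request' and 'authusrgrp <group>' under phase1")
    return "gw validation failed for a reason not covered by the article"


def triage(text: str, phase1_by_tunnel: dict[str, dict]) -> list[str]:
    """One finding per negotiation that failed gw validation."""
    return [f"{n.tunnel}:{n.seq}: {explain_failure(n, phase1_by_tunnel.get(n.tunnel, {}))}"
            for n in parse_ike_debug(text).values() if n.gw_validation == "failed"]


# Constructed samples based on the debug output shown above (203.0.113.10 is a placeholder).
SAMPLE_USE_CASE_1 = """\
ike 0:REMOTE:77: peer identifier IPV4_ADDR 203.0.113.10
ike 0:REMOTE:77: re-validate gw ID
ike 0:REMOTE:77: gw validation failed
ike 0:REMOTE: connection expiring due to phase1 down
ike 0:REMOTE: deleting
ike 0:REMOTE: deleted
"""
SAMPLE_USE_CASE_2_BEFORE = """\
ike 0:IPsecVPN_saml:381: peer identifier IPV4_ADDR 192.168.1.222
ike 0:IPsecVPN_saml:381: re-validate gw ID
ike 0:IPsecVPN_saml:381: gw validation failed
ike 0:IPsecVPN_saml: connection expiring due to phase1 down
"""
SAMPLE_USE_CASE_2_AFTER = """\
ike 0:IPsecVPN_saml:381: received peer identifier FQDN 'fortinet'
ike 0:IPsecVPN_saml:381: re-validate gw ID
ike 0:IPsecVPN_saml:381: gw validation OK
"""
PHASE1_USE_CASE_1 = {"ike-version": 2, "eap": "disable", "peertype": "any"}
PHASE1_USE_CASE_2 = {"ike-version": 2, "eap": "enable", "peertype": "one", "peerid": "fortinet"}

if __name__ == "__main__":
    for sample, cfg in ((SAMPLE_USE_CASE_1, {"REMOTE": PHASE1_USE_CASE_1}),
                        (SAMPLE_USE_CASE_2_BEFORE, {"IPsecVPN_saml": PHASE1_USE_CASE_2}),
                        (SAMPLE_USE_CASE_2_AFTER, {"IPsecVPN_saml": PHASE1_USE_CASE_2})):
        print(triage(sample, cfg) or ["gw validation OK"])
```

Paste the real debug output in place of the constructed samples and fill the phase1 dictionary from 'show vpn ipsec phase1-interface <tunnel>'; the peer ID check is evaluated first because a mismatching identifier is visible in the log itself, while the EAP case can only be inferred from the configuration.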

Comments
GILMENDO
Staff

Great input thank you @vbarrios 

MaryBolano
Staff

Well done @vbarrios !!!