Description
This article describes how to resolve the 'gw validation failed' authentication error on an IPsec dial-up tunnel using IKEv2.
The error appears as follows while running the debugs:
diagnose vpn ike log-filter dst-addr4 x.x.x.x <--- Remote Public IP address.
diagnose debug enable
Note: Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.
ike 0:REMOTE:77: peer identifier IPV4_ADDR x.x.x.x
ike 0:REMOTE: connection expiring due to phase1 down
Scope
FortiGate.
Solution
The FortiGate IPsec VPN wizard only supports IKEv1 when creating dial-up tunnels. When the IKE version is changed from '1' to '2', some settings are not configured. To authenticate successfully using IKEv2, the commands below must be set under the tunnel's phase1 settings:
FortiGate-Fw # config vpn ipsec phase1-interface
Note: The tunnel name in this example is 'REMOTE'. Make sure to use the respective name.
The error 'EAP response is empty' can also be seen in the debugs. To resolve that error, follow this article: Troubleshooting Tip: Using IKEv2 for a dial-up IPsec tunnel with a RADIUS server and Local user
It also provides the debug commands to troubleshoot issues with dial-up VPN and EAP together.
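When the IKE debug output is saved to a file, the two errors named in this article can be picked out per tunnel with a small script. The following is an added example, not Fortinet code: the function name, the hint texts and the sample lines are assumptions, and only the 'peer identifier' and 'connection expiring' line shapes are taken from the output shown above.

```python
import re
from collections import defaultdict

# Line shape taken from the debug output above: "ike 0:REMOTE:77: <message>".
# The connection number is optional ("ike 0:REMOTE: connection expiring ...").
LINE_RE = re.compile(r"^ike (\d+):([^:\s]+)(?::(\d+))?: (.*)$")

# Error strings quoted in this article, mapped to the action the article gives.
KNOWN_ERRORS = {
    "gw validation failed": "set the IKEv2 options under the tunnel's phase1-interface",
    "EAP response is empty": "follow the linked IKEv2 dial-up RADIUS/local user tip",
}

# Constructed sample. The error lines are assumed to carry the same prefix as
# the lines shown in the article; the addresses are documentation ranges.
SAMPLE = """\
ike 0:REMOTE:77: peer identifier IPV4_ADDR 203.0.113.10
ike 0:REMOTE:77: gw validation failed
ike 0:REMOTE: connection expiring due to phase1 down
ike 0:BRANCH:12: peer identifier IPV4_ADDR 198.51.100.7
ike 0:BRANCH:12: EAP response is empty
unrelated console noise
"""

def triage(text):
    """Group IKE debug lines by tunnel and flag the errors this article covers."""
    report = defaultdict(lambda: {"peers": [], "errors": [], "phase1_down": False})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IKE debug line
        _index, tunnel, _conn, msg = m.groups()
        entry = report[tunnel]
        if msg.startswith("peer identifier "):
            entry["peers"].append(msg.split()[-1])
        if "connection expiring due to phase1 down" in msg:
            entry["phase1_down"] = True
        for needle, hint in KNOWN_ERRORS.items():
            if needle in msg and (needle, hint) not in entry["errors"]:
                entry["errors"].append((needle, hint))
    return dict(report)

if __name__ == "__main__":
    for tunnel, info in triage(SAMPLE).items():
        print(tunnel, info)
```
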
Great input thank you @vbarrios
Well done @vbarrios !!!