FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vbarrios
Staff
Staff
Article Id 339644
Description

This article describes how to solve the authentication problem 'gw validation failed' using IPsec Dialup IKEv2.

 

See below how the error is displayed while running the debugs:

 

diagnose vpn ike log-filter dst-addr4 x.x.x.x  <--- Remote Public IP address.
diagnose debug app ike -1 

diagnose debug enable

 

Note:

Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

ike 0:REMOTE:77: peer identifier IPV4_ADDR x.x.x.x
ike 0:REMOTE:77: re-validate gw ID
ike 0:REMOTE:77: gw validation failed

 

ike 0:REMOTE: connection expiring due to phase1 down
ike 0:REMOTE: deleting
ike 0:REMOTE: deleted

Scope FortiGate.
Solution

FortiGate IPsec VPN wizard only supports IKEv1 when creating Dial-up tunnels. When IKE is changed from version '1' to '2' some settings are not configured. To authenticate successfully using IKEv2, the below commands must be set under tunnel phase1 settings: 

 

FortiGate-Fw # config vpn ipsec phase1-interface
FortiGate-Fw (phase1-interface) # edit REMOTE
FortiGate-Fw (REMOTE) # set eap enable
FortiGate-Fw (REMOTE) # set eap-identity send-request
FortiGate-Fw (REMOTE) # set authusrgrp <User Group name>
FortiGate-Fw (REMOTE) # end

 

Note:

The tunnel name in this example is 'REMOTE'. Make sure to use the respective name. 

 

The error 'EAP response is empty' can also be seen in the debugs. To resolve that error, follow the below article :

Troubleshooting Tip: Using IKEv2 for a dial-up IPsec tunnel with a RADIUS server and Local user

 

It also provides the debug commands to troubleshoot the issues with dial-up VPN and EAP together. 

Comments
GILMENDO
Staff
Staff

Great input thank you @vbarrios 

MaryBolano
Staff
Staff

Well done @vbarrios !!!