This article provides guidelines for how to resolve the issue of receiving 'Invalid ESP packet detected (HMAC validation failed)' error messages in your logs.

FortiGate v6.4, v7.0 and v7.2.

HMAC validation failure can occur at the kernel (software) or NPU level (hardware).

If this error appears, try the following:

Disable NPU offload under phase1 and firewall policy.

config vpn ipsec phase1-interface

    edit "name"

        set npu-offload disable

end

config firewall policy

    edit X

        set auto-asic-offload disable

end

HMAC checks are offloaded to network processors by default; disable it to see if that helps.

configure system global

    set ipsec-hmac-offload disable

end

Do 'packet fragmentation' before encapsulating it in ESP.

config vpn ipsec phase1-interface

    edit "name"

        set ip-fragmentation pre-encapsulation

end

If HUB & SPOKE (HQ and Branch) is set up, where the spoke is the one initiating most of the traffic to the HUB, enabling 'fragmentation' only on the spoke site might be enough.

Note:

See if making the change stated in '1' resolves the issue before going to 2, etc.

If the issue persists, open a ticket with Fortinet support.

Related article :

Troubleshooting Tip: 'Invalid ESP packet detected (HMAC validation failed)' VPN error