Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sherman_P
Staff
Staff

Created on ‎12-01-2023 12:14 AM Edited on ‎12-29-2025 09:03 AM By Community Manager

Article Id 287073

Technical Tip: IPsec VPN Tunnel between FortiGate and AWS using IKEv2 is not getting established due to received notify type authentication_failed error

Description

 

This article describes how to solve when seeing this error: received notify type authentication_failed.

 

Scope

 

FortiGate.

 

Solution

 

By executing the following commands:

 

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

The debug output on the FortiGate (acting as initiator) will be shown below:

 

ike 0:AWS-VPN-1_DGT:97642: initiator received AUTH msg
ike 0:AWS-VPN-1_DGT:97642: received notify type AUTHENTICATION_FAILED
ike 0:AWS-VPN-1_DGT:97642: schedule delete of IKE SA effec40b84bde15a/60df297450867f6c
ike 0:AWS-VPN-1_DGT:97642: scheduled delete of IKE SA effec40b84bde15a/60df297450867f6c
ike 0:AWS-VPN-1_DGT: connection expiring due to phase1 down

 

This issue could likely occur due to a pre-shared key mismatch. The peer end device is detecting a mismatch hence it is sending an AUTH failure. To resolve this issue, re-key the same pre-shared key on both sides of the tunnel.

 

Another possible cause is a mismatch in the local-id type between the FortiGate and the AWS VPN Gateway. Manually specifying the local-id in the phase1-interface configuration and set it to the FortiGate's public WAN IP address can prevent authentication failures.

If the FortiGate has a private IP address and traffic is NATed by an upstream device, configure the local ID to use the public IP address of the upstream NAT device that is translating the traffic.

 

config vpn ipsec phase1-interface

    edit "VPN-to-AWS"

        set interface "port1"

        set ike-version 2

        set keylife 28800

        set peertype any

        set net-device disable

        set proposal aes256-sha384

        set localid "1.79.xx.xx" <----- WAN IP of FortiGate.

        set localid-type address

        set dhgrp 14

        set remote-gw 2.79.xx.xx

        set psksecret ENC

    next

end

 

If issues still appear after the above steps, contact the TAC team via the Fortinet Support Portal for further assistance.

 

Related articles:

Troubleshooting Tip: Error 'received notify type AUTHENTICATION_FAILED' isobtained when the IPSEC tu... 

Technical Tip: IPsec tunnel is not coming up due to error message AUTHENTICATION_FAILED

2212
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.