Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sherman_P
Staff
Staff

Created on ‎12-01-2023 12:14 AM

Article Id 287073

Technical Tip: IPSEC VPN Tunnel between FortiGate and AWS using IKEv2 is not getting established due to received notify type authentication_failed error

Description

 

This article describes how to solve when seeing this error: received notify type authentication_failed.

 

Scope

 

FortiGate.

 

Solution

 

By executing the following commands:

 

diag debug reset
diag debug console timestamp enable
diag debug application ike -1
diag debug enable

 

The debug output on the FortiGate (acting as initiator) will be shown as below:

 

ike 0:AWS-VPN-1_DGT:97642: initiator received AUTH msg
ike 0:AWS-VPN-1_DGT:97642: received notify type AUTHENTICATION_FAILED
ike 0:AWS-VPN-1_DGT:97642: schedule delete of IKE SA effec40b84bde15a/60df297450867f6c
ike 0:AWS-VPN-1_DGT:97642: scheduled delete of IKE SA effec40b84bde15a/60df297450867f6c
ike 0:AWS-VPN-1_DGT: connection expiring due to phase1 down

 

This issue could likely occur due to a pre-shared key mismatch. The peer end device is detecting a mismatch hence it is sending an AUTH failure.

To resolve this issue, re-key the same pre-shared key on both sides of the tunnel.

 

If issues are still appearing after the above steps, contact the TAC for further assistance.

584
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.