FortiGate
spoojary
Staff
Article Id 276456
Description This article describes a problem users encounter when moving an IPsec tunnel between two FortiGate units from IKEv1 to IKEv2, and its solution.
Scope FortiGate.
Solution

Problem Summary:

An IPsec tunnel is configured between two FortiGate units. With IKEv1 the tunnel stays up, but after switching it to IKEv2 the two units disagree on its state: one FortiGate shows the tunnel as up while the other shows it as down.

 

Troubleshooting Steps Undertaken:

  1. Checked the IPsec tunnel status on both FortiGate units.
  2. Confirmed that with IKEv1 the tunnel stays up, while with IKEv2 the two units report different states.
  3. The IKE debug ('diagnose debug application ike -1') showed the error 'invalid IKE request SPI'.
  4. The same debug showed the authentication failure below on the unit that reports the tunnel as down:

 

2025-02-15 18:44:51.376182 ike 1:BOT_NEW_2021:33390541: initiator received AUTH msg
2025-02-15 18:44:51.376188 ike 1:BOT_NEW_2021:33390541: peer identifier IPV4_ADDR
2025-02-15 18:44:51.376204 ike 1:BOT_NEW_2021:33390541: auth verify done
2025-02-15 18:44:51.376209 ike 1:BOT_NEW_2021:33390541: initiator AUTH continuation
2025-02-15 18:44:51.376214 ike 1:BOT_NEW_2021:33390541: authentication failed

 

The Phase1 configuration on that unit had both 'set authmethod-remote psk' and 'set psksecret-remote <secret>' configured at the same time.

  5. One of the settings, 'psksecret-remote', was removed from the Phase1 entry with the command:

 

unset psksecret-remote

 

After this change the tunnel came up on both units, with incoming and outgoing traffic visible.

 

When configuring an IKEv2 IPsec tunnel between FortiGate units, do not leave both 'set authmethod-remote psk' and 'set psksecret-remote <secret>' in the Phase1 settings unless the peer is deliberately configured for asymmetric pre-shared keys. With 'psksecret-remote' set, the local unit verifies the peer's AUTH payload against that secret instead of against 'psksecret', so the peer's own 'psksecret' must equal it. If the peer still uses a single symmetric key, this unit fails to authenticate the peer while the peer, which has already verified this unit's AUTH payload with its own key, can report the tunnel as up; that is the one-sided failure seen above. Removing the redundant setting, 'psksecret-remote', resolves the issue.
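The following script is an added example for this article, not Fortinet tooling or the article's own code. It parses the config/edit/set/unset/next/end block syntax of a FortiGate configuration backup, flags IKEv2 Phase1 entries that carry both 'authmethod-remote psk' and 'psksecret-remote', and cross-checks the two peers' secrets the way the units use them (psksecret signs the unit's own AUTH payload; psksecret-remote, when set, verifies the peer's). The tunnel name BOT_NEW_2021 is reused from the debug output above; the addresses and secrets are constructed, and the parser only handles the subset of CLI syntax used in Phase1 blocks.

```python
"""Lint FortiOS config exports for the IKEv2 PSK conflict in this article.

Added example, not Fortinet tooling. Parses config/edit/set/unset/next/end
blocks from a FortiGate backup, flags IKEv2 phase1-interface entries that set
both 'authmethod-remote psk' and 'psksecret-remote', and cross-checks two
peers' secrets. Tunnel name, addresses and secrets below are constructed.
"""
import shlex


def parse_fortios(text):
    """Parse FortiOS CLI blocks into nested dicts: 'config a b' and 'edit x'
    open a table, 'next'/'end' close it, 'set k v' stores v, 'unset k' drops k."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names and values
        if not tokens or tokens[0].startswith("#"):
            continue
        kw = tokens[0]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(tokens[1:]), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
        elif kw == "set":
            stack[-1][tokens[1]] = " ".join(tokens[2:])
        elif kw == "unset":
            stack[-1].pop(tokens[1], None)
    return root


def phase1_secrets(p1):
    """(sign, verify): the unit signs its own IKEv2 AUTH payload with psksecret
    and verifies the peer's AUTH with psksecret-remote when set (asymmetric
    PSK), otherwise with psksecret (symmetric PSK)."""
    sign = p1.get("psksecret")
    return sign, p1.get("psksecret-remote", sign)


def lint_phase1(cfg):
    """Names of IKEv2 phase1-interface entries that demand asymmetric PSK from
    the peer, i.e. carry both 'authmethod-remote psk' and 'psksecret-remote'."""
    return [name for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items()
            if p1.get("ike-version", "1") == "2"          # FortiOS default is IKEv1
            and p1.get("authmethod-remote") == "psk"
            and "psksecret-remote" in p1]


def check_peer_pair(a, b):
    """Cross-check the two phase1 entries terminating one tunnel: each side's
    verify secret must equal the other side's sign secret. Backups store
    secrets as 'ENC ...' ciphertext, so values are compared only when all are
    cleartext (lab configs); otherwise a one-sided psksecret-remote is reported."""
    a_sign, a_verify = phase1_secrets(a)
    b_sign, b_verify = phase1_secrets(b)
    problems = []
    if all(s and not s.startswith("ENC ") for s in (a_sign, a_verify, b_sign, b_verify)):
        if a_verify != b_sign:
            problems.append("A cannot verify B's AUTH payload (A's verify secret != B's psksecret)")
        if b_verify != a_sign:
            problems.append("B cannot verify A's AUTH payload (B's verify secret != A's psksecret)")
    elif ("psksecret-remote" in a) != ("psksecret-remote" in b):
        problems.append("psksecret-remote set on one side only; compare the secrets by hand")
    return problems


# Constructed lab configs with cleartext secrets so the cross-check can compare
# them. Site A demands asymmetric PSK; site B was left symmetric.
SITE_A = """
config vpn ipsec phase1-interface
    edit "BOT_NEW_2021"
        set ike-version 2
        set authmethod-remote psk
        set psksecret SiteAsecret
        set psksecret-remote SiteBsecret
    next
end
"""
SITE_B = """
config vpn ipsec phase1-interface
    edit "BOT_NEW_2021"
        set ike-version 2
        set psksecret SiteAsecret
    next
end
"""
# The article's fix applied on site A, authmethod-remote first as its note requires.
FIX_A = """
config vpn ipsec phase1-interface
    edit "BOT_NEW_2021"
        unset authmethod-remote
        unset psksecret-remote
    next
end
"""
TABLE, TUNNEL = "vpn ipsec phase1-interface", "BOT_NEW_2021"


def main():
    a, b = parse_fortios(SITE_A), parse_fortios(SITE_B)
    for name in lint_phase1(a):
        print(f"site A {name}: authmethod-remote psk + psksecret-remote set")
    for p in check_peer_pair(a[TABLE][TUNNEL], b[TABLE][TUNNEL]):
        print("before fix:", p)
    a_fixed = parse_fortios(SITE_A + FIX_A)
    print("after fix:", check_peer_pair(a_fixed[TABLE][TUNNEL], b[TABLE][TUNNEL]) or "OK")


if __name__ == "__main__":
    main()
```

Run against the two constructed configs, the script reports site A's tunnel as demanding asymmetric PSK and shows that only A fails to verify B, matching the one-sided "authentication failed" in the debug above; after applying the two unset commands on A the cross-check passes. On a real backup the secrets are 'ENC' ciphertext, so only the presence check is possible there.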

 

If the tunnel remains down or other complications are encountered, contact Fortinet support for more comprehensive troubleshooting.

 

On a FortiGate terminating a large number of IKEv2 IPsec tunnels (hundreds or more), tunnel stability during re-key or Security Association (SA) renegotiation can be improved by limiting the number of tunnels that establish SAs simultaneously.

 

Starting with FortiOS 7.0.0, the number of IKEv2 SAs that may be in the establishing (embryonic) state at the same time can be limited:


config system ike
    set embryonic-limit <integer> <--- The default is 1000. The maximum is 20000.
end

 

Note:

  • This feature is available for medium and high-end models. Reference document: IPsec global IKE embryonic limit.
  • If 'authmethod-remote' is set, the peer's authentication method must match that value. If 'authmethod-remote' is not set, symmetric authentication is used and the peer must match the local 'authmethod'.
  • If 'unset psksecret-remote' is rejected by the FortiGate with an 'entry is not empty' error, run 'unset authmethod-remote' in the same Phase1 settings first; 'psksecret-remote' can then be unset.


Related article:

Technical Tip: Asymmetric pre-shared key with IKEv2 for more information on asymmetric authentication.

Technical Tip: IKEv2 dialup IPsec tunnel with RADIUS server authentication and FortiClient