Troubleshooting TIp: IPsec issues encountered with a local ID as FQDN

princes · ‎08-19-2024

Description

This article describes how to resolve an IPsec phase-1 issue that occurs due to auth_retransmit or ident_r2send.

Scope

Any supported version of FortiOS.

Solution

Error in IKE debug:

sh full | grep id
set localid "prince_1.test.com"
set localid-type fqdn <- By default, the ID type is the address of the local IPsec gateway.

IKE DEBUG:

ike 0:52f3ff3a95e3272a/0000000000000000:33250: ISAKMP SA lifetime=86400
ike 0:52f3ff3a95e3272a/0000000000000000:33250: SA proposal chosen, matched gateway IPSEC_S2S
ike 0: found IPSEC_S2S 10.5.31.220 3 -> 10.5.29.43:500

ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r1send): 10.5.31.220:500->10.5.29.43:500, len=192, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0: comes 10.5.29.43:500->10.5.31.220:500,ifindex=3,vrf=0....

ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:IPSEC_S2S:33251: ISAKMP SA 8b3f1e5f62158426/bd5c6c33a6ac7b50 key 16:7443A8E97F343EF3E55C284808DEBC6D

IPSEC monitor

After putting the local ID type as the address in the remote side:

edit IPSEC_S2S

set localid-type address

After setting id type as address

Note:

In an IPsec tunnel between sonicwall or sophos, if the phase-1 is down with Retransmit_AUTH or ident_r2send, check the local ID type and local ID settings.

This fails because in IKE msg 5 and 6 are failed in identification of the remote peer.

Related document:

Troubleshooting Tip: IPsec Site-to-Site Tunnel Connectivity

Troubleshooting TIp: IPsec issues encountered with a local ID as FQDN

You are leaving our website