FortiGate
princes
Staff
Article Id 334394
Description This article describes how to resolve an IPsec phase-1 failure in which the IKE debug shows repeated auth_retransmit or ident_r2send messages because the local ID type configured on the FortiGate does not match the ID the remote peer expects.
Scope Any supported version of FortiOS.
Solution

Phase-1 configuration on the FortiGate (ID settings shown with 'show full-configuration | grep id' inside the phase1-interface entry):

config vpn ipsec phase1-interface
    edit IPSEC_S2S
        show full-configuration | grep id
            set localid "prince_1.test.com"
            set localid-type fqdn     <- By default the local ID type is 'address' (the IP address of the local IPsec gateway). Here it was changed to fqdn, which does not match the ID the remote peer expects.

 

IKE debug (collected with 'diagnose debug application ike -1' and 'diagnose debug enable'):

ike 0:52f3ff3a95e3272a/0000000000000000:33250: ISAKMP SA lifetime=86400
ike 0:52f3ff3a95e3272a/0000000000000000:33250: SA proposal chosen, matched gateway IPSEC_S2S
ike 0: found IPSEC_S2S 10.5.31.220 3 -> 10.5.29.43:500

ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r1send): 10.5.31.220:500->10.5.29.43:500, len=192, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0: comes 10.5.29.43:500->10.5.31.220:500,ifindex=3,vrf=0....

ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:IPSEC_S2S:33251: ISAKMP SA 8b3f1e5f62158426/bd5c6c33a6ac7b50 key 16:7443A8E97F343EF3E55C284808DEBC6D

The phase-1 proposal is accepted and the FortiGate, acting as responder, sends main-mode messages 2 (ident_r1send) and 4 (ident_r2send) and derives the ISAKMP SA key. The exchange never completes, however: messages 5 and 6, which carry the peers' identities, fail and the FortiGate keeps retransmitting ident_r2send.
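The stall is easy to miss in a long 'diagnose debug application ike -1' capture with several tunnels. The following script is an added example, not code from the Fortinet article: it groups the "sent IKE msg" lines by gateway and ISAKMP SPI pair and reports any SA whose last message keeps being re-sent without the exchange advancing, which for a responder stuck at ident_r2send (main-mode message 4) points at the message 5/6 identification failure described above. The sample debug lines are constructed in the format of the article's output; the gateway name HEALTHY_S2S, its SPIs and the message-to-number mapping (ident_r1send = 2, ident_r2send = 4, ident_r3send = 6) are assumptions of the example.

```python
"""
Added example (not from the Fortinet article): scan FortiGate IKE debug output
('diagnose debug application ike -1' saved to a file) for IKEv1 main-mode
negotiations that stall, i.e. an ISAKMP SA for which the FortiGate keeps
re-sending the same message and never advances to the next one.
"""
import re
import sys
from collections import defaultdict

# Responder-side main-mode messages in the order FortiOS sends them
# (assumed mapping): ident_r1send = message 2, ident_r2send = message 4,
# ident_r3send = message 6.
MSG_NUMBER = {"ident_r1send": 2, "ident_r2send": 4, "ident_r3send": 6}

# Parses the "sent IKE msg" lines, e.g.
# ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f.../bd5c...
SENT_RE = re.compile(
    r"^ike \d+:(?P<gw>[^:\s]+):(?P<serial>\d+): sent IKE msg \((?P<msg>\w+)\):"
    r".*\bid=(?P<spi>[0-9a-f]{16}/[0-9a-f]{16})"
)


def stalled_exchanges(lines, min_repeats=2):
    """Group 'sent IKE msg' lines by (gateway, ISAKMP SPI pair) and return the
    SAs whose last message was sent min_repeats or more times in a row with no
    later message: {(gateway, spi): (message_name, repeats)}."""
    sent = defaultdict(list)
    for line in lines:
        m = SENT_RE.match(line.strip())
        if m:
            sent[(m["gw"], m["spi"])].append(m["msg"])

    stalled = {}
    for key, msgs in sent.items():
        last = msgs[-1]
        repeats = 0
        for name in reversed(msgs):          # length of the trailing run of `last`
            if name != last:
                break
            repeats += 1
        # Message 6 (ident_r3send) is the end of main mode, so repeats there
        # are not a phase-1 identification stall.
        if repeats >= min_repeats and MSG_NUMBER.get(last) != 6:
            stalled[key] = (last, repeats)
    return stalled


def explain(msg):
    """Map the last message the FortiGate sent to the main-mode step that fails."""
    n = MSG_NUMBER.get(msg)
    if n == 4:
        return ("stuck after main-mode message 4: messages 5/6 (identification/"
                "authentication) are failing; check localid-type / localid on the "
                "FortiGate and the peer ID expected by the remote side")
    if n == 2:
        return "stuck after main-mode message 2: message 3 from the peer was never received or accepted"
    return f"unexpected last message {msg!r}"


# Constructed sample in the format of the article's debug output: IPSEC_S2S
# re-sends message 4 three times (the ID failure case), while a second,
# hypothetical gateway HEALTHY_S2S completes main mode with message 6.
SAMPLE_DEBUG = """\
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r1send): 10.5.31.220:500->10.5.29.43:500, len=192, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0: comes 10.5.29.43:500->10.5.31.220:500,ifindex=3,vrf=0....
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:HEALTHY_S2S:17: sent IKE msg (ident_r1send): 10.5.31.220:500->10.5.29.44:500, len=192, vrf=0, id=0011223344556677/8899aabbccddeeff
ike 0:HEALTHY_S2S:17: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.44:500, len=380, vrf=0, id=0011223344556677/8899aabbccddeeff
ike 0:HEALTHY_S2S:17: sent IKE msg (ident_r3send): 10.5.31.220:500->10.5.29.44:500, len=92, vrf=0, id=0011223344556677/8899aabbccddeeff
"""


if __name__ == "__main__":
    # Usage: python3 ike_stall.py ike_debug.txt   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEBUG
    found = stalled_exchanges(text.splitlines())
    if not found:
        print("no stalled main-mode exchanges found")
    for (gw, spi), (msg, n) in found.items():
        print(f"{gw} SA {spi}: {msg} sent {n}x -> {explain(msg)}")
```

The heuristic keys on the same message being re-sent for the same SPI pair rather than on a specific "retransmit" log string, so it works on captures from different FortiOS builds as long as the "sent IKE msg" line format shown in the article is present. Run it against a file saved from the debug session; on the sample it reports IPSEC_S2S stuck at ident_r2send and leaves HEALTHY_S2S alone.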

 

(Screenshot: IPsec monitor, tunnel IPSEC_S2S before the change)

 

Fix: on the FortiGate, set the local ID type back to address so that the ID sent in messages 5 and 6 is the gateway IP address that the remote side expects:

config vpn ipsec phase1-interface
    edit IPSEC_S2S
        set localid-type address
    next
end

 

(Screenshot: IPsec monitor after setting the local ID type to address)

 

Note:

In an IPsec tunnel with a SonicWall or Sophos peer, if phase 1 stays down with Retransmit_AUTH or ident_r2send repeating in the IKE debug, check the local ID type and local ID settings on the FortiGate, and the peer ID the remote side is configured to expect.

The negotiation fails at IKE main-mode messages 5 and 6: these are the messages in which each peer presents its identity, and identification of the remote peer fails when the ID type sent does not match what the peer expects.

 

Related document:

Troubleshooting Tip: IPsec Site-to-Site Tunnel Connectivity
