Description | This article describes how to resolve an IPsec phase-1 issue that occurs due to auth_retransmit or ident_r2send. |
Scope | Any supported version of FortiOS. |
Solution |
Error in IKE debug:
sh full | grep id
IKE DEBUG:
ike 0:52f3ff3a95e3272a/0000000000000000:33250: ISAKMP SA lifetime=86400
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r1send): 10.5.31.220:500->10.5.29.43:500, len=192, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
After setting the local ID type to address on the remote side:
edit IPSEC_S2S
    set localid-type address
Note: In an IPsec tunnel with a SonicWall or Sophos peer, if phase-1 is down with Retransmit_AUTH or ident_r2send, check the local ID type and local ID settings. Phase-1 fails because IKE messages 5 and 6 fail to identify the remote peer.
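A triage helper for the debug output above, added here as an example and not Fortinet code: it groups `sent IKE msg` lines by tunnel and cookie pair and reports exchanges whose last sent message is ident_r2send or Retransmit_AUTH, together with the peer address whose local ID settings need checking. The function and variable names are hypothetical, and the LAB_TUNNEL line with its addresses is constructed sample input.

```python
import re
from collections import OrderedDict

# Line format taken from the IKE debug output quoted in this article.
SENT = re.compile(
    r"ike \d+:(?P<tunnel>[^:\s]+):\d+: sent IKE msg \((?P<state>\w+)\): "
    r"(?P<local>[\d.]+):\d+->(?P<peer>[\d.]+):\d+, .*?"
    r"id=(?P<cookies>[0-9a-f]{16}/[0-9a-f]{16})"
)

# States this article associates with a local ID mismatch (compared lowercase).
STUCK_STATES = {"ident_r2send", "retransmit_auth"}

# First two lines are from the article (the second is two fused entries,
# as debug output often arrives); the LAB_TUNNEL line is constructed.
SAMPLE = """\
ike 0:52f3ff3a95e3272a/0000000000000000:33250: ISAKMP SA lifetime=86400
ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r1send): 10.5.31.220:500->10.5.29.43:500, len=192, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50 ike 0:IPSEC_S2S:33251: sent IKE msg (ident_r2send): 10.5.31.220:500->10.5.29.43:500, len=380, vrf=0, id=8b3f1e5f62158426/bd5c6c33a6ac7b50
ike 0:LAB_TUNNEL:33260: sent IKE msg (ident_r1send): 192.0.2.1:500->198.51.100.7:500, len=192, vrf=0, id=1111111111111111/2222222222222222
"""


def stuck_exchanges(debug_text):
    """Return exchanges whose last sent message is one of STUCK_STATES."""
    seen = OrderedDict()
    # finditer (not per-line matching) also handles entries fused on one line.
    for m in SENT.finditer(debug_text):
        key = (m["tunnel"], m["cookies"])
        entry = seen.setdefault(key, {
            "tunnel": m["tunnel"],
            "peer": m["peer"],
            "cookies": m["cookies"],
            "states": [],
        })
        entry["states"].append(m["state"].lower())
    return [e for e in seen.values() if e["states"][-1] in STUCK_STATES]


if __name__ == "__main__":
    for e in stuck_exchanges(SAMPLE):
        print(f"{e['tunnel']}: phase-1 stopped at {e['states'][-1]} "
              f"with peer {e['peer']} ({e['cookies']}); "
              "check localid-type and local ID on both ends")
```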
Related document: |
Copyright 2025 Fortinet, Inc. All Rights Reserved.