FortiGate
ssriswadpong
Staff
Article Id 209323


Description

This article describes a problem seen when configuring an IPsec VPN between a FortiGate and Cisco Viptela: Cisco Viptela reports that the IDir does not match, even though the IP address carried in the ID is identical on both sides.

Scope: FortiGate.
Solution

An example of the error log from Cisco Viptela:

13[NET] sending packet: from 203.0.113.7[4500] to 198.51.100.1[4500] (108 bytes)
05[NET] received packet: from 198.51.100.1[4500] to 203.0.113.7[4500] (76 bytes)
05[ENC] parsed ID PROT response 0 [ ID HASH ]
05[IKE] IDir '198.51.100.1' does not match to '198.51.100.1'

The IP address 198.51.100.1 does match, but Cisco Viptela still reports a mismatch because the peer ID type may be mismatched: an IKE ID payload carries both an ID type and an ID value, and the responder compares both, so the same address sent with a different type fails the check while the log prints identical strings. The FortiGate default local ID type is auto, so it should be changed to address.


# config vpn ipsec phase1-interface
    edit <phase1name>
        set localid-type address
    next
end
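To make the type-versus-value distinction concrete, here is an added Python example (not part of this article or of FortiOS) that encodes IKE ID data for different ID types, performs a responder-style match that compares type and data together, and classifies "IDir ... does not match" log lines like the one above. The assumption that the FortiGate sent the address as a string-typed ID (FQDN) while the Viptela side expected an IPV4_ADDR-typed ID is hypothetical, used only to illustrate the failure.

```python
from __future__ import annotations

import ipaddress
import re

# IKE Identification Types (RFC 2407 sec. 4.6.2.1 for IKEv1, RFC 7296 sec. 3.5 for IKEv2).
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11


def encode_id_data(id_type: int, value: str) -> bytes:
    """On-wire Identification Data of one IKE ID payload for the given type."""
    if id_type == ID_IPV4_ADDR:
        return ipaddress.IPv4Address(value).packed  # 4 raw octets
    if id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        return value.encode("ascii")  # the literal characters of the string
    raise ValueError(f"unsupported ID type {id_type}")


def ids_match(sent: tuple[int, str], expected: tuple[int, str]) -> bool:
    """Responder-side peer ID check: type AND data must both agree.
    A responder that logs both IDs as text prints identical strings when only
    the type differs, which is the confusing line in the Viptela log above."""
    return sent[0] == expected[0] and encode_id_data(*sent) == encode_id_data(*expected)


LOG_RE = re.compile(r"IDir '([^']*)' does not match to\s+'([^']*)'")


def diagnose_idir_line(line: str) -> str | None:
    """Classify an "IDir ... does not match" log line; None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    received, configured = m.group(1), m.group(2)
    if received == configured:
        return "id-type-mismatch"  # same text, so only the ID type can differ
    return "id-value-mismatch"  # the configured ID value itself is wrong


if __name__ == "__main__":
    # Constructed log line in the shape of the one shown above.
    line = "05[IKE] IDir '198.51.100.1' does not match to '198.51.100.1'"
    print(diagnose_idir_line(line))  # id-type-mismatch
    # Hypothetical: FortiGate sent the address as a string-typed ID (FQDN),
    # while Viptela expects an IPV4_ADDR-typed ID carrying the same address.
    print(ids_match((ID_FQDN, "198.51.100.1"), (ID_IPV4_ADDR, "198.51.100.1")))  # False
    print(ids_match((ID_IPV4_ADDR, "198.51.100.1"), (ID_IPV4_ADDR, "198.51.100.1")))  # True
```

When a log shows the same text on both sides of "does not match", check the ID type on each peer before touching the ID value.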

