FortiGate
kumarh
Staff
Article Id 333617
Description This article describes how to resolve the 'INVALID-HASH-INFORMATION' error encountered on an IPsec tunnel between a FortiGate and a third-party device.
Scope FortiGate.
Solution

This error may be encountered when the pre-shared key (PSK) is mismatched, or when the hash or message authentication code sent by the peer does not match what the receiving end expects. A sample from the IKE debug output:

 

2024-08-08 10:31:25.814555 ike 0:TPI:364847: notify msg received: INVALID-HASH-INFORMATION 
2024-08-08 10:31:26.076927 ike 0:TPI:364847: notify msg received: R-U-THERE 
2024-08-08 10:31:26.077801 ike 0:TPI:364847: out  
2024-08-08 10:31:26.077823 ike 0:TPI:364847: sent IKE msg (R-U-THERE-ACK): 10.250.134.18:4500->47.46.163.214:4500, len=92, vrf=0, id=5f8465cbdee3b5ca/0dd7f5e574e060f9:17b225cb 

2024-08-08 10:31:41.078087 ike 0:TPI:364847: notify msg received: R-U-THERE 
2024-08-08 10:31:41.078793 ike 0:TPI:364847: enc  
2024-08-08 10:31:41.079886 ike 0:TPI:364847: sent IKE msg (R-U-THERE-ACK): 10.250.134.18:4500->47.46.163.214:4500, len=92, vrf=0, id=5f8465cbdee3b5ca/0dd7f5e574e060f9:254250d8 
2024-08-08 10:31:43.394946 ike 0:TPI:TPI: IPsec SA connect 3 10.250.134.18->97.46.163.214:4500 
 

By default, FortiGate acts as the initiator. 

 
If the FortiGate is made the responder, it waits for the remote peer to initiate the connection. When the FortiGate initiates, it uses its own local and remote IDs based on its configuration, which might not align with what the remote device expects. By letting the remote device initiate, the FortiGate receives the expected IDs from the remote device, and the settings can be adjusted accordingly.

 

Refer to this article to make the FortiGate act as a responder; the setting is passive mode on the phase1 interface. For example:

 

config vpn ipsec phase1-interface
    edit <tunnel>
        set passive-mode enable
    next
end


Additionally, ensure that the local ID configured on the FortiGate matches the remote ID configured on the third-party device, and vice versa.
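As an added example (not part of the original article or Fortinet's own tooling), the following Python script triages FortiGate IKE debug output such as the excerpt above (the kind produced by `diagnose debug application ike`): it groups notify messages by tunnel, drops DPD keepalives, and flags tunnels that received INVALID-HASH-INFORMATION together with the peer address observed on that tunnel. The embedded sample lines are constructed from the excerpt; the reading of that notify as a PSK or ID mismatch follows the article.

```python
import re
from collections import defaultdict

# Constructed sample: three lines taken from the FortiGate IKE debug excerpt above.
SAMPLE_LOG = """\
2024-08-08 10:31:25.814555 ike 0:TPI:364847: notify msg received: INVALID-HASH-INFORMATION
2024-08-08 10:31:26.076927 ike 0:TPI:364847: notify msg received: R-U-THERE
2024-08-08 10:31:26.077823 ike 0:TPI:364847: sent IKE msg (R-U-THERE-ACK): 10.250.134.18:4500->47.46.163.214:4500, len=92, vrf=0, id=5f8465cbdee3b5ca/0dd7f5e574e060f9:17b225cb
"""

# Each line reads "<date> <time> ike <n>:<tunnel>:<serial>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) ike \d+:(?P<tunnel>[^:]+):[^:]*: (?P<msg>.*)$")
NOTIFY_RE = re.compile(r"notify msg received: (?P<notify>[A-Z0-9-]+)")
PEER_RE = re.compile(r"\d+(?:\.\d+){3}:\d+->(?P<remote>\d+(?:\.\d+){3}):\d+")

# Notifies that, per the article, indicate a PSK or hash/ID mismatch with the peer.
AUTH_NOTIFIES = {"INVALID-HASH-INFORMATION"}
# DPD keepalive notifies: normal traffic, ignored for this diagnosis.
DPD_NOTIFIES = {"R-U-THERE", "R-U-THERE-ACK"}

def parse_ike_log(text):
    """Group non-DPD notifies and observed remote peers by tunnel name."""
    tunnels = defaultdict(lambda: {"notifies": [], "peers": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ike debug line
        entry = tunnels[m["tunnel"]]
        n = NOTIFY_RE.search(m["msg"])
        if n and n["notify"] not in DPD_NOTIFIES:
            entry["notifies"].append((m["ts"], n["notify"]))
        p = PEER_RE.search(m["msg"])
        if p:
            entry["peers"].add(p["remote"])
    return dict(tunnels)

def diagnose(text):
    """Return (tunnel, finding) pairs for tunnels that received an auth-related notify."""
    findings = []
    for tunnel, entry in parse_ike_log(text).items():
        auth = [n for _, n in entry["notifies"] if n in AUTH_NOTIFIES]
        if auth:
            peers = ", ".join(sorted(entry["peers"])) or "unknown peer"
            findings.append((tunnel, f"{auth[0]} from {peers}: verify the PSK and that local/remote IDs match on both ends"))
    return findings

if __name__ == "__main__":
    for tunnel, finding in diagnose(SAMPLE_LOG):
        print(f"{tunnel}: {finding}")
```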