FortiGate
sahmed_FTNT
Staff & Editor
Article Id 362723
Description This article describes how to resolve an IPsec connectivity error that occurs when building tunnels to third-party vendor devices.
Scope FortiGate.
Solution

Users may observe the following error in the IKE debug output while troubleshooting a VPN to a third-party device:

Error

ike 0:VPN-to-xxx:5057: ignoring unsupported INFORMATIONAL message 0.
ike ::ffff:10x.1xx.1xx.58 truncated control message 0 16 0
ike 0:VPN-to-xxxx:5057: negotiation timeout, deleting
ike 0:VPN-to-xxxx: connection expiring due to phase1 down
Possible fixes for the error:

  • Check for a DH group mismatch on both sides.
  • Disable PFS on both sides.
  • Make sure both sides are using the correct IKE port; try forcing NAT-T (UDP port 4500) on both sides.
  • Remove complex or special characters from the pre-shared key on both sides.
  • Try using IKEv1 instead of IKEv2 on both sides.
  • Try lowering the encryption strength on both sides.
  • Manually set the localid-type in the phase1-interface settings and make sure it matches what is configured on the third-party device. In most cases, set localid-type to 'address' and use the FortiGate's local gateway IP as the localid.
  • If the FortiGate is behind NAT, add the FortiGate's original (pre-NAT) IP as a secondary remote gateway on the third-party device.
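The following phase1-interface and phase2-interface configuration is an added example, not part of the original article, showing how the checklist above maps onto FortiOS CLI settings. The tunnel name "VPN-to-vendor", the interface "wan1", the addresses 198.51.100.10 / 203.0.113.10, the subnets and the pre-shared key are placeholders; the DH group and proposal must match whatever the peer is actually configured with.

```fortios
# Added example (not from the original article). Placeholders:
# tunnel name, interface, IP addresses, subnets and the PSK.
config vpn ipsec phase1-interface
    edit "VPN-to-vendor"
        set interface "wan1"
        # Fall back to IKEv1 if the peer only negotiates cleanly on v1
        set ike-version 1
        # Proposal and DH group must be identical on the peer; a DH mismatch is the first thing to check
        set proposal aes128-sha256
        set dhgrp 14
        # Force NAT-T (UDP/4500) even when no NAT is detected on the path
        set nattraversal forced
        # Explicit IKE identity: type 'address' with the FortiGate's own gateway IP as the ID
        set localid-type address
        set localid "198.51.100.10"
        set remote-gw 203.0.113.10
        # Letters and digits only while isolating the fault; avoid special characters
        set psksecret ExamplePreSharedKey2024
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-vendor-p2"
        set phase1name "VPN-to-vendor"
        set proposal aes128-sha256
        # PFS off on both ends during troubleshooting; re-enable once the tunnel is stable
        set pfs disable
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end
```

Apply the same values (DH group, proposal, PFS state, IKE version, NAT-T and identity type) on the vendor device before testing; a setting that only changes on one side reproduces the mismatch the error describes.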
If none of the above steps resolve the issue, collect an ISAKMP packet capture from the remote end to verify whether the peer's proposal is actually being sent, or whether only informational messages are reaching the FortiGate.
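To confirm from the FortiGate side what actually arrives from the peer, the following diagnostic commands are an added example and not part of the original article. The peer address 203.0.113.10 and the tunnel name "VPN-to-vendor" are placeholders, and the `log filter` syntax shown is the FortiOS 7.x form (older 6.x releases use `diagnose vpn ike log-filter dst-addr4` instead).

```fortios
# Added example (not from the original article). Placeholders: peer IP and tunnel name.
# Restrict IKE debugging to the one peer so the output stays readable
diagnose vpn ike log filter rem-addr4 203.0.113.10
diagnose debug application ike -1
diagnose debug enable
# Bring the tunnel up from either side, watch for the proposal exchange, then stop:
diagnose debug disable
diagnose debug reset
# Raw capture of IKE (UDP/500) and NAT-T (UDP/4500) in both directions;
# verbose level 4 prints packet headers with the interface name
diagnose sniffer packet any 'host 203.0.113.10 and (udp port 500 or udp port 4500)' 4 0 l
# Current phase1 state for the tunnel (IKE version, NAT-T detection, proposal)
diagnose vpn ike gateway list name VPN-to-vendor
```

If the sniffer shows only informational packets arriving and no SA proposal, the problem is on the peer's side of the exchange and the remote capture requested above is the next step.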