Description
This article describes how to resolve the 'AUTHENTICATION_FAILED' error seen during IPsec tunnel negotiation between a FortiGate and a Cisco peer.
In this example:
- 10.1.1.1 is an IP on the FortiGate.
- 10.2.2.2 is an IP on the Cisco ASA.
A site-to-site IPsec VPN between a FortiGate on AWS and a Cisco peer using IKEv2 does not come up. The IKE debug on the FortiGate shows 'AUTHENTICATION_FAILED' during the IKE_AUTH exchange. Below is the debug output on the FortiGate:
2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001
In the debug on the Cisco side, the identity type received from the FortiGate is shown as FQDN. Below is the debug output on the Cisco firewall:
Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
This issue can occur when localid-type is left at auto. With auto, FortiGate derives the IKEv2 identity type from the configured localid value, so a hostname-style localid is sent as an FQDN identity. If the Cisco peer matches the remote identity by address, the FQDN identity matches no profile, the peer rejects the IKE_AUTH exchange, and the FortiGate logs AUTHENTICATION_FAILED.
Scope
FortiGate on AWS, FortiOS 7.0.6.
Solution
To resolve this issue, set localid-type to address (the FortiOS CLI keyword is localid-type), or to whichever identity type the remote peer expects from the FortiGate, on the phase1 of the affected tunnel (B1 in the debug above):
# config vpn ipsec phase1-interface
#     edit "B1"
#         set localid-type address
#     next
# end
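As an added example that is not part of the original article, the following shows both ends of the problem: the FortiGate phase1 as it looks with the problematic auto setting, the corrected version, the identity match on a Cisco IOS-XE peer that expects an address identity, and the FortiGate commands used to capture the debug shown above and confirm the fix. The tunnel name B1 and the addresses come from the article; the localid value fgt-aws, the Cisco profile and keyring names, and the PSK placeholders are assumptions.

```text
# --- FortiGate, before: localid-type auto with a hostname-style localid ---
# (auto derives the ID type from the localid value, so "fgt-aws" is sent as an FQDN ID)
config vpn ipsec phase1-interface
    edit "B1"
        set ike-version 2
        set remote-gw 10.2.2.2
        set localid "fgt-aws"
        set localid-type auto
        set psksecret <psk>
    next
end

# --- FortiGate, after: send an IP address as the IKEv2 identity ---
# With localid unset, the ID is the IP of the tunnel's outgoing interface; on AWS that is
# the instance's private address. Set localid to an explicit IP if the peer expects another one.
config vpn ipsec phase1-interface
    edit "B1"
        set localid-type address
        unset localid
    next
end

! --- Cisco IOS-XE peer (assumed configuration): match the remote identity by address ---
! An FQDN identity from the FortiGate matches nothing here and IKE_AUTH is rejected.
crypto ikev2 keyring FGT-KEYRING
 peer FGT-AWS
  address 10.1.1.1
  pre-shared-key <psk>
crypto ikev2 profile FGT-PROFILE
 match identity remote address 10.1.1.1 255.255.255.255
 identity local address 10.2.2.2
 authentication remote pre-share
 authentication local pre-share
 keyring local FGT-KEYRING

# --- FortiGate: capture the IKE debug for this tunnel and verify after the change ---
# (FortiOS 7.0.x syntax; 6.4 and earlier use "diagnose vpn ike log-filter")
diagnose vpn ike log filter name B1
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
diagnose vpn ike gateway flush name B1
diagnose vpn ike gateway list name B1
diagnose debug disable
diagnose debug reset
```

Flushing the gateway forces a fresh IKE_SA_INIT/IKE_AUTH exchange so the debug shows the identity the FortiGate now sends; the gateway list should report the IKE SA as established once the peer accepts the address identity.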
Copyright 2024 Fortinet, Inc. All Rights Reserved.