This article describes how to solve the 'AUTHENTICATION_FAILED' error during IPSec tunnel negotiation between a FortiGate and a Cisco firewall.
In this example:
- 10.1.1.1 is an IP on FortiGate.
- 10.2.2.2 is an IP on Cisco ASA.
Site to Site IPSec VPN between FortiGate on AWS and Cisco using IKEv2 is not coming up. Debug on the FortiGate is showing 'AUTHENTICATION_FAILED'.
Below is the debug output on the FortiGate:
2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001
In the debug on the Cisco, the peer's identity type can be seen as FQDN. Below is the debug output on the Cisco firewall:
Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
Scope: FortiGate AWS, 7.0.6.
This issue could occur when the local-id-type is set to auto.
To resolve this issue, set the local-id-type to address, or to whatever identity type the remote peer is expecting from the FortiGate:
# config vpn ipsec phase1-interface
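The full change, as an added example rather than the article's own CLI: the tunnel name "B1" is taken from the ike debug line above, the "before" block assumes the tunnel currently has localid-type auto, and the diagnose syntax follows FortiOS 7.0.

```fortios
# Before (problem): with localid-type auto the FortiGate sends an FQDN
# identity in IKE_AUTH, which the Cisco peer rejects (AUTHENTICATION_FAILED).
config vpn ipsec phase1-interface
    edit "B1"
        set localid-type auto
    next
end

# After (fix): send the local IP address (10.1.1.1) as the IKEv2 identity.
# Only localid-type changes; all other phase1 settings stay as they are.
config vpn ipsec phase1-interface
    edit "B1"
        set localid-type address
    next
end

# Verify: capture IKE debug for this tunnel only and confirm IKE_AUTH
# now completes, then check that the tunnel is up.
diagnose vpn ike log filter name B1
diagnose debug application ike -1
diagnose debug enable
get vpn ipsec tunnel summary
diagnose debug disable
diagnose debug reset
```

If the Cisco side is configured to match the peer by a name rather than an address, set localid-type to fqdn (with a matching localid) instead of address.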