Description |
This article describes how to resolve the 'AUTHENTICATION_FAILED' error seen during IPsec tunnel negotiation between a FortiGate and a Cisco device.
In this example:
A site-to-site IPsec VPN between a FortiGate on AWS and a Cisco device, using IKEv2, does not come up. The IKE debug on the FortiGate shows 'AUTHENTICATION_FAILED'.
Below is the debug output on the FortiGate:
2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 len=80 FA166E5F335244FA4A3B5F076AD120E2A3C5A16F324AA27C6A6A7BF52D604777FE2
In the debug on the Cisco, the peer's identity type is shown as FQDN. Below is the debug output on the Cisco firewall:
Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
This issue could occur when the local-id-type is set to auto. |
Scope | IPSec tunnel on FortiGate. |
Solution |
To resolve this issue when configuring IPsec tunnels with third-party vendor devices, set the local-id-type to address (or to whatever ID type the remote peer expects from the FortiGate):
config vpn ipsec phase1-interface
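The following is an added example, not configuration from the original article. It shows the phase1-interface with the identity type left at its default beside the corrected form, using the FortiGate address 10.1.1.1 and Cisco address 10.2.2.2 from the debug output above. The tunnel name "to-cisco", the interface "port1" and the PSK placeholder are constructed; the keywords assume the FortiOS CLI spelling localid / localid-type, and the Cisco IKEv2 profile is an assumed counterpart showing what the peer matches against.

```text
# Added example (not from the original article). Tunnel name, interface
# and PSK placeholder are constructed; keywords assume the FortiOS CLI
# spelling localid / localid-type.

# --- Before: identity type left at its default ---------------------------
# With localid-type auto the FortiGate may send its identity as an FQDN,
# while the Cisco peer matches on an address -> AUTHENTICATION_FAILED.
config vpn ipsec phase1-interface
    edit "to-cisco"
        set interface "port1"
        set ike-version 2
        set remote-gw 10.2.2.2
        set localid "10.1.1.1"
        set localid-type auto
        set psksecret <PSK_PLACEHOLDER>
    next
end

# --- After: identity type pinned to what the peer expects ----------------
config vpn ipsec phase1-interface
    edit "to-cisco"
        set localid "10.1.1.1"
        set localid-type address
    next
end

# Peer side (Cisco IOS IKEv2 profile, assumed counterpart): the identity
# the FortiGate sends in the AUTH exchange must match this selector.
crypto ikev2 profile TO-FORTIGATE
 match identity remote address 10.1.1.1 255.255.255.255
 identity local address 10.2.2.2
```

After the change, re-run the IKE debug on the FortiGate: the AUTH exchange should complete without the 'AUTHENTICATION_FAILED' notification, and the Cisco debug should show the received identity type as an address rather than FQDN.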
The default behavior of the FortiGate concerning local ID and local ID type (as of FortiOS 7.4.5/7.6.0) is as follows:
Hence, whenever an IP address is configured as the local ID, make sure the local ID type is also set to address (this is important when configuring IPsec tunnels with third-party vendor devices).
Note: This also applies to other third-party vendors, as well as UniFi and WatchGuard, when using an IKEv2 IPsec tunnel with a FortiGate. |