Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hbac
Staff
Staff

Created on ‎09-26-2022 01:09 PM Edited on ‎12-25-2022 08:56 AM By Community Manager

Article Id 224888

Troubleshooting Tip: FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with Cisco

Description

This article describes how to solve the 'AUTHENTICATION_FAILED' error while IPSec tunnel negotiation between FortiGate and Cisco.

 

In this example:

- 10.1.1.1 is an IP on FortiGate.

- 10.2.2.2 is an IP on Cisco ASA.

 

Site to Site IPSec VPN between FortiGate on AWS and Cisco using IKEv2 is not coming up. Debug on the FortiGate is showing 'AUTHENTICATION_FAILED'.

Below is the debug output on the FortiGate:  

 

2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001
2022-09-16 14:08:04.747045 ike 0: comes 10.2.2.2:500->10.1.1.1:500,ifindex=3,vrf=0....
2022-09-16 14:08:04.747059 ike 0: IKEv2 exchange=AUTH_RESPONSE id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 len=80
2022-09-16 14:08:04.747072 ike 0: in 93CF8DED66F1BB7CE34F9641E22C3CE32E20232000000001000000502900003436FE4BDB3A3D8A55A6F939B558473FA166E5F335244FA4A3B5F076AD120E2A3C5A
16F324AA27C6A6A7BF52D604777FE2
2022-09-16 14:08:04.747083 ike 0:B1:49836: dec 93CF8DED66F1BB7CE34F9641E22C3CE32E2023200000000100000028290000040000000800000018
2022-09-16 14:08:04.747095 ike 0:B1:49836: initiator received AUTH msg
2022-09-16 14:08:04.747101 ike 0:B1:49836: received notify type AUTHENTICATION_FAILED

 

Debug on the Cisco, the peer’s identity type can be seen as FQDN. Below is the debug output on the Cisco firewall:

 

Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
Initiator SPI : B00BFE07C3FF2CE0 - Responder SPI : A021B9EFEC57B189 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) AUTH NOTIFY(Unknown - 16420) SA TSi TSr

Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Stopping timer to wait for auth message
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Checking NAT discovery
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):NAT not found
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Searching policy based on peer's identity ’10.1.1.1’ of type 'FQDN'
Sep 16 00:19:48.296 UTC: IKEv2-ERROR:(SESSION ID = 54588636,SA ID = 50):: Failed to locate an item in the database
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Verification of peer's authentication data FAILED
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Sending authentication failure notify
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Building packet for encryption.

 

This issue could occur when the local-id-type is set to auto:
Scope FortiGate AWS, 7.0.6
Solution

To resolve this issue, set the local-id-type to address or whatever the remote peer is expecting from FortiGate:

 

# config vpn ipsec phase1-interface
     edit 1
       set localid-type address
       set localid 10.1.1.1
  end
Labels:
8215
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.