FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hbac
Staff
Staff
Description

This article describes how to solve the 'AUTHENTICATION_FAILED' error while IPSec tunnel negotiation between FortiGate and Cisco.

 

In this example:

- 10.1.1.1 is an IP on FortiGate.

- 10.2.2.2 is an IP on Cisco ASA.

 

Site to Site IPSec VPN between FortiGate on AWS and Cisco using IKEv2 is not coming up. Debug on the FortiGate is showing 'AUTHENTICATION_FAILED'.

Below is the debug output on the FortiGate:  

 

2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001
2022-09-16 14:08:04.747045 ike 0: comes 10.2.2.2:500->10.1.1.1:500,ifindex=3,vrf=0....
2022-09-16 14:08:04.747059 ike 0: IKEv2 exchange=AUTH_RESPONSE id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 len=80
2022-09-16 14:08:04.747072 ike 0: in 93CF8DED66F1BB7CE34F9641E22C3CE32E20232000000001000000502900003436FE4BDB3A3D8A55A6F939B558473FA166E5F335244FA4A3B5F076AD120E2A3C5A
16F324AA27C6A6A7BF52D604777FE2
2022-09-16 14:08:04.747083 ike 0:B1:49836: dec 93CF8DED66F1BB7CE34F9641E22C3CE32E2023200000000100000028290000040000000800000018
2022-09-16 14:08:04.747095 ike 0:B1:49836: initiator received AUTH msg
2022-09-16 14:08:04.747101 ike 0:B1:49836: received notify type AUTHENTICATION_FAILED

 

Debug on the Cisco, the peer’s identity type can be seen as FQDN. Below is the debug output on the Cisco firewall:

 

Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
Initiator SPI : B00BFE07C3FF2CE0 - Responder SPI : A021B9EFEC57B189 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) AUTH NOTIFY(Unknown - 16420) SA TSi TSr

Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Stopping timer to wait for auth message
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Checking NAT discovery
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):NAT not found
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Searching policy based on peer's identity ’10.1.1.1’ of type 'FQDN'
Sep 16 00:19:48.296 UTC: IKEv2-ERROR:(SESSION ID = 54588636,SA ID = 50):: Failed to locate an item in the database
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Verification of peer's authentication data FAILED
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Sending authentication failure notify
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Building packet for encryption.

 

This issue could occur when the local-id-type is set to auto:

Scope FortiGate AWS, 7.0.6
Solution

To resolve this issue, set the local-id-type to address or whatever the remote peer is expecting from FortiGate:

 

# config vpn ipsec phase1-interface
     edit 1
       set localid-type address
       set localid 10.1.1.1
  end

Contributors