Created on 09-26-2022 01:09 PM Edited on 05-31-2024 07:19 AM By Jean-Philippe_P
Description
This article describes how to solve the 'AUTHENTICATION_FAILED' error during IPSec tunnel negotiation between a FortiGate and a Cisco device.
In this example:
Site-to-Site IPSec VPN between FortiGate on AWS and Cisco using IKEv2 is not coming up. Debug on the FortiGate is showing 'AUTHENTICATION_FAILED'. Below is the debug output on the FortiGate:
2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 len=80 FA166E5F335244FA4A3B5F076AD120E2A3C5A16F324AA27C6A6A7BF52D604777FE2
In the debug on the Cisco, the peer's identity type can be seen as FQDN. Below is the debug output on the Cisco firewall:
Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
This issue could occur when the local ID type (localid-type) is set to auto.
Scope
FortiGate AWS, 7.0.6.
Solution
To resolve this issue, set localid-type to address, or to whatever identity type the remote peer expects from the FortiGate (the tunnel name below is a placeholder):
config vpn ipsec phase1-interface
    edit <phase1-name>
        set localid-type address
    next
end
Note: This also applies to other third-party vendors, such as UniFi, when using an IKEv2 IPSec tunnel with a FortiGate.
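The mismatch behind the error can be seen in the IKEv2 Identification payload itself. The following is an added example, not code from the article or from Fortinet or Cisco: it builds and parses the IDi payload per RFC 7296 section 3.5 and runs the peer-side check that a responder performs against its configured remote identity. The local_identity() helper is an assumed model of the FortiGate localid-type setting, based only on the article's observation that auto produced an FQDN identity while address sends the tunnel's IPv4 address; the hostname and addresses are constructed sample values.

```python
"""IKEv2 Identification payload (RFC 7296 section 3.5) and a responder-side
identity check, showing why an FQDN-type IDi fails a peer expecting an IPv4 address."""
import ipaddress
import struct

# ID types from RFC 7296 section 3.5.
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR, ID_DER_ASN1_DN, ID_KEY_ID = 1, 2, 3, 5, 9, 11
NEXT_PAYLOAD_AUTH = 39  # payload type of the Authentication payload that follows IDi in IKE_AUTH


def build_id_payload(id_type: int, data: bytes, next_payload: int = NEXT_PAYLOAD_AUTH) -> bytes:
    """Generic payload header (next payload, critical/reserved, length) + ID type + 3 reserved + data."""
    body = struct.pack("!B3x", id_type) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(raw: bytes) -> tuple:
    """Return (id_type, identification data rendered as text); reject malformed lengths."""
    _next, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 8:
        raise ValueError("bad Identification payload length")
    id_type, data = raw[4], raw[8:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return id_type, str(ipaddress.IPv4Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return id_type, data.decode("ascii")
    return id_type, data.hex()  # other types compared as opaque bytes


def local_identity(localid_type: str, local_addr: str, hostname: str) -> bytes:
    """Assumed model of the initiator's localid-type choice (not FortiOS code):
    'address' sends the tunnel's IPv4 address as ID_IPV4_ADDR; 'auto' is modelled
    as sending the device hostname as ID_FQDN, matching what the article's Cisco debug saw."""
    if localid_type == "address":
        return build_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(local_addr).packed)
    return build_id_payload(ID_FQDN, hostname.encode("ascii"))


def peer_accepts(raw_idi: bytes, expected_type: int, expected_value: str) -> bool:
    """Responder check: both the identity type and its value must match the configured
    remote identity, otherwise IKE_AUTH ends with AUTHENTICATION_FAILED."""
    id_type, value = parse_id_payload(raw_idi)
    return id_type == expected_type and value == expected_value


if __name__ == "__main__":
    # Constructed sample: FortiGate at 10.1.1.1, peer configured to expect that address.
    for mode in ("auto", "address"):
        ok = peer_accepts(local_identity(mode, "10.1.1.1", "fgt-aws.example"), ID_IPV4_ADDR, "10.1.1.1")
        print(f"localid-type {mode}: {'accepted' if ok else 'AUTHENTICATION_FAILED'}")
```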