Created on 09-04-2024 10:11 PM
Edited on 11-25-2024 12:26 AM
By Jean-Philippe_P
Description
This article describes how to fix 'AUTHENTICATION_FAILED' messages in the IKE debug logs that appear even though the encryption domains match on both peers.
Scope
FortiGate.
Solution
Background.
Run the IKE debug commands:
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 <Public IP of remote peer>
diagnose debug application ike -1
diagnose debug enable
Note:
Starting from FortiOS 7.4.1, the log filter command has changed to 'diagnose vpn ike log filter rem-addr4'.
The output shows 'AUTHENTICATION_FAILED' even though the encryption domain matches on both peers:
2024-08-27 14:54:33.965901 ike 0:VPN-to-OCI-2:263: sent IKE msg (AUTH): 10.10.12.210:4500->129.153.xx.xx:4500, len=264, vrf=0, id=c4e302d93cc54677/dd30e18bcbfc8116:00000001
2024-08-27 14:54:34.046187 ike 0: comes 129.153.xx.xx:4500->10.10.12.210:4500,ifindex=7,vrf=0....
2024-08-27 14:54:34.046210 ike 0: IKEv2 exchange=AUTH_RESPONSE id=c4e302d93cc54677/dd30e18bcbfc8116:00000001 len=88
2024-08-27 14:54:34.046220 ike 0: in C4E302D93CC54677DD30E18BCBFC81162E20232000000001000000582900003C3DBA505C53EE217EEE2D9C48250F23A3AAB08949C701C11AB2619B4546AF4FE7A2370508CBEC45B584E5BEDD2CA68DE7A26ED7AFBB9021E4
2024-08-27 14:54:34.046250 ike 0:VPN-to-OCI-2:263: dec C4E302D93CC54677DD30E18BCBFC81162E2023200000000100000028290000040000000800000018
2024-08-27 14:54:34.046260 ike 0:VPN-to-OCI-2:263: initiator received AUTH msg
2024-08-27 14:54:34.046267 ike 0:VPN-to-OCI-2:263: received notify type AUTHENTICATION_FAILED
2024-08-27 14:54:34.046275 ike 0:VPN-to-OCI-2:263: schedule delete of IKE SA c4e302d93cc54677/dd30e18bcbfc8116
2024-08-27 14:54:34.046283 ike 0:VPN-to-OCI-2:263: scheduled delete of IKE SA c4e302d93cc54677/dd30e18bcbfc8116
2024-08-27 14:54:34.046336 ike 0:VPN-to-OCI-2: connection expiring due to phase1 down
2024-08-27 14:54:34.046345 ike 0:VPN-to-OCI-2: deleting
2024-08-27 14:54:34.046356 ike 0:VPN-to-OCI-2: deleted
- On the OCI side, in the CPE configuration, it is recommended to set the CPE IKE Identifier type to 'IP Address' with the FortiGate WAN IP as the value.
- On the FortiGate, in the Phase1 configuration, set localid to the FortiGate WAN IP and localid-type to 'address':
config vpn ipsec phase1-interface
    edit "VPN-to-OCI-2"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha384
        set localid "181.79.xx.xx" <----- WAN IP of FortiGate.
        set localid-type address
        set dhgrp 14
        set remote-gw 129.153.xx.xx
        set psksecret ENC
    next
end
- As a result, the IPSec VPN Tunnel is up and running.
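As an added example (not part of the article or of FortiOS), the following Python script automates the two checks above: it scans IKE debug output for the 'received notify type AUTHENTICATION_FAILED' line to identify the affected tunnel, then parses a 'config vpn ipsec phase1-interface' block and reports whether that tunnel's localid and localid-type carry the identity OCI expects (the FortiGate WAN IP, type address). The debug lines and config blocks are constructed samples shaped like the article's output; the masked addresses are copied from the article and are not real peers.

```python
import re

# Constructed sample of FortiGate IKEv2 debug lines (addresses masked as in the article).
IKE_DEBUG = """\
2024-08-27 14:54:33.965901 ike 0:VPN-to-OCI-2:263: sent IKE msg (AUTH): 10.10.12.210:4500->129.153.xx.xx:4500, len=264, vrf=0, id=c4e302d93cc54677/dd30e18bcbfc8116:00000001
2024-08-27 14:54:34.046260 ike 0:VPN-to-OCI-2:263: initiator received AUTH msg
2024-08-27 14:54:34.046267 ike 0:VPN-to-OCI-2:263: received notify type AUTHENTICATION_FAILED
2024-08-27 14:54:34.046336 ike 0:VPN-to-OCI-2: connection expiring due to phase1 down
"""

# Constructed phase1-interface block as it might look before the fix (no localid set).
PHASE1_BEFORE = """\
config vpn ipsec phase1-interface
    edit "VPN-to-OCI-2"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha384
        set dhgrp 14
        set remote-gw 129.153.xx.xx
        set psksecret ENC
    next
end
"""
# The same block with the article's fix applied (localid = WAN IP, localid-type = address).
PHASE1_AFTER = PHASE1_BEFORE.replace(
    "        set dhgrp 14",
    '        set localid "181.79.xx.xx"\n        set localid-type address\n        set dhgrp 14')

NOTIFY_RE = re.compile(r"^\S+ \S+ ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): "
                       r"received notify type (?P<notify>[A-Z_]+)$")

def find_auth_failures(debug_text):
    """Return (tunnel name, negotiation serial) for each AUTHENTICATION_FAILED notify."""
    return [(m.group("tunnel"), int(m.group("serial")))
            for m in map(NOTIFY_RE.match, debug_text.splitlines())
            if m and m.group("notify") == "AUTHENTICATION_FAILED"]

def check_localid(phase1_config, tunnel, wan_ip):
    """List mismatches between the tunnel's localid settings and the WAN IP identity OCI expects."""
    block = re.search(r'edit "%s"(.*?)\n\s*next' % re.escape(tunnel), phase1_config, re.S)
    if not block:
        return ["tunnel %r not found in phase1-interface config" % tunnel]
    # Map each 'set <key> <value>' line to key/value, stripping optional quotes around the value.
    settings = dict(re.findall(r'set (\S+) "?([^"\n]*?)"?$', block.group(1), re.M))
    problems = []
    if settings.get("localid-type") != "address":
        problems.append("localid-type is %r, expected 'address'" % settings.get("localid-type"))
    if settings.get("localid") != wan_ip:
        problems.append("localid is %r, expected WAN IP %r" % (settings.get("localid"), wan_ip))
    return problems  # empty list: the local identity matches what the OCI CPE expects
```

Running find_auth_failures(IKE_DEBUG) yields the tunnel VPN-to-OCI-2 with negotiation serial 263, and check_localid reports two missing settings for PHASE1_BEFORE and none for PHASE1_AFTER.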