This article describes how to fix 'AUTHENTICATION_FAILED' notifications in the IKE debug logs of an IKEv2 tunnel (here a tunnel named VPN-to-OCI-2) even though the encryption domains (the phase 2 selectors) match on both peers.
Scope: FortiGate.
Background
Enable the IKE debug on the FortiGate, filtered on the remote peer:
diagnose debug reset
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 <Public IP of remote peer>
diagnose debug application ike -1
diagnose debug enable
(On FortiOS 7.4 and later the filter command is 'diagnose vpn ike log filter rem-addr4 <Public IP of remote peer>'. Run 'diagnose debug disable' and 'diagnose debug reset' once the capture is complete.)
With the tunnel brought up, the debug shows the FortiGate, whose local address 10.10.12.210 is a private address (it sits behind NAT and uses NAT-T on UDP 4500), sending its IKE_AUTH request. The peer answers with an IKE_AUTH response that carries nothing but a Notify payload of type AUTHENTICATION_FAILED (type 24, the trailing 0018 of the 'dec' line), and the IKE SA is deleted. Phase 2 is never reached, so a mismatch in the encryption domains cannot be the cause:
2024-08-27 14:54:33.965901 ike 0:VPN-to-OCI-2:263: sent IKE msg (AUTH): 10.10.12.210:4500->129.153.xx.xx:4500, len=264, vrf=0, id=c4e302d93cc54677/dd30e18bcbfc8116:00000001
2024-08-27 14:54:34.046187 ike 0: comes 129.153.xx.xx:4500->10.10.12.210:4500,ifindex=7,vrf=0....
2024-08-27 14:54:34.046210 ike 0: IKEv2 exchange=AUTH_RESPONSE id=c4e302d93cc54677/dd30e18bcbfc8116:00000001 len=88
2024-08-27 14:54:34.046220 ike 0: in C4E302D93CC54677DD30E18BCBFC81162E20232000000001000000582900003C3DBA505C53EE217EEE2D9C48250F23A3AAB08949C701C11AB2619B4546AF4FE7A2370508CBEC45B584E5BEDD2CA68DE7A26ED7AFBB9021E4
2024-08-27 14:54:34.046250 ike 0:VPN-to-OCI-2:263: dec C4E302D93CC54677DD30E18BCBFC81162E2023200000000100000028290000040000000800000018
2024-08-27 14:54:34.046260 ike 0:VPN-to-OCI-2:263: initiator received AUTH msg
2024-08-27 14:54:34.046267 ike 0:VPN-to-OCI-2:263: received notify type AUTHENTICATION_FAILED
2024-08-27 14:54:34.046275 ike 0:VPN-to-OCI-2:263: schedule delete of IKE SA c4e302d93cc54677/dd30e18bcbfc8116
2024-08-27 14:54:34.046283 ike 0:VPN-to-OCI-2:263: scheduled delete of IKE SA c4e302d93cc54677/dd30e18bcbfc8116
2024-08-27 14:54:34.046336 ike 0:VPN-to-OCI-2: connection expiring due to phase1 down
2024-08-27 14:54:34.046345 ike 0:VPN-to-OCI-2: deleting
2024-08-27 14:54:34.046356 ike 0:VPN-to-OCI-2: deleted
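The two hex dumps on the 'in' and 'dec' lines can be decoded to confirm exactly what the peer sent back. The following Python script is an added example, not part of this article or of FortiOS: it parses the IKEv2 header and payload chain from those lines using the RFC 7296 field layout and type numbers, maps the notify type, and checks the 'sent' line for a private source address on UDP 4500, the condition under which the FortiGate's default IKE identifier (its interface address) differs from the address the peer sees. DEBUG_EXCERPT is a constructed subset of the debug output shown above; the function names are the script's own.

```python
"""Decode the IKEv2 packets that 'diagnose debug application ike -1' prints on its
'in' (ciphertext as received) and 'dec' (FortiGate's view after decryption) lines,
and check the excerpt for the symptoms behind an AUTHENTICATION_FAILED teardown.

Added example; not part of the original article or of FortiOS. DEBUG_EXCERPT is a
constructed subset of the debug output shown in the article."""
import ipaddress
import re
import struct

# IKEv2 constants from RFC 7296 (exchange types, payload types, selected notify types)
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ", 39: "AUTH",
                 40: "Nonce", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE", 39: "INVALID_SELECTORS"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20

DEBUG_EXCERPT = """\
2024-08-27 14:54:33.965901 ike 0:VPN-to-OCI-2:263: sent IKE msg (AUTH): 10.10.12.210:4500->129.153.xx.xx:4500, len=264, vrf=0, id=c4e302d93cc54677/dd30e18bcbfc8116:00000001
2024-08-27 14:54:34.046220 ike 0: in C4E302D93CC54677DD30E18BCBFC81162E20232000000001000000582900003C3DBA505C53EE217EEE2D9C48250F23A3AAB08949C701C11AB2619B4546AF4FE7A2370508CBEC45B584E5BEDD2CA68DE7A26ED7AFBB9021E4
2024-08-27 14:54:34.046250 ike 0:VPN-to-OCI-2:263: dec C4E302D93CC54677DD30E18BCBFC81162E2023200000000100000028290000040000000800000018
"""
HEX_LINE = re.compile(r" ike \S+?: (in|dec) ([0-9A-Fa-f]+)\s*$")
SENT_LINE = re.compile(r"sent IKE msg \((\w+)\): (\d+\.\d+\.\d+\.\d+):(\d+)->")


def parse_header(data):
    """Fixed 28-byte IKEv2 header: SPIi, SPIr, next payload, version, exchange, flags, message ID, length."""
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack("!QQBBBBII", data[:28])
    return {"spi_i": f"{spi_i:016x}", "spi_r": f"{spi_r:016x}", "next_payload": nxt,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
            "response": bool(flags & FLAG_RESPONSE), "from_initiator": bool(flags & FLAG_INITIATOR),
            "message_id": msg_id, "length": length}


def parse_payloads(data, first_type, decrypted):
    """Walk the payload chain; each payload starts with next-payload(1), critical bit(1), length(2)."""
    payloads, ptype, off = [], first_type, 28
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError(f"payload chain runs past the end of the message at offset {off}")
        nxt, crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOAD_TYPES.get(ptype, str(ptype)), "critical": bool(crit & 0x80), "length": plen}
        if ptype == 41 and len(body) >= 4:  # Notify: protocol ID, SPI size, notify type, SPI, data
            proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            entry.update(protocol_id=proto, spi=body[4:4 + spi_size].hex(), notify=NOTIFY_TYPES.get(ntype, str(ntype)))
        elif ptype == 46 and not decrypted:
            # On the wire SK is always the last payload; its next-payload field names the first payload
            # inside the ciphertext, which cannot be read without the SK_e/SK_a keys. On a 'dec' line
            # FortiGate keeps only the 4-byte SK header and prints the decrypted payloads after it.
            entry["encrypted_bytes"] = len(body)
            entry["inner_next_payload"] = PAYLOAD_TYPES.get(nxt, str(nxt))
            payloads.append(entry)
            break
        payloads.append(entry)
        ptype, off = nxt, off + plen
    return payloads


def decode(hex_msg, decrypted=False):
    """Decode one message from an 'in' (decrypted=False) or 'dec' (decrypted=True) debug line."""
    data = bytes.fromhex(hex_msg)
    hdr = parse_header(data)
    if hdr["length"] > len(data):
        raise ValueError(f"message truncated: header says {hdr['length']} bytes, have {len(data)}")
    hdr["payloads"] = parse_payloads(data[:hdr["length"]], hdr["next_payload"], decrypted)
    return hdr


def decode_excerpt(text):
    """Return [(kind, decoded message)] for every 'in'/'dec' hex line in the debug output."""
    return [(m.group(1), decode(m.group(2), decrypted=(m.group(1) == "dec")))
            for m in map(HEX_LINE.search, text.splitlines()) if m]


def auth_failed(msg):
    """True when the message is an IKE_AUTH response carrying Notify AUTHENTICATION_FAILED (type 24)."""
    return (msg["exchange"] == "IKE_AUTH" and msg["response"]
            and any(p.get("notify") == "AUTHENTICATION_FAILED" for p in msg["payloads"]))


def local_side_natted(text):
    """True when our IKE_AUTH left from an RFC 1918 address on UDP 4500: NAT-T is in use, so the
    FortiGate's default IKE ID (its interface address) is not the address the peer sees."""
    for line in text.splitlines():
        m = SENT_LINE.search(line)
        if m and m.group(1) == "AUTH":
            return ipaddress.ip_address(m.group(2)).is_private and m.group(3) == "4500"
    return False


def triage(text):
    """Summarise the excerpt: which messages carry the failure and whether NAT is a likely cause."""
    msgs = decode_excerpt(text)
    return {"messages": msgs, "auth_failed_in": [kind for kind, m in msgs if auth_failed(m)],
            "local_side_natted": local_side_natted(text)}


if __name__ == "__main__":
    result = triage(DEBUG_EXCERPT)
    for kind, m in result["messages"]:
        print(kind, m["exchange"], "response" if m["response"] else "request", m["payloads"])
    print("AUTHENTICATION_FAILED seen in:", result["auth_failed_in"])
    print("local side behind NAT:", result["local_side_natted"])
```

The 'dec' message decodes to an IKE_AUTH response (message ID 1, flags 0x20) whose only payload after the SK header is a Notify of type 24, AUTHENTICATION_FAILED, with no SA, TSi or TSr payloads: the peer rejected the identity or key before any selectors were compared. The 'in' line decodes only as far as the SK payload (56 bytes of ciphertext), because its content is not readable without the IKE SA keys.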
Solution
The IKE_AUTH rejection comes from the IKE identity, not from the selectors. By default a FortiGate sends the IP address of its outgoing interface as its IKEv2 identifier; behind NAT that is the private address (10.10.12.210 above), which is not the identifier the remote peer is configured to accept. Judging by the tunnel name and the 129.153.x.x address, the peer here is Oracle Cloud Infrastructure, which by default checks the identifier the CPE sends against the CPE's public IP address. Set the local ID explicitly to the public (post-NAT) WAN address of the FortiGate, with the ID type 'address', in the phase1-interface:
config vpn ipsec phase1-interface
    edit "VPN-to-OCI-2"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal aes256-sha384
        set localid "181.79.xx.xx" <----- Public WAN IP of the FortiGate, as seen by the peer.
        set localid-type address
        set dhgrp 14
        set remote-gw 129.153.xx.xx
        set psksecret ENC
    next
end
The value must match the identifier configured for this FortiGate on the remote side (for an OCI peer, the 'CPE IKE identifier' of the CPE object). Once both sides agree on the identity, IKE_AUTH completes and phase 2 is negotiated with the existing selectors; re-run the IKE debug above to confirm that the AUTHENTICATION_FAILED notify no longer appears.
Copyright 2024 Fortinet, Inc. All Rights Reserved.