ap
Staff
Article Id 395417
Description This article describes how to resolve the 'IKEv2: unexpected payload type 41' error seen in IKE debugs while troubleshooting a Dial-Up IPsec VPN with IKEv2.
Scope FortiGate, FortiClient macOS.
Solution

When troubleshooting a Dial-Up IPsec VPN with IKEv2, the following error is seen in the IKE debugs:

 

ike V=root:0:IPsec-Home-W:17: responder received EAP msg
ike V=root:0:IPsec-Home-W:17: unexpected payload type 41
ike V=root:0:IPsec-Home-W:17: schedule delete of IKE SA de9a206cc7d94ad0/957aa4c9698f726b
ike V=root:0:IPsec-Home-W:17: scheduled delete of IKE SA de9a206cc7d94ad0/957aa4c9698f726b
ike V=root:0:IPsec-Home-W: connection expiring due to phase1 down

 

The following IKE debugs can be run to troubleshoot Dial-Up IPsec VPN issues:

 

diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 x.x.x.x <----- Replace x.x.x.x with the public IP of the test user's PC.
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

To stop the debugs:

 

diagnose debug disable

diagnose debug reset 

 

Note:
Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

This issue was reported with FortiClient macOS 14. To resolve it, check the pre-shared key on both sides (FortiGate and FortiClient) and make sure that they are the same.
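
For triaging a saved copy of the debug output, the following added example (not part of the original article and not Fortinet code) scans IKE debug lines for a connection that logs 'unexpected payload type N' and then has its IKE SA scheduled for deletion, and names the payload using the IKEv2 payload type numbers from RFC 7296 (type 41 is Notify). The line layout is an assumption inferred from the debug lines quoted above, and the function name is hypothetical.

```python
import re

# IKEv2 payload type numbers as assigned in RFC 7296, section 3.2.
PAYLOAD_NAMES = {
    33: "Security Association", 34: "Key Exchange", 35: "Identification (initiator)",
    36: "Identification (responder)", 37: "Certificate", 38: "Certificate Request",
    39: "Authentication", 40: "Nonce", 41: "Notify", 42: "Delete", 43: "Vendor ID",
    44: "Traffic Selector (initiator)", 45: "Traffic Selector (responder)",
    46: "Encrypted and Authenticated", 47: "Configuration", 48: "EAP",
}

# Assumed per-connection layout: "ike V=<vdom>:<n>:<tunnel>:<conn id>: <message>"
LINE_RE = re.compile(r"ike V=[^:]+:\d+:(?P<tunnel>[^:]+):(?P<conn>\d+): (?P<msg>.*)")

# The debug lines quoted in the article above.
SAMPLE = """\
ike V=root:0:IPsec-Home-W:17: responder received EAP msg
ike V=root:0:IPsec-Home-W:17: unexpected payload type 41
ike V=root:0:IPsec-Home-W:17: schedule delete of IKE SA de9a206cc7d94ad0/957aa4c9698f726b
ike V=root:0:IPsec-Home-W:17: scheduled delete of IKE SA de9a206cc7d94ad0/957aa4c9698f726b
ike V=root:0:IPsec-Home-W: connection expiring due to phase1 down
"""

def find_payload_failures(log_text):
    """Report connections that logged an unexpected payload and then had their IKE SA deleted."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)  # search() tolerates a leading console timestamp
        if not m:
            continue
        key, msg = (m["tunnel"], m["conn"]), m["msg"].strip()
        st = state.setdefault(key, {"eap": False, "ptype": None})
        if msg == "responder received EAP msg":
            st["eap"] = True
        elif p := re.fullmatch(r"unexpected payload type (\d+)", msg):
            st["ptype"] = int(p.group(1))
        elif msg.startswith("schedule delete of IKE SA ") and st["ptype"] is not None:
            findings.append({
                "tunnel": key[0], "conn": key[1], "during_eap": st["eap"],
                "payload_type": st["ptype"],
                "payload_name": PAYLOAD_NAMES.get(st["ptype"], "unknown"),
                "ike_sa": msg.rsplit(" ", 1)[-1],
            })
            del state[key]
    return findings

if __name__ == "__main__":
    for finding in find_payload_failures(SAMPLE):
        print(finding)
```

A finding with payload type 41 during the EAP exchange matches the symptom in this article, so the pre-shared key on both sides is the first thing to compare.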