FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kcheng
Staff
Staff
Article Id 244740
Description This article describes how to troubleshoot IPSec error: 22: Invalid argument.
Scope FortiGate
Solution

1) IPSec Tunnel is configured between FG-A and FG-B with the following Phase2 selector setting:

 

FG-A:

[IPSec_local]

IPSec_local_subnet_1: 10.251.0.0/20

IPSec_local_subnet_2: 10.251.0.0/24

[IPSec_remote]

IPSec_remote_subnet_1: 10.120.0.0/20

 

FG-B:

[IPSec_local]

IPSec_local_subnet_1: 10.120.0.0/20

[IPSec_remote]

IPSec_remote_subnet_1: 10.251.0.0/20

IPSec_remote_subnet_2: 10.251.0.0/24

 

2) IPSec phase2 is not coming up with the respective configuration if the IPSec tunnel is brought up from FG-B.

Further, inspection is done by looking into IPSec debug log with the following command:

 

# diag vpn ike log-filter dst-addr4 <remote_IP>

# diag deb app ike -1

# diag deb en

 

3) From the debug log, it is possible to see that FG-A failed to add SA with error 22: Invalid argument:

 

kcheng_0-1675415361358.png

 

It was also observed from FG-A that SA_DONE operation failed with error 2: No such file or directory:

 

kcheng_1-1675415361360.png

 

4) The tunnel can be established should the FG-A become the initiator:

 

FG-A:

 

kcheng_2-1675415361363.png

 

FG-B:

 

kcheng_3-1675415361367.png

 

5) This happens due to the overlapping IP address subnet configured on FG-A.

Removing 10.251.0.0/24 from the address group on both FortiGate would prevent the IPSec tunnel issue regardless if FG-A or FG-B becomes the initiator.

Contributors