Description: This article describes how to troubleshoot the IPSec error "22: Invalid argument".
Scope: FortiGate
Solution:
1) An IPSec tunnel is configured between FG-A and FG-B with the following Phase2 selector settings:

FG-A:
  [IPSec_local]
    IPSec_local_subnet_1: 10.251.0.0/20
    IPSec_local_subnet_2: 10.251.0.0/24
  [IPSec_remote]
    IPSec_remote_subnet_1: 10.120.0.0/20

FG-B:
  [IPSec_local]
    IPSec_local_subnet_1: 10.120.0.0/20
  [IPSec_remote]
    IPSec_remote_subnet_1: 10.251.0.0/20
    IPSec_remote_subnet_2: 10.251.0.0/24
2) With this configuration, IPSec phase2 does not come up when the tunnel is initiated from FG-B. Further inspection is done with the IKE debug log, enabled with the following commands:

# diag vpn ike log-filter dst-addr4 <remote_IP>
# diag deb app ike -1
# diag deb en
3) From the debug log, it can be seen that FG-A failed to add the SA with error 22: Invalid argument:
It was also observed on FG-A that the SA_DONE operation failed with error 2: No such file or directory:
4) The tunnel can be established if FG-A is the initiator:
FG-A:
FG-B:
5) This happens because of the overlapping IP subnets configured as Phase2 selectors on FG-A: 10.251.0.0/24 is already contained in 10.251.0.0/20, so the second selector is redundant and overlaps the first. Removing 10.251.0.0/24 from the address group on both FortiGates prevents the IPSec tunnel issue regardless of whether FG-A or FG-B is the initiator.
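The following script is an added example and is not part of the Fortinet article or FortiOS; it shows how to catch this misconfiguration before a tunnel is brought up. Using the selector prefixes from the article as constructed sample data, it flags overlapping selectors within one peer's local or remote address group, checks that the two peers' selector sets mirror each other (FG-A local equals FG-B remote and vice versa), and computes the cleaned-up selector list by dropping any prefix that is fully covered by a larger prefix in the same group, which is the fix the article recommends. The function and variable names are the example's own.

```python
import ipaddress

# Constructed sample data: the Phase2 selectors described in the article.
FG_A_LOCAL = ["10.251.0.0/20", "10.251.0.0/24"]
FG_A_REMOTE = ["10.120.0.0/20"]
FG_B_LOCAL = ["10.120.0.0/20"]
FG_B_REMOTE = ["10.251.0.0/20", "10.251.0.0/24"]


def find_overlaps(prefixes):
    """Return every pair of prefixes in the list that overlap.

    strict=True rejects host bits set in the prefix (e.g. 10.251.0.1/24),
    which would itself be a configuration error worth surfacing.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    overlaps = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                overlaps.append((str(nets[i]), str(nets[j])))
    return overlaps


def collapse_covered(prefixes):
    """Drop any prefix that is a proper subnet of another prefix in the list.

    This mirrors the article's fix (remove 10.251.0.0/24 because
    10.251.0.0/20 already covers it) without merging adjacent networks,
    so the remaining selectors are exactly the ones the operator configured.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    kept = []
    for net in nets:
        covered = any(other != net and net.subnet_of(other) for other in nets)
        if not covered:
            kept.append(str(net))
    return kept


def selectors_mirror(a_local, a_remote, b_local, b_remote):
    """True when each peer's local selectors equal the other peer's remote selectors."""
    norm = lambda lst: {ipaddress.ip_network(p, strict=True) for p in lst}
    return norm(a_local) == norm(b_remote) and norm(a_remote) == norm(b_local)


def audit_peer(name, local, remote):
    """Return a list of human-readable findings for one peer's selector groups."""
    findings = []
    for group, prefixes in (("local", local), ("remote", remote)):
        for left, right in find_overlaps(prefixes):
            findings.append(
                f"{name}: {group} selectors {left} and {right} overlap; "
                f"suggested {group} list: {collapse_covered(prefixes)}"
            )
    return findings


def audit_pair(a_name, a_local, a_remote, b_name, b_local, b_remote):
    """Audit both peers and the symmetry between them."""
    findings = audit_peer(a_name, a_local, a_remote)
    findings += audit_peer(b_name, b_local, b_remote)
    if not selectors_mirror(a_local, a_remote, b_local, b_remote):
        findings.append(f"{a_name}/{b_name}: selector sets do not mirror each other")
    return findings


if __name__ == "__main__":
    for line in audit_pair("FG-A", FG_A_LOCAL, FG_A_REMOTE,
                           "FG-B", FG_B_LOCAL, FG_B_REMOTE):
        print(line)
```

Running it on the article's configuration reports the overlap on both peers (FG-A local and FG-B remote) and proposes `['10.251.0.0/20']` as the cleaned-up list; the mirror check passes because the two peers were configured consistently, which is why the failure only shows up as a selector problem rather than a mismatch.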
Copyright 2024 Fortinet, Inc. All Rights Reserved.