FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alwis
Staff
Staff
Article Id 209842
Description This article explains about IPSec site-to-site VPN between FortiGate and Sonicwall fails with error message 'ignoring unencrypted INVALID-COOKIE'.
Scope

 FortiGate, IPSec

Solution

Topology

<< Fortigate(Private IP on WAN interface) -> NAT Router(Azure) ->IPsec -> Sonicwall >>

 

IPsec VPN failed to be established when Sonicwall pointed to dynamic IP [i.e FortiDDNS]. Debug output on FortiGate shows, after the second message is received by the initiator 'ignoring unencrypted INVALID-COOKIE'  and retransmit.

 

Note:

Sonic wall will not properly recognize the NAT'ed IP.

 

To address this issue, on the Sonicwall side, add the Peer ID [IPV4 Address] to be FortiGate's private IP which is facing the NAT Router.