FortiGate
kumarh
Staff
Article Id 304205
Description

This article describes how to troubleshoot the error 'received notify type AUTHENTICATION_FAILED' seen in the IKE debug output when an IPsec tunnel is down.

Scope

FortiGate.
Solution

When the FortiGate is deployed in the Cloud, the settings described below may need to be configured. First, run the IKE debugs and look for the error:

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log filter rem-addr4 [remote-peer]
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable


Note:

If firmware older than v7.4.1 is being used, such as v7.2, v7.0, or v6.X, use the 'diagnose vpn ike log-filter dst-addr4' command instead of 'diagnose vpn ike log filter rem-addr4'.

In v7.4.0, use 'diagnose vpn ike log filter dst-addr4'.


If authentication is failing, the error appears in the debug output as follows:


2024-03-12 18:07:06.761429 ike 0:Fortigate:370445: sent IKE msg (AUTH): 10.17.4.132:4500->103.9.225.1:4500, len=240, vrf=0, id=d877b92d9f8675a0/5929808be8170f37:00000001
2024-03-12 18:07:06.904098 ike 0: comes 103.9.225.1:4500->10.17.4.132:4500,ifindex=4,vrf=0....
2024-03-12 18:07:06.904935 ike 0: IKEv2 exchange=AUTH_RESPONSE id=d877b92d9f8675a0/5929808be8170f37:00000001 len=80
2024-03-12 18:07:06.905366 ike 0: in D877B92D9F8675A05929808BE8170F372E20232000000001000000502900003408DDB68445805F9546822E9AAED2872950F08084B196277203B901495E095CAC23EC5D0A42427DD07D30432AE82911C1
2024-03-12 18:07:06.905898 ike 0:MPHASIS-EON: HA state master(2)
2024-03-12 18:07:06.906319 ike 0:MPHASIS-EON:370445: dec D877B92D9F8675A05929808BE8170F372E2023200000000100000028290000040000000800000018
2024-03-12 18:07:06.906950 ike 0:MPHASIS-EON:370445: initiator received AUTH msg <- The Remote side was acting as a responder and the authentication message has been received.
2024-03-12 18:07:06.907296 ike 0:MPHASIS-EON:370445: received notify type AUTHENTICATION_FAILED


Make sure the pre-shared key matches on both sides. In IKE version 2, the error 'received notify type AUTHENTICATION_FAILED' can be caused by a pre-shared key mismatch between the two sites.
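As an added example that is not part of the original article, the Python script below decodes the decrypted IKE_AUTH response from the 'dec' line above using only the RFC 7296 header and payload layout (no FortiGate-specific code), and shows that its single Notify payload carries type 24, AUTHENTICATION_FAILED, before mapping it to the checks described here. The SPIs it extracts match the id shown in the log lines.

```python
import struct

# Decrypted IKE_AUTH response, copied from the "dec" line of the debug output above.
DEC_HEX = ("D877B92D9F8675A05929808BE8170F372E2023200000000100000028"
           "290000040000000800000018")

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 24: "AUTHENTICATION_FAILED"}
PAYLOAD_NOTIFY, PAYLOAD_SK = 41, 46
FLAG_RESPONSE = 0x20


def parse_ikev2(hex_msg):
    """Parse the 28-byte IKEv2 header (RFC 7296 s3.1) and walk the payload chain."""
    data = bytes.fromhex(hex_msg)
    spi_i, spi_r, next_pl, ver, exch, flags, msg_id, length = struct.unpack(
        ">8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("length field %d does not match %d bytes" % (length, len(data)))
    msg = {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xF),
           "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
           "response": bool(flags & FLAG_RESPONSE),
           "msg_id": msg_id, "notifies": []}
    off = 28
    while next_pl != 0 and off + 4 <= len(data):
        pl_type = next_pl
        next_pl, _crit, pl_len = struct.unpack(">BBH", data[off:off + 4])
        if pl_len < 4:  # a malformed length would otherwise loop forever
            raise ValueError("bad payload length at offset %d" % off)
        body = data[off + 4:off + pl_len]
        if pl_type == PAYLOAD_NOTIFY:
            _proto, _spi_size, ntype = struct.unpack(">BBH", body[:4])
            msg["notifies"].append(NOTIFY_TYPES.get(ntype, str(ntype)))
        # PAYLOAD_SK: FortiGate's "dec" dump keeps the 4-byte SK header and places the
        # plaintext payloads right after it, so the chain simply continues.
        off += pl_len
    return msg


def diagnose(msg):
    """Map the decoded message to the checks this article recommends."""
    if msg["exchange"] == "IKE_AUTH" and msg["response"] and \
            "AUTHENTICATION_FAILED" in msg["notifies"]:
        return "peer rejected our IKE_AUTH: verify the pre-shared key and the local ID / localid-type"
    return "no AUTHENTICATION_FAILED notify in this message"


if __name__ == "__main__":
    decoded = parse_ikev2(DEC_HEX)
    print(decoded, diagnose(decoded))
```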


In Cloud platforms, other vendors/remote peers sometimes expect the local ID to be the public IP of the FortiGate interface. In that case, configure the local ID and local ID type in the phase1-interface:


config vpn ipsec phase1-interface
    edit "tunnelname"
        set localid-type keyid
        set localid <WAN-PUBLIC-IP>
    next
end


For certain Meraki or Cisco firewalls, the IPsec VPN may not establish successfully until the 'localid' type is set to 'address'.

On Meraki, there are cases where the remote ID must be set to the FortiGate WAN IP and the local ID setting removed on the FortiGate.


config vpn ipsec phase1-interface
    edit "tunnelname"
        set localid-type address
        set localid <WAN-PUBLIC-IP>
    next
end


If the remote side is another vendor (Sophos in the example below), the same error is received, and the FortiGate is behind a NAT device, configure the remote ID on Sophos as shown below. The remote ID should be the private IP address of the FortiGate WAN interface.


(Screenshot: sophos.png, remote ID configuration on Sophos)


If the issue persists, a different localid-type can be configured on the FortiGate in case the remote peer expects a different local ID type. Below are all the localid-types that can be configured on the FortiGate:


  1. auto - Select ID type automatically.
  2. fqdn - Fully Qualified Domain Name.
  3. user-fqdn - User Fully Qualified Domain Name.
  4. keyid - Key-ID string.
  5. address - Local IP address.
  6. asn1dn - ASN.1 distinguished name.


If a tunnel is configured between Oracle and FortiGate and an AUTHENTICATION_FAILED message is observed, set the peer ID in Oracle to the IP address of the FortiGate interface used to build the tunnel.

For example, if the FortiGate is behind a NAT device and has a private IP address on its WAN interface, configure this private IP address as the CPE IKE identifier in Oracle.

(Screenshot: CPE IKE identifier configuration in Oracle)
