kumarh
Staff
Article Id 304205
Description

This article describes how to troubleshoot the error 'received notify type AUTHENTICATION_FAILED' seen in the IKE debug output when an IPsec tunnel is down.

Scope

FortiGate.
Solution

The settings below are usually required when the FortiGate is deployed in the Cloud. As a first step, run the IKE debugs and check for the error:


diagnose vpn ike log-filter dst-addr4 [remote-peer]
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

Note:

In v7.4.0, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log-filter rem-addr4', and starting from FortiOS v7.4.1, the 'diagnose vpn ike log-filter rem-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

When the problem is present, the debug output shows the error as follows:

 

2024-03-12 18:07:06.761429 ike 0:Fortigate:370445: sent IKE msg (AUTH): 10.17.4.132:4500->103.9.225.1:4500, len=240, vrf=0, id=d877b92d9f8675a0/5929808be8170f37:00000001
2024-03-12 18:07:06.904098 ike 0: comes 103.9.225.1:4500->10.17.4.132:4500,ifindex=4,vrf=0....
2024-03-12 18:07:06.904935 ike 0: IKEv2 exchange=AUTH_RESPONSE id=d877b92d9f8675a0/5929808be8170f37:00000001 len=80
2024-03-12 18:07:06.905366 ike 0: in D877B92D9F8675A05929808BE8170F372E20232000000001000000502900003408DDB68445805F9546822E9AAED2872950F08084B196277203B901495E095CAC23EC5D0A42427DD07D30432AE82911C1
2024-03-12 18:07:06.905898 ike 0:MPHASIS-EON: HA state master(2)
2024-03-12 18:07:06.906319 ike 0:MPHASIS-EON:370445: dec D877B92D9F8675A05929808BE8170F372E2023200000000100000028290000040000000800000018
2024-03-12 18:07:06.906950 ike 0:MPHASIS-EON:370445: initiator received AUTH msg   <- The remote side was acting as the responder and its authentication message has been received.
2024-03-12 18:07:06.907296 ike 0:MPHASIS-EON:370445: received notify type AUTHENTICATION_FAILED
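The 'dec' line above is the decrypted IKE_AUTH response as raw hex; the notify type is encoded in its last two bytes. The following added example (not Fortinet code) parses that line with the IKEv2 header and payload layout from RFC 7296, so the text 'AUTHENTICATION_FAILED' can be confirmed from the bytes themselves. It assumes, based on this output, that the FortiGate prints the decrypted Encrypted (SK) payload as a bare 4-byte header.

```python
import struct

# Constants from RFC 7296 (only the values needed to read this debug line).
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 39: "AUTH", 40: "Nonce",
                 41: "Notify", 42: "Delete", 44: "TSi", 45: "TSr", 46: "Encrypted"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 37: "TS_UNACCEPTABLE"}

# The decrypted IKE_AUTH response ('dec' line) copied from the debug output above.
# Assumption: the decrypted Encrypted payload is shown as a 4-byte header only (29 00 0004).
DEC_HEX = ("D877B92D9F8675A05929808BE8170F372E2023200000000100000028"
           "290000040000000800000018")


def decode_ike_message(hex_msg):
    """Parse the 28-byte IKEv2 header, then walk the payload chain."""
    data = bytes.fromhex(hex_msg)
    spi_i, spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(">8s8sBBBBII", data[:28])
    msg = {
        "spi_i": spi_i.hex(), "spi_r": spi_r.hex(),
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCHANGE_TYPES.get(exch, str(exch)),
        "response": bool(flags & 0x20),          # R bit set: this is the peer's reply
        "message_id": msg_id, "length": length, "payloads": [],
    }
    off = 28
    while nxt != 0 and off + 4 <= len(data):
        # Generic payload header: next payload type, critical/reserved, total length
        p_next, _crit, p_len = struct.unpack(">BBH", data[off:off + 4])
        if p_len < 4:
            break                                # malformed length; stop instead of looping
        body = data[off + 4:off + p_len]
        payload = {"type": PAYLOAD_TYPES.get(nxt, str(nxt)), "length": p_len}
        if nxt == 41 and len(body) >= 4:
            # Notify payload body: protocol ID, SPI size, notify message type
            _proto, _spi_size, ntype = struct.unpack(">BBH", body[:4])
            payload["notify_type"] = ntype
            payload["notify"] = NOTIFY_TYPES.get(ntype, str(ntype))
        msg["payloads"].append(payload)
        nxt, off = p_next, off + p_len
    return msg


if __name__ == "__main__":
    m = decode_ike_message(DEC_HEX)
    print(m["exchange"], "response" if m["response"] else "request", "msg id", m["message_id"])
    for p in m["payloads"]:
        print(" ", p)
```

Notify type 24 is AUTHENTICATION_FAILED; because the notify carries no SPI or data, the bytes alone cannot tell a PSK mismatch from a local ID mismatch, which is why the checks in the following sections are needed.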

 

Make sure the pre-shared key matches on both sides. In IKE version 2, the error 'received notify type AUTHENTICATION_FAILED' can be caused by a pre-shared key mismatch between the two sites.

In Cloud platforms, other vendors/remote peers sometimes expect the local ID to be the public IP of the FortiGate interface. In that case, configure the local ID and local ID type in the phase1-interface.

 

config vpn ipsec phase1-interface
    edit "tunnelname"
        set localid-type keyid
        set localid <WAN-PUBLIC-IP>
    next
end

 

For certain Meraki or Cisco firewalls, the IPsec VPN may not establish successfully until the 'localid' type is set to 'address'.

 

config vpn ipsec phase1-interface
    edit "tunnelname"
        set localid-type address
        set localid <WAN-PUBLIC-IP>
    next
end

 

If the remote side is another vendor, the same error is received, and the FortiGate is behind a NAT device, configure the remote ID on the remote peer (Sophos in the example below). The remote ID should be the private IP address of the FortiGate WAN interface.

 

[Screenshot: sophos.png - remote ID configuration on the Sophos peer]


If the issue persists, other localid-types can be configured on the FortiGate, since the remote peer may expect a different local ID type. All localid-types that can be configured on the FortiGate are listed below:

 

  1. auto - Select ID type automatically.
  2. fqdn - Fully Qualified Domain Name.
  3. user-fqdn - User Fully Qualified Domain Name.
  4. keyid - Key-ID string.
  5. address - Local IP address.
  6. asn1dn - ASN.1 distinguished name.

 

Related articles:

Technical Tip: IPsec tunnel is not coming up due to error message AUTHENTICATION_FAILED

Troubleshooting Tip: FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with C...