FortiGate
kumarh (Staff)
Article Id 304205
Description

This article describes how to troubleshoot the error 'received notify type AUTHENTICATION_FAILED' seen in the IKE debug when an IPsec tunnel is down.

Scope

FortiGate.
Solution

The settings below are typically required when the FortiGate is deployed in the Cloud. First, run the IKE debugs and confirm the error:

 

diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log filter rem-addr4 [remote-peer]
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

 

To disable the debugs, run the following commands:

 

diagnose debug disable

diagnose debug reset

 

Note

If firmware older than v7.4.1 is being used, such as v7.2, v7.0, or v6.X, use the 'diagnose vpn ike log-filter dst-addr4' command instead of 'diagnose vpn ike log filter rem-addr4'.

In v7.4.0, use 'diagnose vpn ike log filter dst-addr4' instead.

 

When the error occurs, it appears in the debug output as follows:

 

2024-03-12 18:07:06.761429 ike 0:Fortigate:370445: sent IKE msg (AUTH): 10.17.4.132:4500->103.9.225.1:4500, len=240, vrf=0, id=d877b92d9f8675a0/5929808be8170f37:00000001
2024-03-12 18:07:06.904098 ike 0: comes 103.9.225.1:4500->10.17.4.132:4500,ifindex=4,vrf=0....
2024-03-12 18:07:06.904935 ike 0: IKEv2 exchange=AUTH_RESPONSE id=d877b92d9f8675a0/5929808be8170f37:00000001 len=80
2024-03-12 18:07:06.905366 ike 0: in D877B92D9F8675A05929808BE8170F372E20232000000001000000502900003408DDB68445805F9546822E9AAED2872950F08084B196277203B901495E095CAC23EC5D0A42427DD07D30432AE82911C1
2024-03-12 18:07:06.905898 ike 0:MPHASIS-EON: HA state master(2)
2024-03-12 18:07:06.906319 ike 0:MPHASIS-EON:370445: dec D877B92D9F8675A05929808BE8170F372E2023200000000100000028290000040000000800000018
2024-03-12 18:07:06.906950 ike 0:MPHASIS-EON:370445: initiator received AUTH msg   <- The remote side was acting as the responder, and the authentication message has been received.
2024-03-12 18:07:06.907296 ike 0:MPHASIS-EON:370445: received notify type AUTHENTICATION_FAILED

 

Make sure the pre-shared key matches on both sides. In IKE version 2, the error 'received notify type AUTHENTICATION_FAILED' is commonly caused by a pre-shared key mismatch between the two sites.

 

On Cloud platforms, other vendors' remote peers sometimes expect the local ID to be the public IP of the FortiGate interface. In that case, configure the local ID and local ID type in the phase1-interface:

 

config vpn ipsec phase1-interface
    edit "tunnelname"
        set localid-type keyid
        set localid <WAN-PUBLIC-IP>
    next
end

 

For certain Meraki or Cisco firewalls, the IPsec VPN may not establish successfully until the 'localid-type' is set to 'address'.

On Meraki, there are cases where the remote ID must be set to the FortiGate WAN IP, and the local ID setting must be removed on the FortiGate.

 

config vpn ipsec phase1-interface
    edit "tunnelname"
        set localid-type address
        set localid <WAN-PUBLIC-IP>
    next
end

 

If the remote side is another vendor (Sophos, for example) receiving the same error, and the FortiGate is behind a NAT device, configure the remote ID on the Sophos as shown below. The remote ID should be the private IP address of the FortiGate WAN interface.

 

(Screenshot: sophos.png, remote ID configuration on Sophos)

 

If the issue persists, other localid-types can be configured on the FortiGate, since the remote peer may expect a different local ID type. Below are all localid-types that can be configured on the FortiGate:

 

  1. auto - Select ID type automatically.
  2. fqdn - Fully Qualified Domain Name.
  3. user-fqdn - User Fully Qualified Domain Name.
  4. keyid - Key-ID string.
  5. address - Local IP address.
  6. asn1dn - ASN.1 distinguished name.


If a tunnel is configured between Oracle and FortiGate and an AUTHENTICATION_FAILED message is observed, set the peer ID in Oracle to the IP address of the FortiGate interface used to build the tunnel on it.

For example, if the FortiGate is behind a NAT device and has a private IP address on its WAN interface, configure this private IP address as the CPE IKE identifier in Oracle.

(Screenshot: Instant Meeting 5_2_2025, 6_54_30 PM.png, CPE IKE identifier configuration in Oracle)

 

Related articles:

Technical Tip: IPsec tunnel is not coming up due to error message AUTHENTICATION_FAILED 

Troubleshooting Tip: FortiGate sends 'local id' in FQDN type when negotiating an IPSec tunnel with C... 

Troubleshooting Tip: 'AUTHENTICATION_FAILED' messages in a VPN tunnel with VPN native service in Ora... 

 

Note:

Ensure that the 'local id' configured on the FortiGate matches the 'remote id' configured on the remote site, especially when the device is behind NAT (a FortiGate in the Cloud, for example). In a non-working debug it is expected that the FortiGate uses its private IP for the IKE information exchange in a Cloud environment, as in the debug output below:

 

ike V=root:0: comes <remote IP>:4500->10.10.10.1:4500,ifindex=4,vrf=0,len=84....
ike V=root:0: IKEv2 exchange=AUTH_RESPONSE id=ea77523290e09d14/197863bc2b0307a0:00000001 len=80
ike 0: in EA77523290E09D14197863BC2B0307A02E2023200000000100000050290000343161A67C79FFCA0D7AE902B54354FF1450E6B27869045662A2590C42B9CEA7A88D7D27F4CF90D445D58FA6AC3D9BC498
ike 0:OFS:144316: dec EA77523290E09D14197863BC2B0307A02E2023200000000100000028290000040000000801000018
ike V=root:0:OFS:144316: initiator received AUTH msg
ike V=root:0:OFS:144316: received notify type AUTHENTICATION_FAILED
ike V=root:0: malformed responder cookie 02c0522ad55b1214/80397f169f189c03 from <Remote IP>:500->10.10.10.1 exchange-type Identity Protection, drop

 

The debug output above can be confusing, especially in a cloud environment, because public-facing ports normally carry a private IP. Ensure the local ID configuration matches the remote ID configured on the remote site; otherwise, the solution provided above might still not work as expected.