ihaidar
Staff
Article Id 412139
Description This article describes a case in which, when integrating an Aruba Gateway with FortiSASE On Ramp, the IPsec IKE negotiation failed at the authentication stage. Logs indicated a pre-shared key (PSK) mismatch, and the tunnel did not come up.
Scope FortiSASE, FortiGate.
Solution

The following log messages were observed on the FortiSASE side during tunnel negotiation:

2025-08-25 10:35:04.398939 ike V=root:0:SDWAN OnRamp 01:102875: responder received AUTH msg
2025-08-25 10:35:04.399009 ike V=root:0:SDWAN OnRamp 01:102875: processing notify type INITIAL_CONTACT
2025-08-25 10:35:04.399148 ike V=root:0:SDWAN OnRamp 01:102875: peer identifier IPV4_ADDR 192.168.252.3
2025-08-25 10:35:04.399228 ike V=root:0:SDWAN OnRamp 01:102875: re-validate gw ID
2025-08-25 10:35:04.399306 ike V=root:0:SDWAN OnRamp 01:102875: gw validation OK
2025-08-25 10:35:04.399374 ike V=root:0:SDWAN OnRamp 01:102875: received peer certreq '0000000000491E00000000000000000000000000'
2025-08-25 10:35:04.399515 ike V=root:0:SDWAN OnRamp 01:102875: auth verify done
2025-08-25 10:35:04.399627 ike V=root:0:SDWAN OnRamp 01:102875: responder AUTH continuation
2025-08-25 10:35:04.399695 ike V=root:0:SDWAN OnRamp 01:102875: authentication failed
2025-08-25 10:35:04.399762 ike V=root:0:SDWAN OnRamp 01:102875: PSK auth failed: probable pre-shared key mismatch

 

The pre-shared key was correct on both sides, yet authentication still failed. The Aruba device was also sending a certificate request even though the authentication method was configured as pre-shared key. In this case, the Aruba team modified specific transform fields to make them compatible. After the changes were applied, the IKE SA was successfully established and the tunnel came up.

Troubleshooting Checks:

  1. Verify that both sides are using the same PSK.

  2. Ensure IKE and IPsec proposals match FortiSASE requirements (encryption, integrity, DH group, lifetime).

  3. If the logs show 'PSK auth failed' despite a correct key, review the transform negotiation from the peer device.

  4. Adjust the Aruba Gateway’s IKE/IPsec transform fields accordingly.
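
The log pattern from this case (a certificate request from the peer followed by a PSK failure in the same negotiation) can be picked out of a saved IKE debug capture with a short script. This is an added example, not Fortinet tooling: the line layout is assumed from the log excerpt above, and the `triage` function, its field names and its hint text are hypothetical.

```python
import re
from collections import defaultdict

# Line layout copied from the debug output quoted above; other builds may
# format IKE debug lines differently (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) ike V=(?P<vdom>[^:]+):\d+:"
    r"(?P<tunnel>.+?):(?P<neg>\d+): (?P<msg>.*)$"
)

# First three lines are from the article; the "OnRamp 02" lines are constructed.
SAMPLE = """\
2025-08-25 10:35:04.399148 ike V=root:0:SDWAN OnRamp 01:102875: peer identifier IPV4_ADDR 192.168.252.3
2025-08-25 10:35:04.399374 ike V=root:0:SDWAN OnRamp 01:102875: received peer certreq '0000000000491E00000000000000000000000000'
2025-08-25 10:35:04.399762 ike V=root:0:SDWAN OnRamp 01:102875: PSK auth failed: probable pre-shared key mismatch
2025-08-25 10:36:10.000001 ike V=root:0:SDWAN OnRamp 02:102876: peer identifier IPV4_ADDR 192.0.2.10
2025-08-25 10:36:10.000002 ike V=root:0:SDWAN OnRamp 02:102876: PSK auth failed: probable pre-shared key mismatch
""".splitlines()

def triage(lines):
    """Group messages per (tunnel, numeric id) and classify PSK failures."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            sessions[(m["tunnel"], m["neg"])].append(m["msg"])
    findings = {}
    for key, msgs in sessions.items():
        if not any(s.startswith("PSK auth failed") for s in msgs):
            continue
        certreq = any(s.startswith("received peer certreq") for s in msgs)
        peer_id = next((s.split("peer identifier ", 1)[1] for s in msgs
                        if s.startswith("peer identifier ")), None)
        findings[key] = {
            "peer_id": peer_id,
            "peer_sent_certreq": certreq,
            # Hypothetical hint text mapping to the article's numbered checks.
            "start_with": "checks 3-4 (peer transforms)" if certreq
                          else "check 1 (PSK value)",
        }
    return findings

if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, info)
```

The certificate-request flag is only a prioritisation hint; all four checks above still apply to any failed negotiation.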