Support Forum
ChrisChivers
New Contributor

IPsec VPN Authentication Failed

Fortigate 60F


Setting up a new IPsec VPN. Phase 1 matches, but I am still getting an "AUTHENTICATION_FAILED" error.


Please. Any assistance would be great. 


Here is my debug:

ike 0:VPN1: schedule auto-negotiate

ike 0:VPN1: auto-negotiate connection

ike 0:VPN1: created connection: 0x17fc6a00 5 152.x.x.x->174.x.x.x:500.

ike 0:VPN1:VPN1: chosen to populate IKE_SA traffic-selectors

ike 0:VPN1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation

ike 0:VPN1:5538: out ...

ike 0:VPN1:5538: sent IKE msg (SA_INIT): 152.x.x.x:500->174.x.x.x:500, len=256, id=96957cd2c74f75b6/0000000000000000

ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....

ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b len=264

ike 0: in ...

ike 0:VPN1:5538: initiator received SA_INIT response

ike 0:VPN1:5538: processing notify type FRAGMENTATION_SUPPORTED

ike 0:VPN1:5538: processing notify type 16404

ike 0:VPN1:5538: incoming proposal:

ike 0:VPN1:5538: proposal id = 1:

ike 0:VPN1:5538:   protocol = IKEv2:

ike 0:VPN1:5538:      encapsulation = IKEv2/none

ike 0:VPN1:5538:         type=ENCR, val=AES_CBC (key_len = 128)

ike 0:VPN1:5538:         type=INTEGR, val=AUTH_HMAC_SHA_96

ike 0:VPN1:5538:         type=PRF, val=PRF_HMAC_SHA

ike 0:VPN1:5538:         type=DH_GROUP, val=MODP1024.

ike 0:VPN1:5538: matched proposal id 1

ike 0:VPN1:5538: proposal id = 1:

ike 0:VPN1:5538:   protocol = IKEv2:

ike 0:VPN1:5538:      encapsulation = IKEv2/none

ike 0:VPN1:5538:         type=ENCR, val=AES_CBC (key_len = 128)

ike 0:VPN1:5538:         type=INTEGR, val=AUTH_HMAC_SHA_96

ike 0:VPN1:5538:         type=PRF, val=PRF_HMAC_SHA

ike 0:VPN1:5538:         type=DH_GROUP, val=MODP1024.

ike 0:VPN1:5538: lifetime=3600

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ei 16:9AEA2F224B7394D3F52F820307889B5B

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_er 16:102C3213DC19358382E90460B6B98C62

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ai 20:CFCD9115094B148B28ED6D47E0CCA2614D67B909

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ar 20:D6AE88230C0F6BA56B580085702BEE0B629CE50F

ike 0:VPN1:5538: initiator preparing AUTH msg

ike 0:VPN1:5538: sending INITIAL-CONTACT

ike 0:VPN1:5538: mode-cfg request APPLICATION_VERSION

ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_ADDRESS

ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_NETMASK

ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_SUBNET

ike 0:VPN1:5538: enc 2900000C0100000098A017FB27000008000040002F00001C020000000BE1DE66DF20C061EF1B5FA115E8548F6519D4CB29000042010000000007002A466F727469476174652D3630462076362E302E362C6275696C64363431342C31393039303620284741290001000000020000000D00002100000800040242C00002C0000002801030403C79FCA750300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF09080706050403020109

ike 0:VPN1:5538: out 96957CD2C74F75B634B5EE933AB5153B2E202308000000010000011C230001006438D5E2D386FDB27E287167F8D2D291825CFAB5F42F0DFB9AE17DC2445FE3950C7B4B0E5F68A87AC26DFE0773E1E387C3806D04DB2F991A1D2E3825CE2C8B206B457FB365FE147F7D005AE8E776FA78E39646183B635BA3F2E4252CB903D47F6C08BDDEC9BFB0F3436E36486A9FE35516EC8070869BC86316580A386515D47D4A9594628AE0AED860BD673B0AD4566F5347605B9F2FE47E1DD47F0705DF9B1F527478BBC4A30660C4B936872AB418A686373090E0BCB809EE40DB511582D37374D07C8052689A76FC676269C2E245611F9E7D6F25C6D003921B99756FCB5C41270AEE0C8F5987936EF421F2564B9898FC488752E8ABD9B43E6BA04A

ike 0:VPN1:5538: sent IKE msg (AUTH): 152.x.x.x:500->174.x.x.x:500, len=284, id=96957cd2c74f75b6/34b5ee933ab5153b:00000001

ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....

ike 0: IKEv2 exchange=AUTH_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b:00000001 len=76

ike 0: in 96957CD2C74F75B634B5EE933AB5153B2E202320000000010000004C29000030E87C6A0641A3671D61EAB6D1A3B441DF06A4B69205085212C767F750599D579623A42D69603D68049E7ABB84

ike 0:VPN1:5538: dec 96957CD2C74F75B634B5EE933AB5153B2E2023200000000100000028290000040000000800000018

ike 0:VPN1:5538: initiator received AUTH msg

ike 0:VPN1:5538: received notify type AUTHENTICATION_FAILED

ike 0:VPN1:5538: schedule delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b

ike 0:VPN1:5538: scheduled delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b

ike 0:VPN1: connection expiring due to phase1 down

ike 0:VPN1: deleting

ike 0:VPN1: deleted

Toshi_Esumi
Esteemed Contributor III

So you're trying to set up Dialup VPN from FortiClient 6.4 with IKEv2? AUTH_FAILED with AUTH response generally means the other end didn't see the received PSK was matching.

ChrisChivers

Not dial up. Point to Point. Fortigate to my cloud server. 


We did discover the issue, although we still do not understand the why. The previous VPN we used to mirror the servers to our cloud servers was conflicting with the new VPN. They shouldn't have, but they did. 

emnoc
Esteemed Contributor III

The mode-cfg is throwing things off, but this looks like a PSK mismatch for IKEv2, and the IKE daemon is reporting this as AUTH_FAIL. Have you triple checked the PSK? Your secret is wrong or corrupted.


Ken Felix

PCNSE 

NSE 

StrongSwan  

sw2090
Honored Contributor

If you have more than one s2s IPsec that has the same remote gw and connects to the same WAN, you might have to make sure that they have unique proposals or a peerid set, because otherwise the FGT will take the first one that matches remote gw plus proposals.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

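
A small triage helper for this kind of debug output, added here as an example (it is not code from the thread or from Fortinet): it walks initiator-side debug lines of the wording quoted above, records how far the IKEv2 exchange got, and maps the outcome to the explanations given in this thread. An AUTHENTICATION_FAILED notify arriving after "matched proposal id" points at a PSK mismatch or at the peer selecting a different phase1 for the same remote gateway, which is where distinct peer/local IDs come in. The function name `triage_ike_debug`, the substring checks, the verdict texts and the second sample log are assumptions; the first sample is a trimmed copy of the debug posted above. The mapping from message wording to stages is inferred from that output, not taken from a documented interface.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the initiator-side debug quoted in
# this thread, with its masked addresses kept as-is.
SAMPLE_AUTH_FAILED = """\
ike 0:VPN1:5538: sent IKE msg (SA_INIT): 152.x.x.x:500->174.x.x.x:500, len=256, id=96957cd2c74f75b6/0000000000000000
ike 0:VPN1:5538: initiator received SA_INIT response
ike 0:VPN1:5538: matched proposal id 1
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:VPN1:5538: sent IKE msg (AUTH): 152.x.x.x:500->174.x.x.x:500, len=284, id=96957cd2c74f75b6/34b5ee933ab5153b:00000001
ike 0:VPN1:5538: initiator received AUTH msg
ike 0:VPN1:5538: received notify type AUTHENTICATION_FAILED
ike 0:VPN1: connection expiring due to phase1 down
"""

# Constructed sample (not from the thread): the peer rejects the phase 1
# proposal instead, so the negotiation never reaches IKE_AUTH.
SAMPLE_NO_PROPOSAL = """\
ike 0:VPN2:17: sent IKE msg (SA_INIT): 10.0.0.1:500->10.0.0.2:500, len=256, id=0011223344556677/0000000000000000
ike 0:VPN2:17: initiator received SA_INIT response
ike 0:VPN2:17: received notify type NO_PROPOSAL_CHOSEN
"""

NOTIFY_RE = re.compile(r"received notify type (\w+)")
SPI_RE = re.compile(r"id=([0-9a-f]{16}/[0-9a-f]{16})")


def triage_ike_debug(log: str) -> Dict[str, object]:
    """Report how far an IKEv2 initiator got and the likely cause of a stop.

    The checks are plain substring matches on the message wording seen in the
    thread's debug output; that wording is an assumption about the log format,
    not a documented interface.
    """
    seen = {
        "sa_init_sent": False,
        "sa_init_response": False,
        "proposal_matched": False,
        "mode_cfg": False,
        "auth_sent": False,
        "auth_response": False,
    }
    notifies: List[str] = []
    ike_spi: Optional[str] = None

    for line in log.splitlines():
        if "sent IKE msg (SA_INIT)" in line:
            seen["sa_init_sent"] = True
        elif "received SA_INIT response" in line:
            seen["sa_init_response"] = True
        elif "matched proposal id" in line:
            seen["proposal_matched"] = True
        elif "mode-cfg request" in line:
            seen["mode_cfg"] = True
        elif "sent IKE msg (AUTH)" in line:
            seen["auth_sent"] = True
        elif "received AUTH msg" in line:
            seen["auth_response"] = True
        m = NOTIFY_RE.search(line)
        if m:
            notifies.append(m.group(1))
        m = SPI_RE.search(line)
        if m:
            ike_spi = m.group(1)  # keep the last, fully populated SPI pair

    if not seen["sa_init_sent"]:
        stage, verdict = "NONE", "no SA_INIT sent in this capture"
    elif not seen["sa_init_response"]:
        stage, verdict = "SA_INIT", (
            "no SA_INIT response: remote-gw unreachable or UDP/500 blocked")
    elif "NO_PROPOSAL_CHOSEN" in notifies or not seen["proposal_matched"]:
        stage, verdict = "PROPOSAL", (
            "phase 1 proposal mismatch: align ENCR/INTEGR/PRF/DH group on both ends")
    elif "AUTHENTICATION_FAILED" in notifies:
        stage, verdict = "IKE_AUTH", (
            "peer rejected IKE_AUTH after a matched proposal: PSK mismatch, or "
            "the peer selected a different phase1 for this remote-gw (set "
            "distinct peer/local IDs when several tunnels share a gateway)")
    elif seen["auth_sent"] and not seen["auth_response"]:
        stage, verdict = "IKE_AUTH", "no IKE_AUTH response: peer dropped or timed out"
    else:
        stage, verdict = "ESTABLISHED", "phase 1 completed"

    return {
        "stage": stage,
        "verdict": verdict,
        "notifies": notifies,
        "ike_spi": ike_spi,
        # mode-cfg requests mean this phase1 is configured as a mode-cfg
        # (client-style) tunnel; worth confirming for a site-to-site VPN.
        "mode_cfg": seen["mode_cfg"],
    }


if __name__ == "__main__":
    for name, sample in (("VPN1", SAMPLE_AUTH_FAILED), ("VPN2", SAMPLE_NO_PROPOSAL)):
        result = triage_ike_debug(sample)
        print(f"{name}: stage={result['stage']} spi={result['ike_spi']}")
        print(f"  {result['verdict']}")
```

Run it against a saved copy of the debug output; the order of the tests matters, since a missing SA_INIT response or a rejected proposal must be reported before an AUTH-stage verdict is considered, and the IKE SPI pair in the result is what to search for on the responder side to see which phase1 it actually matched.
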
sw2090
Honored Contributor

huh! Apology for spamming the thread :\

The forum was somehow stuck and I clicked the save button a few times since nothing happened.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
