Fortigate 60F
Setting up a new IPsec VPN. Phase 1 matches but I am still getting a "AUTHENTICATION_FAILED" error.
Please. Any assistance would be great.
Here is my debug:
ike 0:VPN1: schedule auto-negotiate
ike 0:VPN1: auto-negotiate connection
ike 0:VPN1: created connection: 0x17fc6a00 5 152.x.x.x->174.x.x.x:500.
ike 0:VPN1:VPN1: chosen to populate IKE_SA traffic-selectors
ike 0:VPN1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:VPN1:5538: out 96957CD2C74F75B60000000000000000212022080000000000000100220000300000002C010100040300000C0100000C800E0080030000080200000203000008030000020000000804000002280000880002000086A849256EF1101F60E86751929A4896EED0779F5F87BDF45945E20F4B30C518FED4175841908A76BC901152045CC7B57E820894EA827C9A6615D2C9991D80DA35DA82CF10A58217A3622CF13CB96EDA10B8B8F1355EE0ACEBB35599C40FD933BD32F16EB670B8F2946A971143AD63331C999EC38A6070C818F7CF35C2A2AEE329000024B9D125ECBEFCCDB03E7D6E5EB3AFFC1013E3D6BD26AD55C8EA46CFD41FD15508000000080000402E
ike 0:VPN1:5538: sent IKE msg (SA_INIT): 152.x.x.x:500->174.x.x.x:500, len=256, id=96957cd2c74f75b6/0000000000000000
ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b len=264
ike 0: in 96957CD2C74F75B634B5EE933AB5153B212022200000000000000108220000300000002C010100040300000C0100000C800E00800300000803000002030000080200000200000008040000022800008800020000DF21D4C142499A845FE871CFBF50437B26B4A083695FD02FF9BEFBBB69DEC5AD02581D3CC9C7DE3F6070C7169FD5703CC2BCC6A018CA3547E60A379BB131595936B32A328DB6CDB5CBD85DF7F0441867A85721E5AA26C56B1DE3BB77B73BE9816BC27AD207FF510B11F9B27A4A88733CCFD2DD571E73EE004BB4ED1441F85D5C29000024B1B18B86E6EF41229A4050AECA2F6FA2F44434B9FE2FB491D247D32F2198733A290000080000402E0000000800004014
ike 0:VPN1:5538: initiator received SA_INIT response
ike 0:VPN1:5538: processing notify type FRAGMENTATION_SUPPORTED
ike 0:VPN1:5538: processing notify type 16404
ike 0:VPN1:5538: incoming proposal:
ike 0:VPN1:5538: proposal id = 1:
ike 0:VPN1:5538: protocol = IKEv2:
ike 0:VPN1:5538: encapsulation = IKEv2/none
ike 0:VPN1:5538: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:VPN1:5538: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:VPN1:5538: type=PRF, val=PRF_HMAC_SHA
ike 0:VPN1:5538: type=DH_GROUP, val=MODP1024.
ike 0:VPN1:5538: matched proposal id 1
ike 0:VPN1:5538: proposal id = 1:
ike 0:VPN1:5538: protocol = IKEv2:
ike 0:VPN1:5538: encapsulation = IKEv2/none
ike 0:VPN1:5538: type=ENCR, val=AES_CBC (key_len = 128)
ike 0:VPN1:5538: type=INTEGR, val=AUTH_HMAC_SHA_96
ike 0:VPN1:5538: type=PRF, val=PRF_HMAC_SHA
ike 0:VPN1:5538: type=DH_GROUP, val=MODP1024.
ike 0:VPN1:5538: lifetime=3600
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ei 16:9AEA2F224B7394D3F52F820307889B5B
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_er 16:102C3213DC19358382E90460B6B98C62
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ai 20:CFCD9115094B148B28ED6D47E0CCA2614D67B909
ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ar 20:D6AE88230C0F6BA56B580085702BEE0B629CE50F
ike 0:VPN1:5538: initiator preparing AUTH msg
ike 0:VPN1:5538: sending INITIAL-CONTACT
ike 0:VPN1:5538: mode-cfg request APPLICATION_VERSION
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_ADDRESS
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_NETMASK
ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_SUBNET
ike 0:VPN1:5538: enc 2900000C0100000098A017FB27000008000040002F00001C020000000BE1DE66DF20C061EF1B5FA115E8548F6519D4CB29000042010000000007002A466F727469476174652D3630462076362E302E362C6275696C64363431342C31393039303620284741290001000000020000000D00002100000800
040242C00002C0000002801030403C79FCA750300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF09080706050403020109
ike 0:VPN1:5538: out 96957CD2C74F75B634B5EE933AB5153B2E202308000000010000011C230001006438D5E2D386FDB27E287167F8D2D291825CFAB5F42F0DFB9AE17DC2445FE3950C7B4B0E5F68A87AC26DFE0773E1E387C3806D04DB2F991A1D2E3825CE2C8B206B457FB365FE147F7D005AE8E776FA78E39646183B635BA3F2E4252CB903D47F6C08BDDEC9BFB0F3436E36486A9FE35516EC8070869BC86316580A386515D47D4A9594628AE0AED860BD673B0AD4566F5347605B9F2FE47E1DD47F0705DF9B1F527478BBC4A30660C4B936872AB418A686373090E0BCB809EE40DB511582D37374D07C8052689A76FC676269C2E245611F9E7D6F25C6D003921B99756FCB5C41270AEE0C8F5987936EF421F2564B9898FC488752E8ABD9B43E6BA04A
ike 0:VPN1:5538: sent IKE msg (AUTH): 152.x.x.x:500->174.x.x.x:500, len=284, id=96957cd2c74f75b6/34b5ee933ab5153b:00000001
ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b:00000001 len=76
ike 0: in 96957CD2C74F75B634B5EE933AB5153B2E202320000000010000004C29000030E87C6A0641A3671D61EAB6D1A3B441DF06A4B69205085212C767F750599D579623A42D69603D68049E7ABB84
ike 0:VPN1:5538: dec 96957CD2C74F75B634B5EE933AB5153B2E2023200000000100000028290000040000000800000018
ike 0:VPN1:5538: initiator received AUTH msg
ike 0:VPN1:5538: received notify type AUTHENTICATION_FAILED
ike 0:VPN1:5538: schedule delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b
ike 0:VPN1:5538: scheduled delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b
ike 0:VPN1: connection expiring due to phase1 down
ike 0:VPN1: deleting
ike 0:VPN1: deleted
Setting up local iD on Fortigate and the Cisco side can also resolve this issue.
FortiGate sends 'local id' in FQD... - Fortinet Community
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.