IPsec VPN Authentication Failed

ChrisChivers · ‎11-02-2020

Fortigate 60F

Setting up a new IPsec VPN. Phase 1 matches but I am still getting a "AUTHENTICATION_FAILED" error.

Please. Any assistance would be great.

Here is my debug:

ike 0:VPN1: schedule auto-negotiate

ike 0:VPN1: auto-negotiate connection

ike 0:VPN1: created connection: 0x17fc6a00 5 152.x.x.x->174.x.x.x:500.

ike 0:VPN1:VPN1: chosen to populate IKE_SA traffic-selectors

ike 0:VPN1: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation

ike 0:VPN1:5538: out 96957CD2C74F75B60000000000000000212022080000000000000100220000300000002C010100040300000C0100000C800E0080030000080200000203000008030000020000000804000002280000880002000086A849256EF1101F60E86751929A4896EED0779F5F87BDF45945E20F4B30C518FED4175841908A76BC901152045CC7B57E820894EA827C9A6615D2C9991D80DA35DA82CF10A58217A3622CF13CB96EDA10B8B8F1355EE0ACEBB35599C40FD933BD32F16EB670B8F2946A971143AD63331C999EC38A6070C818F7CF35C2A2AEE329000024B9D125ECBEFCCDB03E7D6E5EB3AFFC1013E3D6BD26AD55C8EA46CFD41FD15508000000080000402E

ike 0:VPN1:5538: sent IKE msg (SA_INIT): 152.x.x.x:500->174.x.x.x:500, len=256, id=96957cd2c74f75b6/0000000000000000

ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....

ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b len=264

ike 0: in 96957CD2C74F75B634B5EE933AB5153B212022200000000000000108220000300000002C010100040300000C0100000C800E00800300000803000002030000080200000200000008040000022800008800020000DF21D4C142499A845FE871CFBF50437B26B4A083695FD02FF9BEFBBB69DEC5AD02581D3CC9C7DE3F6070C7169FD5703CC2BCC6A018CA3547E60A379BB131595936B32A328DB6CDB5CBD85DF7F0441867A85721E5AA26C56B1DE3BB77B73BE9816BC27AD207FF510B11F9B27A4A88733CCFD2DD571E73EE004BB4ED1441F85D5C29000024B1B18B86E6EF41229A4050AECA2F6FA2F44434B9FE2FB491D247D32F2198733A290000080000402E0000000800004014

ike 0:VPN1:5538: initiator received SA_INIT response

ike 0:VPN1:5538: processing notify type FRAGMENTATION_SUPPORTED

ike 0:VPN1:5538: processing notify type 16404

ike 0:VPN1:5538: incoming proposal:

ike 0:VPN1:5538: proposal id = 1:

ike 0:VPN1:5538: protocol = IKEv2:

ike 0:VPN1:5538: encapsulation = IKEv2/none

ike 0:VPN1:5538: type=ENCR, val=AES_CBC (key_len = 128)

ike 0:VPN1:5538: type=INTEGR, val=AUTH_HMAC_SHA_96

ike 0:VPN1:5538: type=PRF, val=PRF_HMAC_SHA

ike 0:VPN1:5538: type=DH_GROUP, val=MODP1024.

ike 0:VPN1:5538: matched proposal id 1

ike 0:VPN1:5538: proposal id = 1:

ike 0:VPN1:5538: protocol = IKEv2:

ike 0:VPN1:5538: encapsulation = IKEv2/none

ike 0:VPN1:5538: type=ENCR, val=AES_CBC (key_len = 128)

ike 0:VPN1:5538: type=INTEGR, val=AUTH_HMAC_SHA_96

ike 0:VPN1:5538: type=PRF, val=PRF_HMAC_SHA

ike 0:VPN1:5538: type=DH_GROUP, val=MODP1024.

ike 0:VPN1:5538: lifetime=3600

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ei 16:9AEA2F224B7394D3F52F820307889B5B

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_er 16:102C3213DC19358382E90460B6B98C62

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ai 20:CFCD9115094B148B28ED6D47E0CCA2614D67B909

ike 0:VPN1:5538: IKE SA 96957cd2c74f75b6/34b5ee933ab5153b SK_ar 20:D6AE88230C0F6BA56B580085702BEE0B629CE50F

ike 0:VPN1:5538: initiator preparing AUTH msg

ike 0:VPN1:5538: sending INITIAL-CONTACT

ike 0:VPN1:5538: mode-cfg request APPLICATION_VERSION

ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_ADDRESS

ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_NETMASK

ike 0:VPN1:5538: mode-cfg request INTERNAL_IP4_SUBNET

ike 0:VPN1:5538: enc 2900000C0100000098A017FB27000008000040002F00001C020000000BE1DE66DF20C061EF1B5FA115E8548F6519D4CB29000042010000000007002A466F727469476174652D3630462076362E302E362C6275696C64363431342C31393039303620284741290001000000020000000D00002100000800

040242C00002C0000002801030403C79FCA750300000C0100000C800E0080030000080300000200000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF09080706050403020109

ike 0:VPN1:5538: out 96957CD2C74F75B634B5EE933AB5153B2E202308000000010000011C230001006438D5E2D386FDB27E287167F8D2D291825CFAB5F42F0DFB9AE17DC2445FE3950C7B4B0E5F68A87AC26DFE0773E1E387C3806D04DB2F991A1D2E3825CE2C8B206B457FB365FE147F7D005AE8E776FA78E39646183B635BA3F2E4252CB903D47F6C08BDDEC9BFB0F3436E36486A9FE35516EC8070869BC86316580A386515D47D4A9594628AE0AED860BD673B0AD4566F5347605B9F2FE47E1DD47F0705DF9B1F527478BBC4A30660C4B936872AB418A686373090E0BCB809EE40DB511582D37374D07C8052689A76FC676269C2E245611F9E7D6F25C6D003921B99756FCB5C41270AEE0C8F5987936EF421F2564B9898FC488752E8ABD9B43E6BA04A

ike 0:VPN1:5538: sent IKE msg (AUTH): 152.x.x.x:500->174.x.x.x:500, len=284, id=96957cd2c74f75b6/34b5ee933ab5153b:00000001

ike 0: comes 174.x.x.x:500->152.x.x.x:500,ifindex=5....

ike 0: IKEv2 exchange=AUTH_RESPONSE id=96957cd2c74f75b6/34b5ee933ab5153b:00000001 len=76

ike 0: in 96957CD2C74F75B634B5EE933AB5153B2E202320000000010000004C29000030E87C6A0641A3671D61EAB6D1A3B441DF06A4B69205085212C767F750599D579623A42D69603D68049E7ABB84

ike 0:VPN1:5538: dec 96957CD2C74F75B634B5EE933AB5153B2E2023200000000100000028290000040000000800000018

ike 0:VPN1:5538: initiator received AUTH msg

ike 0:VPN1:5538: received notify type AUTHENTICATION_FAILED

ike 0:VPN1:5538: schedule delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b

ike 0:VPN1:5538: scheduled delete of IKE SA 96957cd2c74f75b6/34b5ee933ab5153b

ike 0:VPN1: connection expiring due to phase1 down

ike 0:VPN1: deleting

ike 0:VPN1: deleted

gagandeeps · ‎08-27-2024

Setting up local iD on Fortigate and the Cisco side can also resolve this issue.

FortiGate sends 'local id' in FQD... - Fortinet Community

IPsec VPN Authentication Failed

Nominate a Forum Post for Knowledge Article Creation