We recently converted from a Firepower to a FortiGate, and we have a problematic tunnel we just can't figure out what to do. The debug shows authentication is failing, but we've both confirmed and re-entered the PSK. We're also seeing the remote peer using 172.24.x.x as it's peer ID just before the authentication failure. They are using a Cisco ASR router and refuse to change their peer ID, although they did admit they have problems with both FortiGate and Palo firewalls. I've searched through numerous Fortinet documents, and I've had a TAC case opened a week with no progress. Is there anyone that can tell me how to change the remote peer ID for a VPN tunnel? Thank you.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
We figured out the problem. Our PSK had a special character that the FGT didn't like, but I'm not sure which one it was. It was a long key with several special characters, but we made it a bit longer with no special characters, and it resolved the problem.
Can you share the configuration and debug logs?
Sure can.
DDC-C1-FTG2600 (CSM_out_map_002) # show
config vpn ipsec phase1-interface
edit "CSM_out_map_002"
set interface "Ethernet1/1"
set ike-version 2
set authmethod-remote psk
set peertype any
set net-device disable
set proposal aes256-sha256
set comments "Vendor VPN"
set dhgrp 14
set remote-gw 1.1.1.1
set psksecret ENC *
set psksecret-remote ENC *
next
end
ike 0:CSM_out_map_002:56014: initiator received AUTH msg
ike 0:CSM_out_map_002:56014: peer identifier IPV4_ADDR 172.24.32.5 <<<<<<<<
ike 0:CSM_out_map_002:56014: auth verify done
ike 0:CSM_out_map_002:56014: initiator AUTH continuation
ike 0:CSM_out_map_002:56014: authentication failed <<<<<<<<<
ike 0:CSM_out_map_002:56014: schedule delete of IKE SA d42b0bdbeb22e82a/f82e2164be69f343
ike 0:CSM_out_map_002:56014: scheduled delete of IKE SA d42b0bdbeb22e82a/f82e2164be69f343
ike 0:CSM_out_map_002: connection expiring due to phase1 down
ike 0:CSM_out_map_002: deleting
ike 0:CSM_out_map_002: deleted
ike 0:CSM_out_map_002: schedule auto-negotiate
ike 0: unknown SPI 96790842 51 1.1.1.1:4500->2.2.2.2
ike 0:: send HA sync query conn scope=3 mode=1
diagnose debug disable
We figured out the problem. Our PSK had a special character that the FGT didn't like, but I'm not sure which one it was. It was a long key with several special characters, but we made it a bit longer with no special characters, and it resolved the problem.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1697 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.