Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
albaker1
Contributor

Problem with S2S VPN tunnel - remote peer is advertising private IP as peer

We recently converted from a Firepower to a FortiGate, and we have a problematic tunnel we just can't figure out what to do. The debug shows authentication is failing, but we've both confirmed and re-entered the PSK. We're also seeing the remote peer using 172.24.x.x as it's peer ID just before the authentication failure. They are using a Cisco ASR router and refuse to change their peer ID, although they did admit they have problems with both FortiGate and Palo firewalls. I've searched through numerous Fortinet documents, and I've had a TAC case opened a week with no progress. Is there anyone that can tell me how to change the remote peer ID for a VPN tunnel? Thank you.

1 Solution
albaker1

We figured out the problem. Our PSK had a special character that the FGT didn't like, but I'm not sure which one it was. It was a long key with several special characters, but we made it a bit longer with no special characters, and it resolved the problem.

View solution in original post

3 REPLIES 3
srajeswaran
Staff
Staff

Can you share the configuration and debug logs?

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

albaker1

Sure can. 

 

DDC-C1-FTG2600 (CSM_out_map_002) # show
config vpn ipsec phase1-interface
edit "CSM_out_map_002"
set interface "Ethernet1/1"
set ike-version 2
set authmethod-remote psk
set peertype any
set net-device disable
set proposal aes256-sha256
set comments "Vendor VPN"
set dhgrp 14
set remote-gw 1.1.1.1
set psksecret ENC *
set psksecret-remote ENC *
next
end


ike 0:CSM_out_map_002:56014: initiator received AUTH msg
ike 0:CSM_out_map_002:56014: peer identifier IPV4_ADDR 172.24.32.5 <<<<<<<<
ike 0:CSM_out_map_002:56014: auth verify done
ike 0:CSM_out_map_002:56014: initiator AUTH continuation
ike 0:CSM_out_map_002:56014: authentication failed <<<<<<<<<
ike 0:CSM_out_map_002:56014: schedule delete of IKE SA d42b0bdbeb22e82a/f82e2164be69f343
ike 0:CSM_out_map_002:56014: scheduled delete of IKE SA d42b0bdbeb22e82a/f82e2164be69f343
ike 0:CSM_out_map_002: connection expiring due to phase1 down
ike 0:CSM_out_map_002: deleting
ike 0:CSM_out_map_002: deleted
ike 0:CSM_out_map_002: schedule auto-negotiate
ike 0: unknown SPI 96790842 51 1.1.1.1:4500->2.2.2.2
ike 0:: send HA sync query conn scope=3 mode=1
diagnose debug disable

albaker1

We figured out the problem. Our PSK had a special character that the FGT didn't like, but I'm not sure which one it was. It was a long key with several special characters, but we made it a bit longer with no special characters, and it resolved the problem.

Labels
Top Kudoed Authors