
Solved: How do I fix IPSec error: 22: Invalid argument?

Problem Description

This article describes how to troubleshoot IPSec error: 22: Invalid argument.

Scope

FortiGate

Solution

Step 1: An IPSec tunnel is configured between FG-A and FG-B with the following Phase2 selector settings (the members of the local and remote address groups on each side):

FG-A:
[IPSec_local]
IPSec_local_subnet_1: 10.251.0.0/20
IPSec_local_subnet_2: 10.251.0.0/24
[IPSec_remote]
IPSec_remote_subnet_1: 10.120.0.0/20

FG-B:
[IPSec_local]
IPSec_local_subnet_1: 10.120.0.0/20
[IPSec_remote]
IPSec_remote_subnet_1: 10.251.0.0/20
IPSec_remote_subnet_2: 10.251.0.0/24

Step 2: With this configuration, Phase2 does not come up when the tunnel is initiated from FG-B.

The IKE debug log is inspected with the following commands:

# diag vpn ike log-filter dst-addr4
# diag deb app ike -1
# diag deb en

Here dst-addr4 takes the peer gateway's IPv4 address as its argument, so that only the IKE negotiation for this tunnel is logged; diag deb app ike -1 enables every IKE debug level and diag deb en turns debug output on. Once the capture is done, turn debugging off again with diag deb dis followed by diag deb reset, since leaving full IKE debugging enabled on a busy gateway costs CPU and floods the console.

Step 3: The debug log on FG-A shows that FG-A failed to add the SA with error 22: Invalid argument (errno 22 is EINVAL: the IPsec stack rejected the SA it was asked to install).

The same log also shows the SA_DONE operation on FG-A failing with error 2: No such file or directory (errno 2 is ENOENT), which follows from the first failure: an SA that was never installed cannot be found when the negotiation tries to complete it.

Step 4: The tunnel is established if FG-A is the initiator instead, as the debug output captured on both FG-A and FG-B shows. The failure therefore depends on which side is the responder, not on the Phase1 or Phase2 proposals.

Step 5: The cause is the overlapping subnets in FG-A's local selector (and, mirrored, in FG-B's remote selector): 10.251.0.0/24 lies entirely inside 10.251.0.0/20, so the two address group members produce overlapping Phase2 selectors, and when FG-B initiates, FG-A as responder fails to install the resulting SA.

Removing 10.251.0.0/24 from the address group on both FortiGates fixes the tunnel regardless of whether FG-A or FG-B is the initiator. The /24 adds no address space that the /20 does not already cover, so nothing is lost by dropping it. After the change, confirm with diag vpn tunnel list that the expected selectors are installed, and check any other address groups used as Phase2 selectors for members that nest inside one another in the same way.
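The check that Step 5 performs by eye can be automated before a selector list reaches a FortiGate. The script below is an added example for this article, not FortiGate code or Fortinet's own tooling; the function names are assumptions, and the selector lists are constructed from the Step 1 listing. It reports every pair of overlapping prefixes in a list, names the entries that can be removed without changing the covered address space (here 10.251.0.0/24), and checks that one gateway's local selectors mirror the peer's remote selectors. It generalises the article's case: any prefix nested in or equal to another in the same list is flagged.

```python
"""Detect overlapping and redundant Phase2 selector entries.

Added example for this article; not FortiGate code.  Entry names and
prefixes are constructed from the article's Step 1 listing.
"""
import ipaddress
from itertools import combinations

# Selector lists as configured in Step 1 (entry name -> CIDR).
FG_A_LOCAL = {
    "IPSec_local_subnet_1": "10.251.0.0/20",
    "IPSec_local_subnet_2": "10.251.0.0/24",
}
FG_A_REMOTE = {"IPSec_remote_subnet_1": "10.120.0.0/20"}
FG_B_LOCAL = {"IPSec_local_subnet_1": "10.120.0.0/20"}
FG_B_REMOTE = {
    "IPSec_remote_subnet_1": "10.251.0.0/20",
    "IPSec_remote_subnet_2": "10.251.0.0/24",
}


def _parse(entries):
    # strict=True rejects a prefix with host bits set (e.g. 10.251.1.0/20),
    # a separate misconfiguration worth catching at the same time.
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in entries.items()}


def find_overlaps(entries):
    """Return [(name_a, name_b, relation), ...] for each pair of entries
    whose prefixes share addresses.  Two CIDR prefixes either nest or are
    disjoint, so relation is 'equal', 'a_contains_b' or 'b_contains_a'."""
    nets = _parse(entries)
    found = []
    for (na, a), (nb, b) in combinations(nets.items(), 2):
        if a.version != b.version or not a.overlaps(b):
            continue
        if a == b:
            rel = "equal"
        elif a.supernet_of(b):
            rel = "a_contains_b"
        else:
            rel = "b_contains_a"
        found.append((na, nb, rel))
    return found


def redundant_entries(entries):
    """Names whose prefix is fully covered by another entry in the same list.
    Removing them changes no address space but removes the overlap, which is
    the fix the article applies (drop 10.251.0.0/24, keep 10.251.0.0/20).
    Among exact duplicates the lexicographically first name is kept."""
    nets = _parse(entries)
    redundant = set()
    for na, a in nets.items():
        for nb, b in nets.items():
            if na == nb or a.version != b.version:
                continue
            if b.supernet_of(a) and (b.prefixlen < a.prefixlen or nb < na):
                redundant.add(na)
    return sorted(redundant)


def selectors_mirror(local, peer_remote):
    """True when one gateway's local selectors are exactly the peer's remote
    selectors; Phase2 will not negotiate if the two sides disagree."""
    return set(_parse(local).values()) == set(_parse(peer_remote).values())


if __name__ == "__main__":
    for label, entries in (("FG-A local", FG_A_LOCAL), ("FG-A remote", FG_A_REMOTE),
                           ("FG-B local", FG_B_LOCAL), ("FG-B remote", FG_B_REMOTE)):
        print(label, "overlaps:", find_overlaps(entries),
              "remove:", redundant_entries(entries))
    print("FG-A local mirrors FG-B remote:", selectors_mirror(FG_A_LOCAL, FG_B_REMOTE))
    print("FG-B local mirrors FG-A remote:", selectors_mirror(FG_B_LOCAL, FG_A_REMOTE))
```

Run on the Step 1 lists it flags IPSec_local_subnet_2 on FG-A and IPSec_remote_subnet_2 on FG-B as the entries to remove, and reports the two remaining sides as clean; running it against an exported address group before pushing a change catches the nesting that produced error 22 here.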
