
Solved: How do I troubleshoot a FortiGate that sends its ‘local id’ as FQDN type when negotiating an IPsec tunnel with Cisco?

This article describes how to resolve the ‘AUTHENTICATION_FAILED’ error seen during IPsec tunnel negotiation between a FortiGate and a Cisco device.

In this example:

  • 10.1.1.1 is an IP on FortiGate.
  • 10.2.2.2 is an IP on Cisco ASA.

A site-to-site IPsec VPN between a FortiGate on AWS and a Cisco device using IKEv2 does not come up. The IKE debug on the FortiGate shows ‘AUTHENTICATION_FAILED’.

Below is the debug output on the FortiGate:

2022-09-16 14:08:04.722079 ike 0:B1:49836: sent IKE msg (AUTH): 10.1.1.1:500->10.2.2.2:500, len=240, vrf=0, id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001
2022-09-16 14:08:04.747045 ike 0: comes 10.2.2.2:500->10.1.1.1:500,ifindex=3,vrf=0....
2022-09-16 14:08:04.747059 ike 0: IKEv2 exchange=AUTH_RESPONSE id=93cf8ded66f1bb7c/e34f9641e22c3ce3:00000001 len=80
2022-09-16 14:08:04.747072 ike 0: in 93CF8DED66F1BB7CE34F9641E22C3CE32E20232000000001000000502900003436FE4BDB3A3D8A55A6F939B558473FA166E5F335244FA4A3B5F076AD120E2A3C5A16F324AA27C6A6A7BF52D604777FE2
2022-09-16 14:08:04.747083 ike 0:B1:49836: dec 93CF8DED66F1BB7CE34F9641E22C3CE32E2023200000000100000028290000040000000800000018
2022-09-16 14:08:04.747095 ike 0:B1:49836: initiator received AUTH msg
2022-09-16 14:08:04.747101 ike 0:B1:49836: received notify type AUTHENTICATION_FAILED

In the debug on the Cisco side, the peer’s identity is received with type FQDN even though its value is the FortiGate’s IP address, so the responder cannot find a matching policy. Below is the debug output on the Cisco firewall:

Sep 16 00:19:48.293 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Received Packet [From 10.1.1.1:500/To 10.2.2.2:500/VRF i0:f5]
Initiator SPI : B00BFE07C3FF2CE0 - Responder SPI : A021B9EFEC57B189 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) AUTH NOTIFY(Unknown - 16420) SA TSi TSr

Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Stopping timer to wait for auth message
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Checking NAT discovery
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):NAT not found
Sep 16 00:19:48.294 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Searching policy based on peer's identity '10.1.1.1' of type 'FQDN'
Sep 16 00:19:48.296 UTC: IKEv2-ERROR:(SESSION ID = 54588636,SA ID = 50):: Failed to locate an item in the database
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Verification of peer's authentication data FAILED
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Sending authentication failure notify
Sep 16 00:19:48.296 UTC: IKEv2:(SESSION ID = 54588636,SA ID = 50):Building packet for encryption.

This issue can occur when localid-type is set to auto: the FortiGate then sends its local ID as an FQDN (here the string ‘10.1.1.1’ typed as FQDN), while the Cisco peer expects an identity of type address.

Solution

To resolve this issue, set localid-type to address (or to whichever identity type the remote peer expects from the FortiGate) and set localid to the matching value:

# config vpn ipsec phase1-interface
    edit 1
        set localid-type address
        set localid 10.1.1.1
    end
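To show why the type mismatch alone is enough to fail authentication, here is an added example (not from Fortinet or Cisco) that builds and parses an IKEv2 Identification payload as defined in RFC 7296 section 3.5 and then does a policy lookup keyed on (ID type, identity), the way the responder's "Searching policy based on peer's identity" step behaves. The policy table and its tunnel name are constructed sample data.

```python
import ipaddress
import struct

# IKEv2 Identification payload ID types (RFC 7296, section 3.5)
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN",
            11: "ID_KEY_ID"}

# Constructed responder policy table: keyed on (type name, identity value).
POLICIES = {("ID_IPV4_ADDR", "10.1.1.1"): "tunnel-to-fortigate"}


def build_id_payload(id_type, value, next_payload=0):
    """Build an IDi/IDr payload: generic header, ID type, 3 reserved bytes, data."""
    if id_type == 1:
        data = ipaddress.IPv4Address(value).packed      # 4 raw address bytes
    elif id_type == 5:
        data = ipaddress.IPv6Address(value).packed      # 16 raw address bytes
    else:
        data = value.encode("ascii")                     # FQDN and others are text
    body = struct.pack("!B3x", id_type) + data
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def parse_id_payload(payload):
    """Return (type name, printable identity) for one Identification payload."""
    _next, _flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload) or length < 8:
        raise ValueError("bad Identification payload length")
    id_type, data = payload[4], payload[8:]
    name = ID_TYPES.get(id_type, "unknown(%d)" % id_type)
    if id_type == 1 and len(data) == 4:
        return name, str(ipaddress.IPv4Address(data))
    if id_type == 5 and len(data) == 16:
        return name, str(ipaddress.IPv6Address(data))
    return name, data.decode("ascii", errors="replace")


def lookup_peer_policy(policies, payload):
    """Match on type AND value; None corresponds to 'Failed to locate an item'."""
    return policies.get(parse_id_payload(payload))


if __name__ == "__main__":
    for id_type in (2, 1):   # FQDN first (the failing case), then IPv4 address
        idi = build_id_payload(id_type, "10.1.1.1")
        print(parse_id_payload(idi), "->", lookup_peer_policy(POLICIES, idi))
```

Both payloads carry the text 10.1.1.1, but only the one typed ID_IPV4_ADDR matches the policy, which is exactly the difference between localid-type auto and address in the fix above.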