2024-10-30T17:59:16.572Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(###.###.###.###:500 <- ###.###.###.###:500): len= 400, mID=0, HDR(####_i,####_r), SA, KE, Nonce, N(FRAGMENTATION_SUPPORTED)
2024-10-30T17:59:16.572Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-event" level="INFO"] Request for IKE session status update for session: ####, local_ip: ###.###.###.###, peer_ip: ###.###.###.### status: IKE_STATUS_NEGO, error:
2024-10-30T17:59:16.572Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Session status change for ########-####-####-####-############ to status: IKE_STATUS_NEGO, reason: , current status: IKE_STATUS_NEGO, reason: , refcount: 18
2024-10-30T17:59:16.572Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] No matching IKESA info for session SPI: 0x####_i,0x####_r
2024-10-30T17:59:16.572Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Adding IKESA info to session SPI: 0x####_i 0x####_r
2024-10-30T17:59:16.578Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(###.###.###.###:500 -> ###.###.###.###:500): len= 406, mID=0, HDR(####_i,####_r), SA, KE, Nonce, N(FRAGMENTATION_SUPPORTED), Vid
…
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet R(###.###.###.###:500 <- ###.###.###.###:500): len= 196, mID=1, HDR(####_i,####_r), IDi, N(INITIAL_CONTACT), AUTH, unknown, SA, TSi, TSr
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] IKEv2 SA [Responder] negotiation failed:
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Local IKE peer ###.###.###.###:500 routing instance 25 ID (null)
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Remote IKE peer ###.###.###.###:500 routing instance 25 ID (null)
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"]
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Message: Authentication failed (24)
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Reason:
2024-10-30T17:59:16.622Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="ERROR" errorCode="EDG1000028"] Remote ID mismatch
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKE SA negotiations: 741581 done, 22289 successful, 719292 failed
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IPsec SA [Responder] negotiation failed:
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Local IKE peer ###.###.###.###:500 routing instance 25 ID (null)
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Remote IKE peer ###.###.###.###:500 routing instance 25 ID (null)
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] Message: Authentication failed (24)
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="INFO"] Request for IPSEC tunnel status update : tunnel: 8224, rule: 0, local_ip: ###.###.###.###, peer_ip: ###.###.###.### inbound_spi: 0x0, outbound_spi: 0x0 status: IPSEC_STATUS_DOWN, error: Authentication failed
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="iked-main" level="ERROR" errorCode="EDG1000047"] Null policy manager rule while updating tunnel status
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="nestdb-iked" level="INFO"] Successfully updated session ########-####-####-####-############, for rule ID: 0, with status: IPSEC_STATUS_DOWN, reason: Authentication failed
...
2024-10-30T17:59:16.623Z <edgeNode> NSX 67601 VPN [nsx@6876 comp="nsx-edge" subcomp="iked" s2comp="ike-stack" level="INFO"] IKEv2 packet S(###.###.###.###:500 -> ###.###.###.###:500): len= 76, mID=1, HDR(####_i,####_r), N(AUTHENTICATION_FAILED)
VMware NSX IPSEC VPN with Fortinet Peer
The IPSEC negotiation fails during IKE authentication because of a misconfiguration on the Fortinet side: the Fortinet peer sends its local IKE identity (the IDi payload in the IKE_AUTH exchange) with a string ID type instead of as an IP address. NSX expects the peer's IKE ID to be its IP address, so the identity comparison fails even though the text of the ID may spell the same address. The NSX Edge, acting as responder, logs "Authentication failed (24)" with reason "Remote ID mismatch" (error code EDG1000028), marks the tunnel IPSEC_STATUS_DOWN, and replies with N(AUTHENTICATION_FAILED).
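The following Python is an added example for this article, not NSX or FortiOS code. It encodes an IKEv2 Identification payload (RFC 7296 section 3.5) both ways and runs the kind of remote-ID comparison a responder performs, showing why an ID that merely spells the peer's address as text does not satisfy a check that expects an address-typed ID. The address 203.0.113.10 is a constructed RFC 5737 stand-in for the masked ###.###.###.### peer, and the assumption that a string-typed local ID is carried as ID_FQDN is the example's; the KB does not state which string type the peer used.

```python
"""IKEv2 Identification (IDi) payload encoding and a responder-side remote-ID
check. Added example for this KB article; it is not NSX or FortiOS code.
The peer address 203.0.113.10 is a constructed RFC 5737 address standing in
for the masked ###.###.###.### peer in the log excerpt."""
import ipaddress
import struct

# Identification payload ID types, RFC 7296 section 3.5.
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_RFC822_ADDR = 3
ID_IPV6_ADDR = 5
ID_KEY_ID = 11

ID_TYPE_NAMES = {
    ID_IPV4_ADDR: "ID_IPV4_ADDR",
    ID_FQDN: "ID_FQDN",
    ID_RFC822_ADDR: "ID_RFC822_ADDR",
    ID_IPV6_ADDR: "ID_IPV6_ADDR",
    ID_KEY_ID: "ID_KEY_ID",
}

# Generic payload header (next payload, critical/reserved, length) followed by
# the ID header (ID type, three reserved bytes): 8 bytes before the ID data.
_ID_HEADER = struct.Struct("!BBHB3x")


def encode_id_payload(id_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Build an IDi/IDr payload; the length field covers header and data."""
    return _ID_HEADER.pack(next_payload, 0, _ID_HEADER.size + len(data), id_type) + data


def decode_id_payload(payload: bytes) -> tuple[int, bytes]:
    """Return (id_type, identification_data), rejecting malformed lengths."""
    if len(payload) < _ID_HEADER.size:
        raise ValueError("ID payload shorter than its header")
    _next, _flags, length, id_type = _ID_HEADER.unpack(payload[: _ID_HEADER.size])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes")
    return id_type, payload[_ID_HEADER.size :]


def id_to_text(id_type: int, data: bytes) -> str:
    """Render ID data for logging; address types must have the exact length."""
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return str(ipaddress.IPv4Address(data))
    if id_type == ID_IPV6_ADDR:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
        return str(ipaddress.IPv6Address(data))
    if id_type in (ID_FQDN, ID_RFC822_ADDR):
        return data.decode("ascii", errors="replace")
    return data.hex()


def remote_id_matches(expected_type: int, expected_text: str, idi_payload: bytes) -> tuple[bool, str]:
    """Responder-side check: the ID type is part of the identity, so a
    string that merely spells the expected address does not match."""
    got_type, data = decode_id_payload(idi_payload)
    got_text = id_to_text(got_type, data)
    expected_name = ID_TYPE_NAMES.get(expected_type, str(expected_type))
    got_name = ID_TYPE_NAMES.get(got_type, str(got_type))
    if got_type != expected_type:
        return False, (f"Remote ID mismatch: expected {expected_name} {expected_text}, "
                       f"peer sent {got_name} {got_text!r}")
    if got_text != expected_text:
        return False, f"Remote ID mismatch: expected {expected_text}, peer sent {got_text!r}"
    return True, f"Remote ID matched {got_name} {got_text}"


PEER_IP = "203.0.113.10"  # constructed stand-in for the masked peer address

# Assumption: a peer whose local ID is "interpreted as a string" encodes the
# dotted-quad text as ID_FQDN data; the KB does not state the exact type used.
FQDN_STYLE_IDI = encode_id_payload(ID_FQDN, PEER_IP.encode("ascii"))

# What the same peer sends once its local ID type is an IP address.
ADDRESS_STYLE_IDI = encode_id_payload(ID_IPV4_ADDR, ipaddress.IPv4Address(PEER_IP).packed)

if __name__ == "__main__":
    for label, idi in (("string-typed ID", FQDN_STYLE_IDI), ("address-typed ID", ADDRESS_STYLE_IDI)):
        ok, reason = remote_id_matches(ID_IPV4_ADDR, PEER_IP, idi)
        print(f"{label:>16}: {'OK  ' if ok else 'FAIL'} {reason}")
```

The string-typed payload fails on the type comparison before the value is even considered, which is the behaviour behind the "Remote ID mismatch" reason in the log. Note that in a real exchange the IDi travels inside the encrypted IKE_AUTH message; the NSX Edge lists it in its ike-stack log only because it logs payload names after decryption, so a packet capture on the wire will not show the ID type without the session keys.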
To correct this, on the CLI of the Fortinet device, set the local ID type of the phase 1 definition that faces the NSX Edge (under config vpn ipsec phase1-interface, in the edit context for that phase 1 name) to an IP address, so that the value configured as the local ID is sent as an IP-address ID rather than as a string. Follow the Fortinet CLI documentation for your FortiOS version; the relevant command is:
> set localid-type address
Please note: Broadcom is not responsible for the information in the Fortinet documentation referenced above or in any other third-party documentation. Please verify with the hardware vendor that this configuration is valid and applicable to the situation.
For general IPSEC VPN troubleshooting steps, see Troubleshooting NSX IPSEC VPN.