sbabu (Staff)
Article Id 269911
Description

This article describes the IKEv2 error 'encapsulation mismatch' and how to fix it.

Scope

FortiGate, dial-up VPN setup.
Solution

When an IKEv1 native (dial-up) VPN is converted to an IKEv2 dial-up VPN, by default it will use transport mode in the phase2 configuration:

FGT1 (New-App) # show
config vpn ipsec phase2-interface
    edit "New-App"
        set phase1name "New-App"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set pfs disable
        set encapsulation transport-mode
        set l2tp enable
        set comments "VPN: New-App (Created by VPN wizard)"
        set keylifeseconds 3600
    next
end

The VPN connection will fail, and the following error can be seen in the IKE debug logs.

IKE debug logs:

2023-08-07 11:41:22.824172 ike 0:New-App:70605: responder received AUTH msg
2023-08-07 11:41:22.824214 ike 0:New-App:70605: peer identifier IPV4_ADDR 12.12.12.12
2023-08-07 11:41:22.824248 ike 0:New-App:70605: re-validate gw ID
2023-08-07 11:41:22.824291 ike 0:New-App:70605: gw validation OK
2023-08-07 11:41:22.824375 ike 0:New-App:70605: auth verify done
2023-08-07 11:41:22.824404 ike 0:New-App:70605: responder AUTH continuation
2023-08-07 11:41:22.824430 ike 0:New-App:70605: authentication succeeded
2023-08-07 11:41:22.824526 ike 0:New-App:70605: responder creating new child
2023-08-07 11:41:22.824587 ike 0:New-App:70605: mode-cfg type 1 request 0:''
2023-08-07 11:41:22.824633 ike 0:New-App: mode-cfg allocate 10.222.0.1/0.0.0.0
2023-08-07 11:41:22.824664 ike 0:New-App:70605: mode-cfg using allocated IPv4 10.222.0.1
2023-08-07 11:41:22.824689 ike 0:New-App:70605: mode-cfg type 8 request 0:''
2023-08-07 11:41:22.824714 ike 0:New-App: IPv6 pool is not configured
2023-08-07 11:41:22.824737 ike 0:New-App:70605: mode-cfg could not allocate IPv6 address
2023-08-07 11:41:22.824761 ike 0:New-App:70605: mode-cfg type 3 request 0:''
2023-08-07 11:41:22.824787 ike 0:New-App:70605: mode-cfg type 10 request 0:''
2023-08-07 11:41:22.824812 ike 0:New-App:70605: mode-cfg type 2 request 0:''
2023-08-07 11:41:22.824837 ike 0:New-App:70605: mode-cfg type 7 request 0:''
2023-08-07 11:41:22.824881 ike 0:New-App:70605:8770: peer proposal:
2023-08-07 11:41:22.824912 ike 0:New-App:70605:8770: TSi_0 0:0.0.0.0-255.255.255.255:0
2023-08-07 11:41:22.824946 ike 0:New-App:70605:8770: TSi_1 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
2023-08-07 11:41:22.824982 ike 0:New-App:70605:8770: TSr_0 0:0.0.0.0-255.255.255.255:0
2023-08-07 11:41:22.825020 ike 0:New-App:70605:8770: TSr_1 0:::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0
2023-08-07 11:41:22.825046 ike 0:New-App:70605:New-App:8770: comparing selectors
2023-08-07 11:41:22.825070 ike 0:New-App:70605:New-App:8770: encapsulation mismatch

This error usually appears when one end uses transport mode while the other end uses tunnel mode.

To fix this error, change the encapsulation method to 'tunnel-mode' in the phase2-interface configuration:

set encapsulation tunnel-mode
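As an added example (not part of the original article or Fortinet's own tooling), the following script pairs the 'encapsulation mismatch' line from the IKE debug output with the local phase2 setting and the peer identifier logged for the same IKE SA, so the phase2 that needs 'set encapsulation tunnel-mode' can be spotted quickly. The config and log samples are constructed from the article's layout; treating tunnel-mode as the default omitted by 'show' is an assumption.

```python
import re

# Constructed sample of `show vpn ipsec phase2-interface` output, laid out like the article's.
PHASE2_CONFIG = """\
config vpn ipsec phase2-interface
    edit "New-App"
        set phase1name "New-App"
        set encapsulation transport-mode
        set l2tp enable
    next
    edit "Site-B"
    next
end
"""
# Constructed excerpt of the IKE debug output, in the article's line format.
IKE_LOG = """\
2023-08-07 11:41:22.824214 ike 0:New-App:70605: peer identifier IPV4_ADDR 12.12.12.12
2023-08-07 11:41:22.825046 ike 0:New-App:70605:New-App:8770: comparing selectors
2023-08-07 11:41:22.825070 ike 0:New-App:70605:New-App:8770: encapsulation mismatch
"""

def parse_phase2(text):
    """Map phase2 name -> encapsulation. `show` omits defaults; tunnel-mode is assumed as the default."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            result[current] = "tunnel-mode"
        elif current and line.startswith("set encapsulation "):
            result[current] = line.split()[-1]
        elif line == "next":
            current = None
    return result

# Log prefix is ike <vdom>:<phase1>:<ike-sa>[:<phase2>:<child-sa>]: as seen in the article's debug lines.
LOG_RE = re.compile(r"ike \d+:(?P<p1>[^:]+):(?P<sa>\d+):(?P<p2>[^:]+):\d+: encapsulation mismatch")
PEER_RE = re.compile(r"ike \d+:(?P<p1>[^:]+):(?P<sa>\d+): peer identifier \S+ (?P<peer>\S+)")

def find_mismatches(log, config):
    """Pair each 'encapsulation mismatch' with the local phase2 setting and the peer on that IKE SA."""
    peers = {(m["p1"], m["sa"]): m["peer"] for m in PEER_RE.finditer(log)}
    encaps = parse_phase2(config)
    findings = []
    for m in LOG_RE.finditer(log):
        local = encaps.get(m["p2"])
        findings.append({"phase2": m["p2"], "peer": peers.get((m["p1"], m["sa"])), "local_encapsulation": local,
                         "fix": None if local == "tunnel-mode" else "set encapsulation tunnel-mode"})
    return findings
```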
