
【NGAF】Fails to build IPSec connection (3rd Party connection)

Issue Description

The customer configured an IPSec 3rd party connection between two NGAF devices. The VPN tunnel does not come online and the system log shows the following errors.
Primary NGAF: IKE SPI is invalid.
Secondary NGAF: Sent notifications, Format is invalid.

Error/Warning Information


Handling Process

  1. Understand the situation: the VPN was previously built with a 3rd party device and has now been changed to NGAF – NGAF.

  2. Checked the branch NGAF configuration; the Phase 1 settings show a different public IP from the one in the logs.

  3. Confirmed with the user and changed the branch NGAF Phase 1 peer IP address.

  4. Compared the Phase 1 settings on both sides; they match.

  5. The VPN still fails to come up, with each side showing a different error.

  6. Checking the primary NGAF, found that the WAN network uses a private IP (192.168.x.x). It was then learnt that the primary NGAF connects to an ISP router (NAT environment).
    An illustration of the topology:
    NGAF A — ISP Router — ISP Modem <-----> ISP Modem — NGAF B

  7. Configured Local ID and Peer ID on both NGAF sides. (This is required when the WAN zone on either side is behind NAT.)

Root Cause

Environment issue: NAT exists on the WAN network of one side.

Solution

Configure Local ID and Peer ID on both sides.
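The identity mismatch behind the two different log messages, as an added model (not NGAF code): without explicit IDs each gateway identifies itself by its WAN address, so the gateway behind NAT presents its private address while the peer expects the public one it sees, and only the explicit Local ID / Peer ID pair makes both directions validate. Gateway names, addresses and ID strings are constructed.

```python
"""Model of IKE Phase 1 identity matching when one gateway sits behind NAT.
Added example, not Sangfor/NGAF code; it models only the identity check."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Gateway:
    name: str
    wan_ip: str                          # address on the WAN interface
    expected_peer_ip: str                # Phase 1 peer address configured here
    nat_public_ip: Optional[str] = None  # public address an upstream NAT maps us to
    local_id: Optional[str] = None       # explicit Local ID; None = use WAN IP
    peer_id: Optional[str] = None        # explicit Peer ID expected; None = use peer IP

    def identity_sent(self) -> str:
        # With no explicit Local ID the WAN interface address is sent as the
        # IKE identity, even though NAT rewrites the packet's outer source.
        return self.local_id or self.wan_ip

    def source_ip_seen_by_peer(self) -> str:
        return self.nat_public_ip or self.wan_ip


def phase1_identity_check(initiator: Gateway, responder: Gateway) -> Tuple[bool, str]:
    """Responder validates the initiator: (ok, reason)."""
    if initiator.source_ip_seen_by_peer() != responder.expected_peer_ip:
        return False, f"{responder.name}: peer address mismatch"
    expected_id = responder.peer_id or responder.expected_peer_ip
    sent = initiator.identity_sent()
    if sent != expected_id:
        return False, f"{responder.name}: ID '{sent}' != expected '{expected_id}'"
    return True, f"{responder.name}: identity accepted"


def tunnel_check(a: Gateway, b: Gateway) -> bool:
    """Both directions must validate, hence a different error on each side."""
    return phase1_identity_check(a, b)[0] and phase1_identity_check(b, a)[0]


if __name__ == "__main__":
    # Constructed: NGAF A behind an ISP NAT router, NGAF B on a public address.
    a = Gateway("NGAF A", "192.168.10.2", "198.51.100.20", nat_public_ip="203.0.113.10")
    b = Gateway("NGAF B", "198.51.100.20", "203.0.113.10")
    print("default IDs:", phase1_identity_check(a, b), phase1_identity_check(b, a))
    a.local_id, a.peer_id = "ngaf-a.example", "ngaf-b.example"
    b.local_id, b.peer_id = "ngaf-b.example", "ngaf-a.example"
    print("explicit IDs:", tunnel_check(a, b))
```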