Here are the most common error messages when you are not able to establish an IPsec-VPN connection (Site to Site / End to Site).
These messages are visible in the "Monitor > Log" section of our firewalls.
Please use the category filter "IKE":
INVALID PAYLOAD TYPE: This means that the pre-shared key is not the same on both sides -> see Phase1.
NO PROPOSAL CHOSEN: The algorithms of phase 1 or phase 2 do not match.
LOCAL POLICY MISMATCH: The local policy object might be wrong or does not belong to the tunnel setup you chose. For example, the WAN Interface IP is wrong or the subnets conflict with each other.
REMOTE IP MISMATCH: Wrong IP entered on the remote site.
LOCAL ID MISMATCH: This means that an error has occurred in Phase 1 in the fields "Local ID Type / Content" and "Peer ID Type / Content". Check that they are correctly mirrored between the two routers, or between the router and the client (the local ID of one is the peer ID of the other, and vice versa).
NO SA FOUND: This means that the router receives IKE packets but does not find a matching tunnel.
AUTHENTICATION FAILED: This means that the extended authentication is activated on one of the two sides (see phase1, extended parameters).
IKE PACKET RETRANSMIT: This means there is no exchange between the two routers. This can be due to a number of reasons: a poorly configured IP address or a NAT redirection problem of the packets needed by the VPN (for example, if a modem router is in front of a USG).
You can enable/disable NAT Traversal (VPN Gateway, show hidden settings).
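The checks in the list above can be run against both sides' settings before bringing the tunnel up. The following is an added example, not firewall code or vendor tooling: the dictionary layout, field names and sample values are hypothetical and constructed for illustration, and the mapping from mismatch to log message follows the descriptions in the list above.

```python
import hmac
import ipaddress

def predict_ike_errors(a, b):
    """Compare two gateways' settings (hypothetical dict layout) and return the
    log messages from the list above that each mismatch is described as causing."""
    errors = []
    # Pre-shared key must be identical on both sides (constant-time compare).
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        errors.append("INVALID PAYLOAD TYPE")
    # Each phase needs at least one proposal in common.
    if any(not set(a[p]) & set(b[p]) for p in ("phase1", "phase2")):
        errors.append("NO PROPOSAL CHOSEN")
    # The local ID of one side must be the peer ID of the other, and vice versa.
    if a["local_id"] != b["peer_id"] or b["local_id"] != a["peer_id"]:
        errors.append("LOCAL ID MISMATCH")
    # Each side's configured remote address must be the other side's WAN IP.
    if a["remote_ip"] != b["wan_ip"] or b["remote_ip"] != a["wan_ip"]:
        errors.append("REMOTE IP MISMATCH")
    # Policies must mirror each other, and the two local subnets must not overlap.
    la, ra = (ipaddress.ip_network(a[k]) for k in ("local_net", "remote_net"))
    lb, rb = (ipaddress.ip_network(b[k]) for k in ("local_net", "remote_net"))
    if la != rb or lb != ra or la.overlaps(lb):
        errors.append("LOCAL POLICY MISMATCH")
    # Extended authentication enabled on only one of the two sides.
    if a["xauth"] != b["xauth"]:
        errors.append("AUTHENTICATION FAILED")
    return errors

# Constructed sample settings for two sites (not taken from a real device).
SITE_A = {
    "psk": "constructed-example-key", "xauth": False,
    "wan_ip": "198.51.100.10", "remote_ip": "203.0.113.20",
    "local_id": "site-a.example", "peer_id": "site-b.example",
    "phase1": ["AES256-SHA256-DH14"], "phase2": ["AES256-SHA256"],
    "local_net": "192.168.1.0/24", "remote_net": "192.168.2.0/24",
}
# Site B mirrors Site A, except that the IDs were copied instead of swapped.
SITE_B = dict(SITE_A, wan_ip="203.0.113.20", remote_ip="198.51.100.10",
              local_net="192.168.2.0/24", remote_net="192.168.1.0/24")

if __name__ == "__main__":
    print(predict_ike_errors(SITE_A, SITE_B))
```

An empty list means none of the checked settings disagree; IKE PACKET RETRANSMIT and NO SA FOUND depend on the network path and cannot be predicted from configuration alone.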