Technical Tip: How to bring up specific phase 2 selectors or all selectors of IPSec VPN from GUI

In v6.2, it is mandatory to go to Monitor -> IPsec Monitor to bring up the phase 2 selector of IPsec VPN via GUI as shown in the screenshot below.

From v6.4, it is possible to bring up from VPN -> IPsec Tunnels and select the status of VPN. For example, select the 'Inactive' status as shown below.

It will redirect to another Web page showing multiple phase 2 selectors columns as shown in the previous version, select the tunnel and bring up a specific phase 2 selector or all phase 2 selectors shown below.

Another method is to go under Dashboard -> Network -> IPsec. 

Note:

If a phase 2 selector did not come up after using the force bring-up option, check each device to see if the set phase 2 selector IP address or subnet mask is the same. Also, the bring-up option is not available for dial-up tunnels. 

If the Phase 2 tunnel is still down. Check the following.

• Confirm that the encryption and hash algorithms on both the receiver and the initiator are the same.
• Check to see if PFS is enabled, and if so, ensure that the configurations on both units match.
• Make sure the quick mode selectors (interesting traffic) are the same on both units.

If Phase-2 is still not operational, start the packet capture on port 500/4500. 

CLI method:

execute vpn ipsec tunnel up <Phase2 name>

diag vpn tunnel up <phase2 name>

Related articles: 

Technical Tip: How to bring the IPsec tunnel down from the CLI and GUI

Technical Tip: Manually Bring the IPsec Site-to-Site VPN UP

Technical Tip: How to view IPsec monitor directly from the VPN page on FortiGate to verify the status of phase1 and phase2