Nur
Staff
June 30, 2025

Troubleshooting Tip: How to fix an error related to domain config for VPN IPsec Phase1-Interface

Description

This article describes an issue where FortiManager pushes a VPN configuration containing the 'domain' command and the installation fails with an error.

 

------- Start to retry --------

XXXXXXX1 config vdom
XXXXXXX1 (vdom) edit vXXX
current vf=vXXX
XXXXXXX1 (vXXX) config vpn ipsec phase1-interface
XXXXXXX1 (phase1-interface) edit "RXXXX"
XXXXXXX1 (RXXXX) set domain "testing.com"
XXXXXXX1 (RXXXX) next
XXXXXXX1 (phase1-interface) end
XXXXXXX1 (vXXX) end

 

---> generating verification report
(vdom vdom-a: vpn ipsec phase1-interface "RXXXX":domain)
remote original:
to be installed: "testing.com"

<--- done generating verification report

 install failed

Scope

FortiManager and FortiGate.
Solution

To ensure FortiManager can push the config, check the IKE version used by the VPN. If the VPN config is using IKEv1, enable the domain as below:

 

config vpn ipsec phase1-interface
    edit "test"
        set type dynamic
        set mode-cfg enable
        set domain "testing.com" 
    next
end

 

If the VPN config is using IKEv2, it is not possible to enable the config, because IKEv2 does not support Unity extensions; therefore the 'set domain' configuration is not available for FortiOS IKEv2.

 

Hence, if the error above occurs, consider using IKEv1 rather than IKEv2.
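
A pre-install check for the condition described above, as an added example that is not part of the original article or any Fortinet tooling: it parses a FortiOS CLI script and lists the phase1-interface entries that combine 'set domain' with 'set ike-version 2'. The sample script, tunnel names and function names are constructed for illustration, and the check assumes an entry with no 'set ike-version' line is IKEv1.

```python
import shlex

# Constructed sample of a CLI script staged for install (not from the article).
SAMPLE = '''
config vpn ipsec phase1-interface
    edit "dialup-v1"
        set type dynamic
        set mode-cfg enable
        set domain "testing.com"
    next
    edit "dialup-v2"
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set domain "testing.com"
    next
end
'''
TABLE = ["config", "vpn", "ipsec", "phase1-interface"]

def parse_phase1(text):
    """Return {tunnel name: {option: value}} for each phase1-interface entry."""
    tunnels, in_table, current, depth = {}, False, None, 0
    for tok in map(shlex.split, text.splitlines()):
        if not tok:
            continue
        if not in_table:
            in_table = tok == TABLE
        elif depth or tok[0] == "config":   # sub-table inside one entry: skip it
            depth += (tok[0] == "config") - (tok[0] == "end")
        elif tok[0] == "edit" and len(tok) > 1:
            current = tunnels.setdefault(tok[1], {})
        elif tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            current = None
        elif tok[0] == "end":
            in_table = False
    return tunnels

def domain_on_ikev2(text):
    """Tunnels that set 'domain' while 'ike-version' is 2."""
    # Assumption: an entry without a 'set ike-version' line is IKEv1.
    return sorted(n for n, o in parse_phase1(text).items()
                  if "domain" in o and o.get("ike-version", "1") == "2")

if __name__ == "__main__":
    print(domain_on_ikev2(SAMPLE))
```

Running the check against the script or policy package export before installing identifies which tunnel needs 'set domain' removed or its IKE version changed.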