IPsec VPN issue

Forum|Forum|7 months ago
November 7, 2025
3 replies
488 views

We currently have an RA IPsec VPN that provides access to the production subnet. I have attempted to create a new RA IPsec VPN that provides access to the management subnet. I created a new VPN with different PSK, IPv4 client range, split tunnel subnet but everything else is configured the same. This was previously working but is no longer working.

I can see from the logs that Ike phase 1 is negotiation is not completing successfully, and I can see in the logs "SA proposal chosen, matched gateway XXXX", but I am trying to connect to gateway Y. I have compared all settings of VPN X and Y, and forticlient config of X and Y and everything appears to be correct.

I previously managed to get this VPN working as intended, but then had issues when trying to configure it for SAML authentication. All I did today was reverted back to local user but this never worked again. I have completely removed all configuration required and re-created but this is still failing

Production VPN peer ID is any, while the MGMT VPN peer ID is our public IP.

FortiGate 60-F running version 7.6.0

aidangregoryAuthor

New Member

Adding to this we have created an identical FW policy that uses the MGMT VPN interface/subnet + a new static route for the client IP subnet range using the VPN tunnel interface as default gateway

ebrlima

Staff

Please share your ipsec tunnel configuration and the output of:

diagnose vpn ike log filter name "phase1 name"

diagnose debug application ike -1

diagnose debug enable

ede_pfau

SuperUser

Nearly identical dial-up VPNs on the same public WAN IP need to be differentiated by a "peer ID". You didn't mention it, have you implemented it? 2 simple strings will do so that the FGT can decide which VPN a request is aimed at.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded