damianhlozano
Explorer II
October 23, 2025
Solved

P2P IPsec VPN stop passing traffic

  • October 23, 2025
  • 2 replies
  • 892 views

Hello team!!

 

We have 2 FortiGates in 2 different sites: an FGT80F in site1 and an FGT40F in site2.

I created a P2P IPsec VPN between both FortiGates some time ago (connected through the Internet).

This VPN was working fine for more than 2 years until now.

Recently I realized that although the VPN was up, I couldn't access anything in the other site through the VPN.

Both FortiGates have firmware 7.6.4.

In "Dashboard -> Network -> IPsec", I used the "Bring down -> Entire tunnel" option to "restart" the VPN.

After a few seconds, the VPN was up again and started to work (I could reach everything in the other site through the VPN).

After some time (less than 2 hours, I don't know exactly how long), the same issue happened and I "solved" it again by "restarting" the IPsec VPN, using the "Bring down -> Entire tunnel" option.

I can't see any related log.

Do you have any suggestion on how to diagnose why this happened?

We didn't change anything recently.

 

Thanks in advance.

Regards,

Damián

2 replies

stmz
Best answer
Visitor III
October 25, 2025

Hi,

Check if your IPsec phase 2 selector is also up when the traffic goes down.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-bring-up-specific-phase-2-selectors-or-all/ta-p/225675

If this is the case, you can enable auto-negotiate in the phase 2 configuration.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Phase1-is-up-yet-phase2-is-down-after-IKE/ta-p/384951

 

 

damianhlozano
Explorer II
October 26, 2025

Thank you stmz!!!

It seems that it only happened twice, because since the second time I restarted the VPN, it is still working.

I will try this if it happens again!

 

Regards,

Damián

damianhlozano
Explorer II
December 16, 2025

Hello team!!

 

The issue happened again today.

The following commands from the article did not show any output, nor did they bring it up.

execute vpn ipsec tunnel up <Phase2 name>

diag vpn tunnel up <phase2 name>

 

When I used the "Bring down -> Phase2 selector", the VPN started to pass traffic again.

 

The auto-negotiate option is not available on phase2-interface, but there is an option in the GUI.

(IPsec-DialUp) # show full-configuration

config vpn ipsec phase2-interface
    edit "IPsec-DialUp"
        set phase1name "IPsec-DialUp"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs enable
        set dhgrp 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set inbound-dscp-copy phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: IPsec-DialUp (Created by VPN wizard)"
        set diffserv disable
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

 

Thanks

Regards,

Damián
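As an added check for the situation in this thread (example code, not from the thread or from Fortinet): this Python script parses a `show full-configuration` dump of `config vpn ipsec phase2-interface` and reports selectors that have neither `auto-negotiate` nor `keepalive` enabled, the setting the accepted answer points to. The "Site2-P2" entry in the sample is constructed; the "IPsec-DialUp" entry is trimmed from the config posted above.

```python
# Constructed sample: "IPsec-DialUp" is trimmed from the config posted above;
# "Site2-P2" is a hypothetical entry that already has auto-negotiate enabled.
SAMPLE_CONFIG = """\
config vpn ipsec phase2-interface
    edit "IPsec-DialUp"
        set phase1name "IPsec-DialUp"
        set keepalive disable
    next
    edit "Site2-P2"
        set phase1name "Site2"
        set auto-negotiate enable
        set keepalive enable
    next
end
"""

def parse_phase2(text: str) -> dict[str, dict[str, str]]:
    """Parse the 'config vpn ipsec phase2-interface' table into {name: {key: value}}."""
    entries: dict[str, dict[str, str]] = {}
    current, in_block = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase2-interface":
            in_block = True          # only this table is of interest
        elif not in_block:
            continue                 # skip other tables in a full dump
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            entries[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")   # 'set dhgrp 14 5' -> ('dhgrp', '14 5')
            entries[current][key] = value.strip()
    return entries

def selectors_needing_attention(text: str) -> dict[str, list[str]]:
    """Flag selectors that will not renegotiate on their own (both options default to disable)."""
    findings: dict[str, list[str]] = {}
    for name, settings in parse_phase2(text).items():
        issues = []
        if settings.get("auto-negotiate", "disable") != "enable":
            issues.append("auto-negotiate not enabled")
        if settings.get("keepalive", "disable") != "enable":
            issues.append("keepalive disabled")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the output of `show full-configuration` taken from the FortiGate; any selector it lists is a candidate for the auto-negotiate change suggested in the accepted answer.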