This article describes how to make sure the FortiGate will act as a responder in site-to-site IPsec VPN

Generally, in Client to site VPN IPsec, FortiGate always acts as an initiator and the hub acts as a responder.

But in site-to-site IPsec VPN, FortiGate can act as a responder or initiator, using the passive-mode feature FortiGate will act always as a responder.

Scope FortiGate.

The feature 'passive-mode' in phase1 is used to make the FortiGate act as a responder during IKE negotiation.


# config vpn ipsec phase1-interface
    edit "ipsec-tunnel"
        set interface "wan1"
        set passive-mode enable
        set proposal aes128-sha256
        set dpd on-idle
        set dhgrp 5
        set remote-gw
        set psksecret ENC 4+3hg2hZ87dUd8GTo172Hl/wT+1GiPsGYPs0trS8c1nkMPbPOT5lctqkH46x3C4v1MjygX0uBKuWq/U/+/qcbSfuU4U565C9xRSSVmu+LrcR4Zeg/81NFZXqQZ9msZ/YxPmoG65lDTds




- When the passive-mode is disabled:


FGT # di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: ->
created: 394s ago
IKE SA: created 1/1 established 1/1 time 30/30/30 ms
IPsec SA: created 1/1 established 1/1 time 30/30/30 ms

id/spi: 6 19503eb0a35dd78d/999b40630df53284
direction: initiator
status: established 394-394s ago = 30ms
proposal: aes128-sha256
key: 5aba9233a7e7641e-d2f0c1a09162b38b
lifetime/rekey: 86400/85705
DPD sent/recv: 00000015/00000000

- After the passive-mode is enabled, the tunnel comes down locally and FortiGate sends a DELETE notification message to the remote side to re-negotiate the tunnel:


2023-01-28 22:27:43.599232 ike 0:ipsec-tunnel: update
2023-01-28 22:27:43.599240 ike 0:ipsec-tunnel: deleting
2023-01-28 22:27:43.599271 ike 0:ipsec-tunnel: flushing
2023-01-28 22:27:43.599307 ike 0:ipsec-tunnel: deleting IPsec SA with SPI 1c2b0d21
2023-01-28 22:27:43.599320 ike 0:ipsec-tunnel:ipsec-tunnel: deleted IPsec SA with SPI 1c2b0d21, SA count: 0
2023-01-28 22:27:43.599324 ike 0:ipsec-tunnel: sending SNMP tunnel DOWN trap for ipsec-tunnel
2023-01-28 22:27:43.599347 ike 0:ipsec-tunnel:6: send IPsec SA delete, spi 3b5d49b1
2023-01-28 22:27:43.599374 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF532840810050134E663FC000000500C000024E818BFD367C635B2A266C60630BD0706968CC2974A02C38A8
2023-01-28 22:27:43.599383 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF532840810050134E663FC0000005C00080327EAAE38E9A3FFD05E3398634A9A05D290D0052A0BD7E4632CB
2023-01-28 22:27:43.599399 ike 0:ipsec-tunnel:6: sent IKE msg (IPsec SA_DELETE-NOTIFY):>, len=92, id=19503eb0a35dd78d/999b40630df532
2023-01-28 22:27:43.599417 ike 0:ipsec-tunnel:ipsec-tunnel: sending SNMP tunnel DOWN trap
2023-01-28 22:27:43.599437 ike 0:ipsec-tunnel: flushed
2023-01-28 22:27:43.599456 ike 0:ipsec-tunnel:6: send IKE SA delete 19503eb0a35dd78d/999b40630df53284
2023-01-28 22:27:43.599477 ike 0:ipsec-tunnel:6: enc 19503EB0A35DD78D999B40630DF5328408100501ABF549680000005C0C000024165F22AFB564EA2AB72EF2880635A94AC1C32FFBDEF877F7F
2023-01-28 22:27:43.599484 ike 0:ipsec-tunnel:6: out 19503EB0A35DD78D999B40630DF5328408100501ABF549680000006CF317537B601B673B0D1B7CE3AE3F0BAD8AFE57E317D1BD9D2ADCC25C0
2023-01-28 22:27:43.599495 ike 0:ipsec-tunnel:6: sent IKE msg (ISAKMP SA DELETE-NOTIFY):>, len=108, id=19503eb0a35dd78d/999b40630df5
2023-01-28 22:27:43.599514 ike 0:ipsec-tunnel: deleted
2023-01-28 22:27:43.599518 ike 0:ipsec-tunnel: set oper down
2023-01-28 22:27:43.599550 ike 0:ipsec-tunnel: schedule auto-negotiate


After a successful IKE negotiation, the FortiGate starts acting as a responder:


FGT # di vpn ike gateway list

vd: root/0
name: ipsec-tunnel
version: 1
interface: wan1 25
addr: ->
created: 12s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

id/spi: 7 22c7cbb768c4cd2b/27215118f14c5f65
direction: responder
status: established 12-12s ago = 0ms
proposal: aes128-sha256
key: 4b2bd4d8dd4fbca0-e28d4a90c513075a
lifetime/rekey: 86400/86117
DPD sent/recv: 00000000/00000000