FortiGate
pmeet (Staff)
Article Id 275063
Description This article describes the case when FortiGate is not displaying any traffic in debug or sniffer while troubleshooting IPSec tunnel traffic.
Scope FortiOS.
Solution

There are scenarios where the IPsec tunnel traffic between the sites must be debugged to narrow down the root cause of an issue, or to verify which paths and policies the traffic is using for this communication.

When running an IKE debug and receiving no output, a filter may still be applied from a previous CLI session.
The current filter can be viewed by running 'diagnose vpn ike log filter list' on FortiOS 7.4 and later.
On FortiOS 7.2 and earlier, the command is 'diagnose vpn ike log-filter list' instead.

Here is the output with no filter set (screenshot: ikefilter.PNG).

To clear it, run 'diagnose vpn ike log filter clear' or 'diagnose vpn ike log-filter clear' depending on the version.

When trying to run a sniffer on the tunnel (e.g. the 'diagnose sniffer packet' command or the Packet Capture menu in the GUI), or when running a debug flow ('diagnose debug flow ...'), it may not be possible to see the traffic.

The reason for this behavior is that FortiGate offloads the IPsec traffic to the NPU, so the packets never reach the CPU-side code paths that the sniffer and debug flow observe.

To see this traffic, disable auto-asic-offload in the firewall policies associated with the tunnel interface, so that the traffic is processed by the CPU and becomes visible to the sniffer and debug flow.

 

config firewall policy
    edit 23
        show full-configuration | grep auto-asic    (check the current value; the default is 'set auto-asic-offload enable')
        set auto-asic-offload disable
    next
end

 

vpn 3.PNG

 

Here, policy ID 23 is the policy from the VPN interface to the LAN. Disable auto-asic-offload in both policies (VPN interface to LAN and LAN interface to VPN interface) to see the entire bidirectional flow of the traffic.
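Finding every policy on the tunnel interface that still offloads to the NPU by hand is error-prone on a firewall with many policies. The following added example (not part of the article or FortiOS) parses a policy dump, flags the policies in either direction that still have auto-asic-offload enabled, and emits the CLI to disable it; the interface names (ToHQ, port1, port2) and policy IDs are constructed assumptions.

```python
import re

# Constructed sample of 'show firewall policy' output (non-default values only);
# interface names and policy IDs are assumptions, not taken from the article.
SAMPLE_CONFIG = """\
config firewall policy
    edit 23
        set srcintf "ToHQ"
        set dstintf "port2"
    next
    edit 24
        set srcintf "port2"
        set dstintf "ToHQ"
        set auto-asic-offload disable
    next
    edit 25
        set srcintf "port2"
        set dstintf "port1"
    next
end
"""

def parse_policies(config_text):
    """Return {policy_id: {setting: value}} for each 'edit N' block."""
    policies, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'edit (\d+)$', line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line == 'next':
            current = None
        elif current is not None and line.startswith('set '):
            key, _, value = line[4:].partition(' ')
            current[key] = value.strip('"')
    return policies

def offloaded_tunnel_policies(config_text, tunnel_if):
    """IDs of policies using tunnel_if whose traffic is still offloaded (missing line = enabled)."""
    return sorted(pid for pid, p in parse_policies(config_text).items()
                  if tunnel_if in (p.get('srcintf'), p.get('dstintf'))
                  and p.get('auto-asic-offload', 'enable') == 'enable')

def fix_commands(config_text, tunnel_if):
    """CLI lines that disable offload on every policy flagged above."""
    lines = ['config firewall policy']
    for pid in offloaded_tunnel_policies(config_text, tunnel_if):
        lines += [f'    edit {pid}', '        set auto-asic-offload disable', '    next']
    return lines + ['end']
```

Run it against a real 'show firewall policy' dump captured from the CLI and paste the returned commands back once the capture is finished, remembering to re-enable offload afterwards.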

 

vpn 1.PNG