FortiGate
AnthonyH
Staff
Article Id 278502
Description This article describes how to determine from the CLI whether a FortiGate is the IKE initiator or the responder for an IPsec VPN tunnel.
Scope FortiGate
Solution

To determine which FortiGate is acting as the IKE initiator and which as the responder for a tunnel, run the following command on each peer and compare the direction field of the IKE SA:

diagnose vpn ike gateway list

Example output:

FortiGate 1:

vd: root/0
name: ipsec
version: 1
interface: port1 3
addr:
created: 51s ago
IKE SA: created 1/2  established 1/1  time 1640/1640/1640 ms
IPsec SA: created 0/0

  id/spi: 923 888200ea8ea025c9/ebc375ac5f914ca2
  direction: responder
  status: established 25-23s ago = 1640ms
  proposal: aes256-sha256
  key: bb378e79fc304664-42605bc5545ff882-5abb8d8378d21bbf-45eff916409de6e3
  lifetime/rekey: 86400/86106
  DPD sent/recv: 00000000/00000000

FortiGate 2:

vd: root/0
name: ipsec
version: 1
interface: port1 3
addr:
tun_id:
remote_location: 0.0.0.0
network-id: 0
created: 7s ago
IKE SA: created 1/1  established 1/1  time 1640/1640/1640 ms
IPsec SA: created 0/0

  id/spi: 771 888200ea8ea025c9/ebc375ac5f914ca2
  direction: initiator
  status: established 7-5s ago = 1640ms
  proposal: aes256-sha256
  key: bb378e79fc304664-42605bc5545ff882-5abb8d8378d21bbf-45eff916409de6e3
  lifetime/rekey: 86400/86094
  DPD sent/recv: 00000000/00000000

In the output above, the direction field of the IKE SA shows the role of each device: FortiGate 1 is the responder and FortiGate 2 is the initiator. Both devices list the same SPI pair (888200ea8ea025c9/ebc375ac5f914ca2), which confirms that the two outputs describe the same IKE SA; the id value in front of the SPIs is local to each device and differs between the peers.
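When this check has to be repeated across many tunnels or peers, the output can be parsed instead of read by eye. The following is an added example, not part of the article or FortiOS: a small parser for the gateway list format shown above, fed with the article's two outputs (trimmed to the relevant lines, key material omitted), plus a cross-check that two entries taken from the two peers describe the same IKE SA. The parsing rule it assumes is the one visible in the output: top-level lines describe the gateway, indented lines from id/spi onward describe one IKE SA.

```python
# Added example (not from the article): parse 'diagnose vpn ike gateway list'
# output and check which peer is the initiator. The samples below are the
# article's two outputs, trimmed to the relevant lines (key material omitted).
FGT1 = """vd: root/0
name: ipsec
version: 1
IKE SA: created 1/2  established 1/1  time 1640/1640/1640 ms

  id/spi: 923 888200ea8ea025c9/ebc375ac5f914ca2
  direction: responder
  status: established 25-23s ago = 1640ms
"""
FGT2 = """vd: root/0
name: ipsec
version: 1
IKE SA: created 1/1  established 1/1  time 1640/1640/1640 ms

  id/spi: 771 888200ea8ea025c9/ebc375ac5f914ca2
  direction: initiator
  status: established 7-5s ago = 1640ms
"""

def parse_ike_gateways(text):
    """Top-level 'key: value' lines describe a gateway (each starts at 'vd:');
    indented lines from 'id/spi:' onward describe one IKE SA under it."""
    gateways, gw, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue  # blank separator line
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vd":
            gw, sa = {"vd": value, "sas": []}, None
            gateways.append(gw)
        elif key == "id/spi":
            sa_id, _, spis = value.partition(" ")
            sa = {"id": sa_id, "spi": spis}  # spi = initiator_spi/responder_spi
            gw["sas"].append(sa)
        elif sa is not None and raw.startswith("  "):
            sa[key] = value
        elif gw is not None:
            gw[key] = value
    return gateways

def is_same_ike_sa(sa_a, sa_b):
    """Cross-check entries taken from the two peers: one IKE SA shows the same
    SPI pair on both devices, with one side initiator and the other responder."""
    roles = {sa_a.get("direction"), sa_b.get("direction")}
    return sa_a["spi"] == sa_b["spi"] and roles == {"initiator", "responder"}
```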
