Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Babitha_M
Staff
Staff

Created on ‎04-06-2023 03:11 AM Edited on ‎09-18-2024 08:57 PM By Community Manager

Article Id 251438

Technical Tip: How to bring the IPsec tunnel down from the CLI and GUI

Description This article describes how to bring the IPsec VPN tunnel down or up again through the CLI and GUI.
Scope FortiGate.
Solution

To bring up/down individual phase-2 in the CLI. Replace <phase1 name> and <phase2 name> with the actual phase1 and phase2 name respectively. In the example below, phase2 name is 'VPN-2'.

 

   diag vpn tunnel up <phase2 name>

   diag vpn tunnel down <phase2 name>

 

Example :

 

diag vpn tunnel up VPN-2      --> VPN-2 is the phase-2 tunnel <selectors>.
diag vpn tunnel down VPN-2

 

To bring down all phase2 selectors associated to a specific phase1:

 

   diag vpn tunnel flush <phase1 name>

 

To bring down a specific phase1:

 

   diag vpn ike gateway clear name <phase1 name> 

 

To bring the tunnel up or down from the GUI:

 

Navigate to Dashboard -> Network -> IPsec. 'Right-click' on the tunnel and select Bring UP/Bring Down as shown below: 

 

IPsec_monitor.PNG

 

Alternatively, refer to this article: Technical Tip: How to bring up specific phase 2 selectors or all selectors of IPSec VPN from GUI

 

To keep the IPsec tunnel down/disable state until the test, disable it from GUI and CLI:

 

  1. GUI example: Tunnel name: Internet.
    Go Network -> Interfaces -> Choose the tunnel 'right click', select option set status then choose to disable to bring down the tunnel.
                                   

2.png

 

Results:

 

3.png

 

From the earlier example, keep the internet IPsec tunnel down so it is possible to bring the tunnel up.

 

Discovery-kvm67 # con system interface

Discovery-kvm67 (interface) # edit internet

Discovery-kvm67 (internet) # show
config system interface
    edit "internet"
        set vdom "root"
        set ip 172.16.10.2 255.255.255.255
        set allowaccess ping
        set status down
        set type tunnel
        set remote-ip 172.16.10.1 255.255.255.255
        set snmp-index 17
        set interface "port1"
    next
end

Discovery-kvm67 (internet) # set status up

Discovery-kvm67 (internet) # show
config system interface
    edit "internet"
        set vdom "root"
        set ip 172.16.10.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 172.16.10.1 255.255.255.255
        set snmp-index 17
        set interface "port1"
    next
end

 

Results:

The tunnel is up now.

 

5.png

 

Related articles:

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: How to flush a VPN tunnel
27045
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.