mattchow_FTNT
Article Id 225675
Description This article describes how to bring up specific phase 2 selectors or all selectors of an IPsec VPN via the GUI.
Scope FortiGate v6.4 onwards.
Solution

In v6.2, it is mandatory to go to Monitor -> IPsec Monitor to bring up the phase 2 selector of IPsec VPN via GUI as shown in the screenshot below.

 

mattchow_FTNT_0-1664935018753.png

 

From v6.4, it is possible to bring up the selector from VPN -> IPsec Tunnels by selecting the status of the VPN. For example, select the 'Inactive' status as shown below.

 

mattchow_FTNT_1-1664935033147.png

 

It will redirect to another web page showing the multiple phase 2 selector columns, as in the previous version. Select the tunnel and bring up a specific phase 2 selector or all phase 2 selectors, as shown below.

 

mattchow_FTNT_2-1664935033152.png

 

Another method is to go to Dashboard -> Network -> IPsec.

 

network-ipsec.PNG

 

Note:

If a phase 2 selector does not come up after using the force bring-up option, check on each device whether the configured phase 2 selector IP address or subnet mask is the same. Also, the bring-up option is not available for dial-up tunnels.

 

If the phase 2 tunnel is still down, check the following:

  • Confirm that the encryption and hash algorithms on both the receiver and the initiator are the same.
  • Check to see if PFS is enabled, and if so, ensure that the configurations on both units match.
  • Make sure the quick mode selectors (interesting traffic) are the same on both units.
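
The three checks above can be run offline against the phase 2 configuration exported from each unit. The Python sketch below is an added example, not code from the article or from Fortinet; the two configurations are constructed samples and the function names are hypothetical. It assumes a proposal or DH group matches when the peers share at least one value, and it compares selectors mirrored (local source against peer destination).

```python
# Constructed samples (not from the article): trimmed output of
# "show full-configuration vpn ipsec phase2-interface" on each peer.
SITE_A = '''config vpn ipsec phase2-interface
    edit "to-b-p2"
        set proposal aes256-sha256 aes128-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end'''
SITE_B = '''config vpn ipsec phase2-interface
    edit "to-a-p2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 5
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end'''

def parse_phase2(text):
    """Return {phase2 name: {key: [values]}} for each edit block."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("edit "):
            current = entries.setdefault(line[5:].strip('"'), {})
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            _, key, *values = line.split()
            current[key] = [v.strip('"') for v in values]
    return entries

def mismatches(local, peer):
    """Name the settings from the checklist that disagree between peers."""
    found = []
    if not set(local.get("proposal", [])) & set(peer.get("proposal", [])):
        found.append("proposal")
    if local.get("pfs") != peer.get("pfs"):
        found.append("pfs")
    elif local.get("pfs") == ["enable"] and not (
            set(local.get("dhgrp", [])) & set(peer.get("dhgrp", []))):
        found.append("dhgrp")
    # Selectors are compared mirrored: local source vs peer destination.
    for mine, theirs in (("src-subnet", "dst-subnet"), ("dst-subnet", "src-subnet")):
        if local.get(mine) != peer.get(theirs):
            found.append(f"{mine} vs peer {theirs}")
    return found
```

For the constructed samples, `mismatches(parse_phase2(SITE_A)["to-b-p2"], parse_phase2(SITE_B)["to-a-p2"])` reports the DH group and the subnet mask of one selector.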

 

If phase 2 is still not operational, start a packet capture on port 500/4500.

 

CLI method:

 

execute vpn ipsec tunnel up <Phase2 name>

diag vpn tunnel up <phase2 name>

 

Related articles: 

Technical Tip: How to bring the IPsec tunnel down from the CLI and GUI

Technical Tip: Manually Bring the IPsec Site-to-Site VPN UP

Technical Tip: How to view IPsec monitor directly from the VPN page on FortiGate to verify the statu...