Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mattchow_FTNT
Staff
Staff

Created on ‎10-04-2022 09:36 PM Edited on ‎01-29-2025 01:18 AM By Community Manager

Article Id 225675

Technical Tip: How to bring up specific phase 2 selectors or all selectors of IPSec VPN from GUI

Description This article describes how to bring up specific phase 2 selectors or all selectors of IPSec VPN via GUI.
Scope FortiGate v6.4 onwards.
Solution

In v6.2, it is mandatory to go to Monitor -> IPsec Monitor to bring up the phase 2 selector of IPsec VPN via GUI as shown in the screenshot below.

 

mattchow_FTNT_0-1664935018753.png

 

From v6.4, it is possible to bring up from VPN -> IPsec Tunnels and select the status of VPN. For example, select the 'Inactive' status as shown below.

 

mattchow_FTNT_1-1664935033147.png

 

It will redirect to another Web page showing multiple phase 2 selectors columns as shown in the previous version, select the tunnel and bring up a specific phase 2 selector or all phase 2 selectors shown below.

 

mattchow_FTNT_2-1664935033152.png

 

Another method is to go under Dashboard -> Network -> IPsec

 

network-ipsec.PNG

 

Note:

If a phase 2 selector did not come up after using the force bring-up option, check each device to see if the set phase 2 selector IP address or subnet mask is the same. Also, the bring-up option is not available for dial-up tunnels. 

 

If the Phase 2 tunnel is still down. Check the following.

  • Confirm that the encryption and hash algorithms on both the receiver and the initiator are the same.
  • Check to see if PFS is enabled, and if so, ensure that the configurations on both units match.
  • Make sure the quick mode selectors (interesting traffic) are the same on both units.

 

If Phase-2 is still not operational, start the packet capture on port 500/4500. 

 

CLI method:

 

execute vpn ipsec tunnel up <Phase2 name>

diag vpn tunnel up <phase2 name>

 

Related articles: 

Technical Tip: How to bring the IPsec tunnel down from the CLI and GUI

Technical Tip: Manually Bring the IPsec Site-to-Site VPN UP

Technical Tip: How to view IPsec monitor directly from the VPN page on FortiGate to verify the statu...
Labels:
6648
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.