Description
Scope
FortiGate v6.2 or higher.
Solution
The following are the IP address information for both FortiGates.
Device |
FortiGate - I |
FortiGate - II |
Wan IP | 172.25.176.62 | 172.25.177.46 |
LAN IP | 192.168.65.0/24 | 192.168.13.0/24 |
Select the appropriate option in this section for 'Authentication Method', 'IKE' version, 'Transport', 'NAT Traversal', etc.
The 'Transport' option is new at v7.6.x and it is available for IKE version 2.
Move to the next section to configure the Remote Gateway and Remote Subnet.
Select 'next' and move to the next section.
In this section, the 'Outgoing interface', 'Local interface', and 'Local subnets that can access VPN' is configured. Select 'Next'.
After Review the configuration template can be submitted.
The Configuration is complete and once the remote side configuration is done correctly the tunnel is expected to come up and actively pass encrypted traffic.
Verification:
To verify if the LAN subnets can reach each other over the VPN tunnel, initiate an ICMP echo from either side.
Troubleshooting:
If the tunnel UP is not visible, raise a support ticket. It will be helpful to collect the following debug output:
Debug commands:
diag vpn tunnel list
diag vpn ike filter clear
diag vpn ike log-filter dst-addr4 x.x.x.x <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable
Debugs for v7.4.x and v7.6.x firmware version:
diag debug reset
diag vpn ike filter clear
diag vpn ike log filter rem-addr4 x.x.x.x {x.x.x.x} <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable
To Stop the debugs logs:
diag debug disable
diag debug reset
Open another CLI and run the packet capture commands below.
Packet capture:
diag sniffer packet any "host <x.x.x.x> and port 500 or port 4500" 4 0 a <----- Where x.x.x.x is the WAN IP of the remote site.
Once the commands are executed, try to bring the tunnel UP from the GUI (VPN -> IPsec Monitor -> Bring UP or with the command):
diagnose vpn tunnel up “vpn_tunnel_nam <----- Where 'vpn_tunnel_name' is the phase1 name of the respective VPN tunnel.
Once the debugs are collected, stop the debug with the command:
diag debug disable
diag debug reset
Attach the complete output to the ticket along with the config files of both the FortiGates.
Related documents:
Technical Note: Use of Black hole route in site to site IPsec VPN scenarios
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Troubleshooting Tip: IPsec VPNs tunnels
Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
Technical Tip: NAT-traversal comparison between site-to-site and dial-up” dynamic” tunnels
Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
Technical Note: Dynamic routing (BGP) over IPsec tunnel
Technical Tip: OSPF with IPSec VPN for network redundancy
Technical Tip: Dynamic dial-up VPN with OSPF
Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
Technical Tip: 'set net-device' new route-based IPsec logic
Technical Tip: Simple OCVPN deployment
Technical Tip: SD-WAN integration with OCVPN
Technical Tip: Configure IPsec VPN with SD-WAN
Technical Tip: SD-WAN with DDNS type IPsec
Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel
Note:
Versions 5.0 up to 6.4 are out of engineering support. So these commands might be different on higher versions. Consider upgrading the firmware level on the device to a supported version (7.0 up to 7.6). Here check the firmware path and compatibility depending on the hardware: Upgrade tool.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.