Description
Scope
FortiGate 6.2 or higher.
Solution
The following is the IP address information for both FortiGates.

| Device | FortiGate - I | FortiGate - II |
|---|---|---|
| WAN IP | 172.25.176.62 | 172.25.177.46 |
| LAN IP | 192.168.65.0/24 | 192.168.13.0/24 |
To create an IPsec VPN tunnel on the FortiGate device, select VPN -> IPsec Wizard and enter the tunnel name.
Select the Template Type as Site to Site, the 'Remote Device Type' as FortiGate, and select NAT Configuration as No NAT between sites.
![](/legacyfs/online/images/kb_3383_1.png)
In the Authentication step, set IP Address to the WAN IP address of the remote FortiGate (in the example, 172.25.177.46).
![](/legacyfs/online/images/kb_3383_2.png)
Set Internet Access to None.
![](/legacyfs/online/images/kb_3383_3.png)
![](/legacyfs/online/images/kb_3383_4.png)
![](/legacyfs/online/images/kb_3383_5.png)
![](/legacyfs/online/images/kb_3383_6.png)
![](/legacyfs/online/images/kb_3383_7.png)
![](/legacyfs/online/images/kb_3383_8.png)
To create a new IPsec VPN tunnel, connect to FGT-II, go to VPN > IPsec Wizard, and create a new tunnel.
In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.
![](/legacyfs/online/images/kb_3383_9.png)
After the IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
![](/legacyfs/online/images/kb_3383_10.png)
![](/legacyfs/online/images/kb_3383_11.png)
![](/legacyfs/online/images/kb_3383_12.png)
![](/legacyfs/online/images/kb_3383_13.png)
Verification:
To verify whether the LAN subnets can reach each other over the VPN tunnel, initiate an ICMP echo (ping) from either side.
![](/legacyfs/online/images/kb_3383_14.png)
Troubleshooting:
If the tunnel does not come UP, raise a support ticket. It will help to collect the following debug output:
Debug commands:
diag vpn tunnel list
diag vpn ike filter clear
diag vpn ike log-filter dst-addr4 x.x.x.x <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable
Debugs for 7.4.x and 7.6.x firmware versions:
diag debug reset
diag vpn ike filter clear
diag vpn ike log filter rem-addr4 x.x.x.x <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable
To stop the debug logs:
diag debug disable
diag debug reset
Open another CLI and run the packet capture commands below.
Packet capture:
diag sniffer packet any "host x.x.x.x and (port 500 or port 4500)" 4 0 a <----- Where x.x.x.x is the WAN IP of the remote site. The parentheses keep the host match applied to both IKE ports (500 and 4500, NAT-T).
Once the commands are running, bring the tunnel UP from the GUI (VPN -> IPsec Monitor -> Bring Up) or with the command:
diagnose vpn tunnel up "vpn_tunnel_name" <----- Where 'vpn_tunnel_name' is the phase1 name of the respective VPN tunnel.
Once the debugs are collected, stop the debug with the command:
diag debug disable
diag debug reset
Attach the complete output to the ticket along with the configuration files of both FortiGates.
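The following is an added example, not code from the Fortinet article: it takes the address table above, derives the mirrored tunnel parameters each FortiGate needs (the remote WAN IP for the Authentication step and the local/remote subnets), rejects overlapping LAN subnets (which the "No NAT between sites" template cannot route), and fills the remote WAN IP into the per-firmware IKE log filter and sniffer lines from the troubleshooting section. The site names and the `tunnel_params`/`debug_commands` helpers are assumptions made for the example.

```python
# Added example (not from the Fortinet KB article): mirror the site-to-site
# parameters for both FortiGates from the address table, check that the LANs
# do not overlap, and build the debug/sniffer lines with the remote WAN IP.
import ipaddress

# Addresses taken from the article's table; site names are assumed labels.
SITES = {
    "FortiGate-I":  {"wan": "172.25.176.62", "lan": "192.168.65.0/24"},
    "FortiGate-II": {"wan": "172.25.177.46", "lan": "192.168.13.0/24"},
}


def tunnel_params(local, remote, sites=SITES):
    """Return the values one side needs for a No-NAT site-to-site tunnel.

    Raises ValueError when the two LANs overlap: traffic between overlapping
    subnets cannot be routed across the tunnel without NAT.
    """
    local_lan = ipaddress.ip_network(sites[local]["lan"])
    remote_lan = ipaddress.ip_network(sites[remote]["lan"])
    if local_lan.overlaps(remote_lan):
        raise ValueError(f"LAN subnets overlap: {local_lan} vs {remote_lan}")
    return {
        "remote_gw": sites[remote]["wan"],   # Authentication step: remote WAN IP
        "local_subnet": str(local_lan),      # phase2 source selector
        "remote_subnet": str(remote_lan),    # phase2 destination selector
    }


def debug_commands(local, remote, firmware="7.4", sites=SITES):
    """Build the IKE log filter and sniffer lines for the side being debugged.

    The filter keyword differs by firmware family, as the article lists:
    'log-filter dst-addr4' on older releases, 'log filter rem-addr4' on
    7.4.x/7.6.x. The peer is always the remote site's WAN IP.
    """
    peer = str(ipaddress.ip_address(sites[remote]["wan"]))  # validates the IP
    if firmware.startswith(("7.4", "7.6")):
        ike_filter = f"diag vpn ike log filter rem-addr4 {peer}"
    else:
        ike_filter = f"diag vpn ike log-filter dst-addr4 {peer}"
    # Parentheses keep the host match applied to both IKE ports (500, 4500).
    sniffer = (f'diag sniffer packet any "host {peer} and '
               f'(port 500 or port 4500)" 4 0 a')
    return [ike_filter, "diag debug application ike -1", sniffer]
```

Run `debug_commands("FortiGate-II", "FortiGate-I", "7.0")` to get the lines for the second FortiGate with the first one's WAN IP filled in.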
Related documents:
Technical Note: Use of Black hole route in site to site IPsec VPN scenarios
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Troubleshooting Tip: IPsec VPNs tunnels
Technical Tip: Setting multiple DNS server for IPSec dial-up VPN
Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels
Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication
Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations
Technical Note: Dynamic routing (BGP) over IPsec tunnel
Technical Tip: OSPF with IPSec VPN for network redundancy
Technical Tip: Dynamic dial-up VPN with OSPF
Technical Tip: Fortinet Auto Discovery VPN (ADVPN)
Technical Tip: 'set net-device' new route-based IPsec logic
Technical Tip: Simple OCVPN deployment
Technical Tip: SD-WAN integration with OCVPN
Technical Tip: Configure IPsec VPN with SD-WAN
Technical Tip: SD-WAN with DDNS type IPsec
Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario
Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode
Technical Tip: How to configure IPsec VPN Tunnel using IKE v2
Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel
Note:
Versions 5.0 up to 6.4 are out of engineering support, so these commands might differ on newer versions. Consider upgrading the firmware on the device to a supported version (7.0 up to 7.6). Check the firmware upgrade path and compatibility for the hardware with the Upgrade tool.