msingh_FTNT
Staff
Article Id 329911
Description

This article describes how to enable IKE debugging for a single VPN peer.
Scope

FortiGate v7.0.

FortiGate v7.2.

FortiGate v7.4.

FortiGate v7.6.

Solution

If multiple IPsec tunnels are configured, the IPsec VPN (IKE) debug output can be restricted to a single peer instead of showing every tunnel at once.

FortiGate-60E # diagnose vpn ike log-filter
list          Display the current filter.
clear         Erase the current filter.
name          Phase1 name to filter by.
src-addr4     IPv4 source address range to filter by.
msrc-addr4    Multiple IPv4 source addresses to filter by.
dst-addr4     IPv4 destination address range to filter by.
mdst-addr4    Multiple IPv4 destination addresses to filter by.
src-addr6     IPv6 source address range to filter by.
msrc-addr6    Multiple IPv6 source addresses to filter by.
dst-addr6     IPv6 destination address range to filter by.
mdst-addr6    Multiple IPv6 destination addresses to filter by.
src-port      Source port range to filter by.
dst-port      Destination port range to filter by.
vd            Index of virtual domain. -1 matches all.
interface     Interface that the IKE connection is negotiated over.
negate        Negate the specified filter parameter.

FortiGate-60E # diagnose vpn ike log-filter dst-addr4 1.1.1.

FortiGate-60E # di debug application ike -1
Debug messages will be on for 30 minutes.

FortiGate-60E # diagnose debug enable

With the 'dst-addr4' or 'tunnel' keyword, the debug output can be limited to a single VPN gateway or a single IPsec tunnel respectively.

Note: Starting from v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.


To turn off the currently enabled settings, use these commands:


FortiGate-60E # diagnose debug disable

FortiGate-60E # diagnose debug reset
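As an added example (not part of this article and not Fortinet code), the following hypothetical Python helper assembles the command sequence shown above for a single-peer IKE debug session: it selects the pre-7.4.1 'log-filter dst-addr4' or the post-7.4.1 'log filter rem-addr4' syntax from the firmware version, validates the peer address so that an incomplete value (for example a missing last octet) is rejected before it is typed into the CLI, and appends the teardown commands. The version cutoff and command strings are taken from the article; the function names are assumptions.

```python
import ipaddress
from typing import List, Tuple

# From the article: starting with FortiOS 7.4.1 the per-peer filter syntax
# changed from 'diagnose vpn ike log-filter dst-addr4' to
# 'diagnose vpn ike log filter rem-addr4'.
FILTER_SYNTAX_CHANGE = (7, 4, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'v7.4.1' or '7.2' into a comparable (major, minor, patch) tuple."""
    parts = version.lstrip("v").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def peer_filter_command(version: str, peer_ip: str) -> str:
    """Return the filter command that limits IKE debug output to one peer.

    The address is validated first: an incomplete value such as '1.1.1.'
    raises ipaddress.AddressValueError (a ValueError) instead of producing
    a filter that silently matches nothing.
    """
    addr = ipaddress.IPv4Address(peer_ip)
    if parse_version(version) >= FILTER_SYNTAX_CHANGE:
        return f"diagnose vpn ike log filter rem-addr4 {addr}"
    return f"diagnose vpn ike log-filter dst-addr4 {addr}"


def debug_session(version: str, peer_ip: str) -> List[str]:
    """Full sequence: set the peer filter, enable IKE debug, then tear down."""
    return [
        peer_filter_command(version, peer_ip),
        "diagnose debug application ike -1",  # auto-expires after 30 minutes
        "diagnose debug enable",
        # ... reproduce the tunnel negotiation and collect output here ...
        "diagnose debug disable",
        "diagnose debug reset",
    ]
```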