princes
Staff
Article Id 370560
Description This article helps to bring the IPsec tunnel up when the IKE debug shows the error 'duplicate name detected on name insert'.
Scope FortiGate.
Solution

During IPsec configuration on FortiGate, the tunnel sometimes remains down even though the configuration is correct.

Traffic on UDP port 500 can be seen flowing in both directions, yet phase 1 remains down.

This can be caused by a string pattern match issue with another tunnel name.

The first step is to flush the IKE gateway on the FortiGate. If phase 1 of the tunnel stays down, run the IKE debug:

ike 7:0d9c5d80d68930f9/0000000000000000:7721771: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: negotiation result
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: proposal id = 1:
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: protocol id = ISAKMP:
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: trans_id = KEY_IKE.
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: encapsulation = IKE/none
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=256
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: type=OAKLEY_HASH_ALG, val=SHA2_256.
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: type=OAKLEY_GROUP, val=MODP1024.
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: ISAKMP SA lifetime=86400
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: SA proposal chosen, matched gateway C_P
ike 7:C_P: created connection: 0x10119290 0 205.200.8.221->121.243.5.33:500.
ike 7:C_P: duplicate connection detected on name insert, dropping this connection
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: failed to create a connection

 

The debug output above shows that the IKE session was flushed due to a name string overlap. The only solution in this case is to delete the tunnel configuration and recreate it. After the new tunnel is created, it should come up on both phases. Make sure the UDP traffic (on port 500) can be seen in both the inbound and outbound directions.
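
To spot this condition in a saved IKE debug capture, the following added example (not part of the original article or any Fortinet tooling) extracts each connection dropped with the duplicate-name message and lists other configured tunnel names that overlap with it. The tunnel list is constructed for illustration, and the substring overlap rule is an assumption, since the article does not specify how names are matched.

```python
import re

# Lines copied from the article's IKE debug output.
SAMPLE_DEBUG = """\
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: SA proposal chosen, matched gateway C_P
ike 7:C_P: created connection: 0x10119290 0 205.200.8.221->121.243.5.33:500.
ike 7:C_P: duplicate connection detected on name insert, dropping this connection
ike 7:0d9c5d80d68930f9/0000000000000000:7721771: failed to create a connection
"""

# Constructed phase-1 name list for illustration (only C_P comes from the article).
SAMPLE_TUNNELS = ["C_P", "C_P_BACKUP", "HQ", "BRANCH1"]

CREATED = re.compile(r"^ike \d+:(?P<gw>[^:]+): created connection: \S+ \d+ "
                     r"(?P<src>[\d.]+)->(?P<dst>[\d.]+):(?P<port>\d+)")
DUPLICATE = re.compile(r"^ike \d+:(?P<gw>[^:]+): duplicate connection detected on name insert")


def find_duplicate_name_drops(debug_text):
    """Return one record per connection dropped with the duplicate-name error."""
    last_created = {}  # gateway name -> details of its latest 'created connection' line
    drops = []
    for line in debug_text.splitlines():
        line = line.strip()
        m = CREATED.match(line)
        if m:
            last_created[m["gw"]] = m.groupdict()
            continue
        m = DUPLICATE.match(line)
        if m:
            info = last_created.get(m["gw"], {})
            drops.append({"gateway": m["gw"], "src": info.get("src"),
                          "dst": info.get("dst"), "port": info.get("port")})
    return drops


def overlapping_names(name, all_names):
    """Other tunnel names that contain, or are contained in, `name` (assumed rule)."""
    return sorted(n for n in all_names if n != name and (name in n or n in name))


if __name__ == "__main__":
    for drop in find_duplicate_name_drops(SAMPLE_DEBUG):
        print(drop, "overlaps:", overlapping_names(drop["gateway"], SAMPLE_TUNNELS))
```
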

 

Related article

Troubleshooting Tip: IPsec VPNs tunnels