FortiGate
sagha (Staff)
Article Id 217330
Description

This article describes how to handle a scenario where the IPsec tunnel is up and traffic appears to leave the FortiGate but never reaches the remote end.

This article applies to all of the scenarios below:

  1. FortiGate =====IPsec Tunnel===== FortiGate
  2. FortiGate VM =====IPsec Tunnel===== FortiGate
  3. FortiGate =====IPsec Tunnel===== Third-party device

Scope

FortiGate.
Solution

Follow these steps:

  1. Verify which IPsec ports are in use on the FortiGate with the following commands:

diagnose vpn ike gateway list name <tunnel_name>
diagnose vpn tunnel list name <tunnel_name>

  2. If port 500 is in use, try switching the connection to port 4500 by forcing NAT Traversal:

config vpn ipsec phase1-interface
    edit "VPN-Phase1"
        set nattraversal forced
end

Make sure NAT Traversal is also enabled on the remote end if it is a third-party device.

  3. Flush the tunnel:

diagnose vpn tunnel flush <tunnel_name>
diagnose vpn ike gateway flush name <tunnel_name>

Or:

diagnose vpn ike gateway clear name <tunnel_name>

  4. Verify whether the connection is now established on port 4500 using the same commands as in step 1.

    Note: On cloud platforms such as Azure, it is recommended to use NAT-T for the IPsec VPN so that the traffic passes through the Azure load balancer.
    Refer to this article: Technical Tip: IPSec tunnel is established but unable to pass the traffic on Azure.

  5. Check whether traffic is sent and received over the VPN tunnel on both ends. Run a debug flow and packet captures on both FortiGates, filtered on the end-host IP addresses.

  6. Check whether the route to the destination points at the tunnel interface using the command below:

    get router info routing-table details <destination-ip>

    If the static route is configured with a "Named Address" and the routing table shows it via a physical interface, try configuring it with the specific subnet instead.

Assume the following topology:

Host X (x.x.x.x) -> FGT-A ====(IPsec VPN)==== FGT-B -> Host Y (y.y.y.y)

For the debug flow, run the following commands:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug flow filter addr x.x.x.x y.y.y.y and
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

To stop the debug:

diagnose debug disable
diagnose debug reset

For the packet capture, run:

diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 l

To stop the capture, press Ctrl + C.

After starting the above commands in the SSH session, initiate traffic from source IP x.y.x.x to destination IP y.y.y.y.

Always take a packet capture for the destination network as well:

Run the sniffer for the destination address. In this setup, the destination address is the SSL VPN IP after connecting to the VPN.

diagnose sniffer packet any "host y.y.y.y" 4 0 l

where y.y.y.y is the destination IP.

Useful commands:

diagnose vpn tunnel list
get router info routing-table database
get router info routing-table details b.b.b.b <----- where b.b.b.b is the source IP address
get router info routing-table details y.y.y.y <----- where y.y.y.y is the destination IP address
get router info routing-table all
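As an added example (not part of this article or of FortiOS), the following Python script parses constructed sample output in the format of the two commands from step 1 and flags the two conditions this article looks for: IKE still negotiating on UDP/500, and a tunnel whose encrypted packet counter (txp) grows while nothing is received (rxp stays at 0). The field names follow FortiOS output; the addresses, counters and exact layout are assumptions.

```python
import re

# Constructed sample output: field names follow FortiOS 'diagnose vpn ike gateway
# list name' and 'diagnose vpn tunnel list name'; addresses and counters are made up.
IKE_OUTPUT = """\
name: VPN-Phase1
version: 2
interface: port1 5
addr: 198.51.100.10:500 -> 203.0.113.5:500
nat: none
"""

TUNNEL_OUTPUT = """\
name=VPN-Phase1 ver=2 serial=1 198.51.100.10:0->203.0.113.5:0 tun_id=203.0.113.5 dst_mtu=1500
stat: rxp=0 txp=1532 rxb=0 txb=184040
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-Phase2 proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.1.0/255.255.255.0:0
  dst: 0:10.2.2.0/255.255.255.0:0
"""

def parse_ike_gateway(text):
    """Return (local_port, remote_port) from the 'addr:' line of the IKE gateway listing."""
    m = re.search(r"^addr:\s*\S+:(\d+)\s*->\s*\S+:(\d+)", text, re.M)
    if not m:
        raise ValueError("no 'addr:' line in IKE gateway output")
    return int(m.group(1)), int(m.group(2))

def parse_tunnel_stats(text):
    """Return rx/tx packet counters and the NAT-T mode from the tunnel listing."""
    stat = re.search(r"^stat:\s*rxp=(\d+)\s+txp=(\d+)", text, re.M)
    natt = re.search(r"^natt:\s*mode=(\S+)", text, re.M)
    if not stat or not natt:
        raise ValueError("'stat:' or 'natt:' line missing in tunnel output")
    return {"rxp": int(stat.group(1)), "txp": int(stat.group(2)), "natt": natt.group(1)}

def assess(ike_text, tunnel_text):
    """Apply this article's checks; an empty list means nothing looks wrong."""
    local_port, remote_port = parse_ike_gateway(ike_text)
    stats = parse_tunnel_stats(tunnel_text)
    findings = []
    # Steps 1-2: IKE still on UDP/500 -> candidate for 'set nattraversal forced' (UDP/4500).
    if local_port == 500 and remote_port == 500:
        findings.append("IKE on UDP/500, NAT-T mode '%s': try forcing NAT-T (UDP/4500)" % stats["natt"])
    # Step 5: packets encrypted and sent but none received -> traffic leaves, nothing returns.
    if stats["txp"] > 0 and stats["rxp"] == 0:
        findings.append("txp=%d but rxp=0: traffic leaves this side only; capture on the remote end" % stats["txp"])
    return findings
```

Feed it the real output of the two commands (captured from an SSH session) to get the same two checks against a live tunnel.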

 

Related article:

Troubleshooting Tip: First steps to troubleshoot connectivity problems to or through a FortiGate wit...