Article Id 312548
Description This article describes a working configuration for a site-to-site VPN between a SonicWall and a FortiGate behind Starlink CGNAT, a setup that consistently encounters issues in both Phase 1 and Phase 2 negotiations.
Scope FortiOS, FortiGate, SonicWall, CGNAT Starlink.

First, make sure that the basic configuration matches on both sides, using this article.


If the basic configuration from the above article does not bring the IPsec tunnel up, the following changes must be made on both sides of the tunnel:


  1. Enable Forced NAT Traversal (NAT-T) on both sites under VPN -> IPsec Tunnels.




  2. Switch to IKEv1 -> Aggressive Mode.


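The two GUI changes above, expressed as the equivalent FortiOS CLI on the FortiGate side. This is an added example, not configuration taken from the original article: the tunnel name, interface, local ID, and remote gateway address are hypothetical placeholders, and the lines starting with # are annotations to drop before pasting.

```fortios
# Phase 1 on the FortiGate behind Starlink CGNAT (names and addresses are assumptions)
config vpn ipsec phase1-interface
    edit "to-sonicwall"
        # Assumed WAN port facing the Starlink router
        set interface "wan1"
        # Step 2: IKEv1 in aggressive mode
        set ike-version 1
        set mode aggressive
        # Step 1: force UDP encapsulation even if NAT detection would not trigger it
        set nattraversal forced
        # Aggressive mode identifies the peer by ID rather than by its (translated) source IP.
        # The SonicWall side must expect the same identifier.
        set localid "fgt-starlink"
        # Constructed documentation address standing in for the SonicWall public IP
        set remote-gw 203.0.113.10
        # Aggressive mode exposes the PSK-derived hash to anyone observing the exchange,
        # so use a long random key
        set psksecret <pre-shared-key>
    next
end

# After negotiation, confirm the gateway is established; with forced NAT-T
# the peer addresses are expected to show UDP port 4500
diagnose vpn ike gateway list name to-sonicwall
```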


Test the tunnel. If it still shows as offline, refer to this article to enable MTU override and disable Anti-Replay.


If the issue persists, contact TAC and share the log output from the following debug commands:


diagnose vpn ike log filter dst-addr4 <remote_peer_IP>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable

Related article:

Technical Tip: Explaining IPsec Anti-replay and preventing packet drops.