Nishtha_Baria
Article Id 358959
Description

This article describes why one of the Phase 2 selectors is not present in the IPSec monitor.

Scope
FortiGate.
Solution

In some cases, an IPSec tunnel may include more than one Phase 2 selector. The IPSec monitor can be used to confirm that the tunnel and all of its Phase 2 selectors are up. However, one of the Phase 2 selectors may be missing from the IPSec monitor, as in the screenshot below:

 

monitor.PNG

 

The screenshot below shows that 3 Phase 2 selectors are configured on this IPSec tunnel:

 

phase2.PNG

 

From the CLI, checking the Phase 1 tunnel shows that the same Phase 2 selector is still missing: only two proxy IDs are listed (proxyid_num=2) although three selectors are configured:

diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPsecTunnel ver=1 serial=1 10.9.11.193:0->11.11.11.11:0 nexthop=10.9.15.254 tun_id=11.11.11.11 tun_id6=::11.11.11.11 dst_mtu=0 dpd-link=off weight=1
bound_if=3 real_if=3 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=2 child_num=0 refcnt=4 ilast=44775664 olast=44775664 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=IPsecTunnel proto=0 sa=0 ref=1 serial=1
src: 0:192.168.1.0-192.168.1.255:0
dst: 0:192.168.100.0-192.168.100.255:0
proxyid=Secondsubnet proto=0 sa=0 ref=1 serial=2
src: 0:192.168.2.0-192.168.2.255:0
dst: 0:192.168.100.0-192.168.100.255:0
run_tally=0
When the references for this IPSec tunnel are checked, the missing Phase 2 selector does show up, but it is indented slightly to the right of the other selectors:

 

ref.PNG

 

If that is the case, the Phase 2 selector is a duplicate. In the example above, the first and the third Phase 2 selector have the same local and remote subnets, so only one of them is listed in the IPSec monitor and in the diagnose vpn tunnel list output.
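The following Python script is an added example, not part of the original article or of FortiOS. It automates the comparison described above: it parses the proxy IDs (Phase 2 selectors) that diagnose vpn tunnel list actually reports, compares them with the list of configured Phase 2 selectors, and for each selector that is absent reports whether another selector on the same tunnel has identical local and remote subnets. The diagnose output is a trimmed copy of the one shown above; the configured list of three selectors is constructed, and the name Thirdsubnet for the duplicate third selector is hypothetical since the article does not show its name.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copy of the 'diagnose vpn tunnel list' output above.
DIAG_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=IPsecTunnel ver=1 serial=1 10.9.11.193:0->11.11.11.11:0 nexthop=10.9.15.254 tun_id=11.11.11.11
proxyid_num=2 child_num=0 refcnt=4 ilast=44775664 olast=44775664 ad=/0
proxyid=IPsecTunnel proto=0 sa=0 ref=1 serial=1
src: 0:192.168.1.0-192.168.1.255:0
dst: 0:192.168.100.0-192.168.100.255:0
proxyid=Secondsubnet proto=0 sa=0 ref=1 serial=2
src: 0:192.168.2.0-192.168.2.255:0
dst: 0:192.168.100.0-192.168.100.255:0
run_tally=0
"""

# Constructed: the three Phase 2 selectors as configured on the tunnel
# (name, local subnet range, remote subnet range). "Thirdsubnet" is a
# hypothetical name; the article only shows that it duplicates the first selector.
CONFIGURED_PHASE2 = [
    ("IPsecTunnel", "192.168.1.0-192.168.1.255", "192.168.100.0-192.168.100.255"),
    ("Secondsubnet", "192.168.2.0-192.168.2.255", "192.168.100.0-192.168.100.255"),
    ("Thirdsubnet", "192.168.1.0-192.168.1.255", "192.168.100.0-192.168.100.255"),
]

PROXYID_RE = re.compile(r"^proxyid=(\S+)")
# Matches "src: 0:192.168.1.0-192.168.1.255:0" -> ("src", "192.168.1.0-192.168.1.255")
RANGE_RE = re.compile(r"^(src|dst):\s+\d+:([\d.]+-[\d.]+):\d+")


def parse_proxyids(output):
    """Return {proxyid_name: (src_range, dst_range)} for every proxy ID in the output."""
    ranges = {}
    current = None
    for line in output.splitlines():
        line = line.strip()
        m = PROXYID_RE.match(line)
        if m:
            current = m.group(1)
            ranges[current] = {}
            continue
        m = RANGE_RE.match(line)
        if m and current is not None:
            ranges[current][m.group(1)] = m.group(2)
    return {name: (v.get("src"), v.get("dst")) for name, v in ranges.items()}


def find_duplicate_selectors(configured):
    """Group configured selectors by (local, remote) and keep groups with more than one name."""
    groups = defaultdict(list)
    for name, local, remote in configured:
        groups[(local, remote)].append(name)
    return {pair: names for pair, names in groups.items() if len(names) > 1}


def explain_missing(configured, output):
    """For each configured selector absent from the diagnose output, list the
    other selectors with identical subnets. A non-empty list means the absence
    is explained by a duplicate selector, as in the article."""
    active = parse_proxyids(output)
    duplicates = find_duplicate_selectors(configured)
    report = {}
    for name, local, remote in configured:
        if name in active:
            continue
        twins = [n for n in duplicates.get((local, remote), []) if n != name]
        report[name] = twins
    return report


if __name__ == "__main__":
    for name, twins in explain_missing(CONFIGURED_PHASE2, DIAG_OUTPUT).items():
        if twins:
            print(f"{name}: missing, duplicates {', '.join(twins)}")
        else:
            print(f"{name}: missing, no duplicate found (investigate further)")
```

Run against a live device, the script expects the raw output of diagnose vpn tunnel list and the Phase 2 selectors as configured; a selector reported as missing with no duplicate points to a different cause than the one described in this article.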