Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rishab444
Staff
Staff

Created on ‎10-29-2024 11:24 PM Edited on ‎09-16-2025 03:40 AM By Moderator

Article Id 352417

Technical Tip: Temporarily disable an IPsec VPN tunnel

Description This article describes that for troubleshooting and some configuration change scenarios, it may be necessary to temporarily prevent an IPsec tunnel from attempting to initiate or respond to IKE requests.
Scope FortiGate.
Solution

This can be achieved by disabling the tunnel interface from under Network>Interface -> Expanding the Outgoing Interface of IPSec tunnel -> 'Right-Click' the tunnel Interface -> Set Status -> Disable.

rishab444_0-1729804936363.jpeg


From CLI:

config system interface
    edit <IPSec_interface_name>
        set status down
    next
end

This will function similarly to disabling a physical interface but will simply prevent IKE from making attempts to establish a tunnel (for a site-to-site tunnel) or responding to connection attempts for this specific tunnel.

To confirm the behavior, use ike debugs:

diagnose debug application ike -1

diagnose debug enable

 

To stop the debug, run the following commands:

 

   diagnose debug disable

   diagnose debug reset


ike 0:dc3556fc83a979ba/0000000000000000:10: responder: main mode get 1st message...
ike 0:dc3556fc83a979ba/0000000000000000:10: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:dc3556fc83a979ba/0000000000000000:10: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:dc3556fc83a979ba/0000000000000000:10: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:dc3556fc83a979ba/0000000000000000:10: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:dc3556fc83a979ba/0000000000000000:10: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:dc3556fc83a979ba/0000000000000000:10: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:dc3556fc83a979ba/0000000000000000:10: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:dc3556fc83a979ba/0000000000000000:10: VID Fortinet Auto-Discovery Receiver CA4A4CBB12EAB6C58C57067C2E653786
ike 0:dc3556fc83a979ba/0000000000000000:10: VID Fortinet Exchange Interface IP A58FEC5036F57B21E8B499E336C76EE6
ike 0:dc3556fc83a979ba/0000000000000000:10: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3
ike 0:dc3556fc83a979ba/0000000000000000:10: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000
ike 0:dc3556fc83a979ba/0000000000000000:10: VID FORTIGATE 8299031757A36082C6A621DE00000000
ike 0:Test: ignoring IKE request, interface is administratively down
ike 0:dc3556fc83a979ba/0000000000000000:10: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:dc3556fc83a979ba/0000000000000000:10: no SA proposal chosen

 

8259
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.