This article describes how to avoid IPsec VPN keep generating phase1 errors from the same source IP address.

Related article:

Technical Tip: How to filter traffic with VLAN ID when doing packet sniffer

FortiGate will generate IPsec phase1 error when the source IP does not match the remote gateway settings of FortiGate IPSec VPN.

Topology:

10.1.212.9(device A) <----IPsec---> 10.1.212.14() FGT 

Scenario:

10.1.212.9 tries to generate IPsec VPN to 10.1.212.14 but there are no such IP address settings for the IPsec in the FortiGate.

The log will keep showing an IPsec phase1 error.

To avoid the log getting generated, it is possible to use a local-in policy to block the traffic:

config firewall local-in-policy
    edit 1
        set intf "port17"
        set srcaddr "10.1.212.9"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
    next
end

In v7.2.4+, another CLI option is needed for the local-in policy to affect IPsec traffic:

config system settings
    set detect-unknown-esp disable
end

Related document:

Blocking unwanted IKE negotiations and ESP packets with a local-in policy | FortiGate / FortiOS 7.6....