FortiGate
kcheng
Staff
Article Id 244740
Description This article describes how to troubleshoot the IPSec error 22: Invalid argument.
Scope FortiGate.
Solution
  1. An IPSec tunnel is configured between FG-A and FG-B with the following Phase2 selector settings:

FG-A:

[IPSec_local].

IPSec_local_subnet_1: 10.251.0.0/20.

IPSec_local_subnet_2: 10.251.0.0/24.

[IPSec_remote].

IPSec_remote_subnet_1: 10.120.0.0/20.

 

FG-B:

[IPSec_local].

IPSec_local_subnet_1: 10.120.0.0/20.

[IPSec_remote].

IPSec_remote_subnet_1: 10.251.0.0/20.

IPSec_remote_subnet_2: 10.251.0.0/24.


    With this configuration, IPSec phase2 does not come up when the tunnel is brought up from FG-B.

    Inspect the IKE debug log with the following commands:

    diag vpn ike log-filter dst-addr4 <remote_IP>
    diag deb app ike -1
    diag deb en

    Note:
    Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.


  2. The debug log shows that FG-A failed to add the SA with error 22: Invalid argument:

    [Screenshot kcheng_0-1675415361358.png: FG-A IKE debug, 'failed to add SA' with error 22: Invalid argument]

    FG-A also reports that the SA_DONE operation failed with error 2: No such file or directory:

    [Screenshot kcheng_1-1675415361360.png: FG-A IKE debug, SA_DONE failed with error 2: No such file or directory]


  3. The tunnel is established when FG-A is the initiator:

    FG-A:

    [Screenshot kcheng_2-1675415361363.png: FG-A IKE debug, tunnel up with FG-A as initiator]

    FG-B:

    [Screenshot kcheng_3-1675415361367.png: FG-B IKE debug, tunnel up with FG-A as initiator]


  4. This happens because of overlapping Phase2 selector subnets on FG-A: 10.251.0.0/24 lies entirely inside 10.251.0.0/20, so both entries describe the same addresses.

Removing 10.251.0.0/24 from the address group on both FortiGates (it is already covered by 10.251.0.0/20) prevents the IPSec tunnel issue regardless of whether FG-A or FG-B is the initiator.
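The overlap above is easy to miss in a long address group, so a pre-deployment check is worth having. The following Python script is an added example, not part of this article or of FortiOS: it takes the Phase2 selector lists from the article (hard-coded here as constructed sample input), reports any pair of prefixes that overlap on either side of each peer, verifies that FG-A's local/remote sets mirror FG-B's, and produces the narrowed selector list with the subsumed /24 dropped. The function names are the example's own.

```python
import ipaddress
from itertools import combinations

# Constructed sample input: the Phase2 selector address groups described in
# the article. Note that 10.251.0.0/24 lies inside 10.251.0.0/20.
FG_A_LOCAL = ["10.251.0.0/20", "10.251.0.0/24"]
FG_A_REMOTE = ["10.120.0.0/20"]
FG_B_LOCAL = ["10.120.0.0/20"]
FG_B_REMOTE = ["10.251.0.0/20", "10.251.0.0/24"]


def find_overlaps(prefixes):
    """Return every pair of prefixes in the list that share addresses.

    Pairs are reported in list order as (first, second) strings. Fully nested
    prefixes (a /24 inside a /20) count as overlapping, which is the case the
    article describes.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def remove_subsumed(prefixes):
    """Drop any prefix that is entirely contained in another prefix of the list.

    Unlike ipaddress.collapse_addresses(), this never merges adjacent siblings
    into a larger prefix, so the selector set is only narrowed, never widened.
    Exact duplicates are removed first.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in dict.fromkeys(prefixes)]
    kept = []
    for n in nets:
        if not any(other != n and n.subnet_of(other) for other in nets):
            kept.append(str(n))
    return kept


def audit_phase2(name, local, remote):
    """Report overlapping selectors on either side of one peer's Phase2 config.

    Returns a list of human-readable findings; an empty list means clean.
    """
    findings = []
    for side, prefixes in (("local", local), ("remote", remote)):
        for first, second in find_overlaps(prefixes):
            findings.append(f"{name} {side}: {second} overlaps {first}")
    return findings


def selectors_mirror(a_local, a_remote, b_local, b_remote):
    """True when FG-A's local set equals FG-B's remote set and vice versa."""
    return set(a_local) == set(b_remote) and set(a_remote) == set(b_local)


if __name__ == "__main__":
    for line in audit_phase2("FG-A", FG_A_LOCAL, FG_A_REMOTE):
        print(line)
    for line in audit_phase2("FG-B", FG_B_LOCAL, FG_B_REMOTE):
        print(line)
    print("mirrored:", selectors_mirror(FG_A_LOCAL, FG_A_REMOTE, FG_B_LOCAL, FG_B_REMOTE))
    print("FG-A local after fix:", remove_subsumed(FG_A_LOCAL))
```

Run against the article's configuration it flags 10.251.0.0/24 on FG-A's local side and FG-B's remote side, confirms the two peers mirror each other, and returns ["10.251.0.0/20"] as the cleaned local selector list for FG-A. The narrowing step deliberately avoids merging adjacent prefixes, since that would change the traffic selectors negotiated in Phase2 rather than just removing a redundant entry.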