FortiGate
mle2802 (Staff)
Article Id 291458
Description

This article describes one of the possible reasons for a P1_Retransmit of an IPsec tunnel with pfSense.

Scope

FortiGate and pfSense.
Solution

When creating a site-to-site IPsec tunnel with a pfSense firewall, phase 1 does not complete and the IKE debug shows the P1_RETRANSMIT output below.


Run the following debugs to observe the output:


diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 <ip_of_remote_end>
diagnose debug application ike -1
diagnose debug enable


Note: Starting from FortiOS 7.4.1, the command diagnose vpn ike log-filter dst-addr4 was renamed to diagnose vpn ike log filter rem-addr4. On FortiOS 7.4.1 or later, use rem-addr4 instead of dst-addr4; the new name reflects that the filter selects IKE logs by the remote peer address.


sent IKE msg (ident_i3send): <ip_of_fgt>:4500-><ip_of_remote_end>:4500, len=108, id=14961d6d3f16486a/3f553c6066e91fac
ike 0: comes <ip_of_remote_end>:500-><ip_of_fgt>:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=14961d6d3f16486a/3f553c6066e91fac:51da3eaa len=76
ike 0: in 14961D6D3F16486A3F553C6066E91FAC0810050151DA3EAA0000004C25E6CBBC380CCB26039353B6C960C8F3EB3A39226208E8317DF8F8C6C0E44CF01E0A2850C991F25A53A182CAEC13A495
ike 0:fil_e2-dat_e1:370438: dec 14961D6D3F16486A3F553C6066E91FAC0810050151DA3EAA0000004C1CF5C5E69CF0D37883BCF8835E869E3B0C3FB82632241ADD6C943C1CE824C0373485524F1E63EA0CFFC1BB092D0F7B7D
ike 0:fil_e2-dat_e1:370440: out B877B4A9173E298A8596BD5F7895EDA305100201000000000000006C5FF7595E87F64F43BC2E1B3226F1FF46E5A793DE83FE29C4EF696F0FD90120A2A9E11498A64D845CC9BBC48ED3ADB1D8C0C06353DA176278D9799DF5D61595AF2CEB5F7737257DD293A20409E92BE49F
ike 0:fil_e2-dat_e1:370440: sent IKE msg (P1_RETRANSMIT): <ip_of_fgt>:4500-><ip_of_remote_end>:4500, len=108, id=b877b4a9173e298a/8596bd5f7895eda3
ike 0: comes <ip_of_remote_end>:500-><ip_of_fgt>:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=b877b4a9173e298a/8596bd5f7895eda3:b2ceacff len=76
ike 0: in B877B4A9173E298A8596BD5F7895EDA308100501B2CEACFF0000004CCB36F2BBBBA0B1EB465A94AD5B3C347CF5719D40CD84EDC1F89F2B8A518FF5753DBF071BAEBF7E8C7AA64DDFA7B68C28
ike 0:fil_e2-dat_e1:370440: dec B877B4A9173E298A8596BD5F7895EDA308100501B2CEACFF0000004C690B44395B1CCA084B8C0A9E0DBF58D40264AF8777D14A8A9B738D985820CB60E70445BA106B2CE01E97F069B559A7A0


To stop the debugs:


diagnose debug disable
diagnose debug reset


This happens because the FortiGate sits behind a NAT device and its WAN interface carries a private IP address. The FortiGate presents that private address as its IKE identifier, which does not match the peer identifier configured on the pfSense side, so phase 1 is never accepted and keeps being retransmitted. To fix this, set 'Peer identifier' on pfSense to 'IP address' and enter the private IP address of the FortiGate WAN interface.
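To make this pattern easier to spot in a longer capture, the following Python script is an added example (not part of the article or of FortiOS) that groups FortiGate IKE debug lines by ISAKMP cookie pair, counts P1_RETRANSMIT sends against Informational replies from the peer, and adds the behind-NAT hint when the local address is a private one; the sample debug text and its addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the FortiGate IKE debug above: a made-up private
# WAN address behind NAT, a documentation-range peer, hex payload dumps left out.
SAMPLE_DEBUG = """\
ike 0:fil_e2-dat_e1:370438: sent IKE msg (ident_i3send): 10.1.1.2:4500->203.0.113.10:4500, len=108, id=14961d6d3f16486a/3f553c6066e91fac
ike 0: comes 203.0.113.10:500->10.1.1.2:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=14961d6d3f16486a/3f553c6066e91fac:51da3eaa len=76
ike 0:fil_e2-dat_e1:370440: sent IKE msg (P1_RETRANSMIT): 10.1.1.2:4500->203.0.113.10:4500, len=108, id=b877b4a9173e298a/8596bd5f7895eda3
ike 0: comes 203.0.113.10:500->10.1.1.2:500,ifindex=8....
ike 0: IKEv1 exchange=Informational id=b877b4a9173e298a/8596bd5f7895eda3:b2ceacff len=76
ike 0:fil_e2-dat_e1:370440: sent IKE msg (P1_RETRANSMIT): 10.1.1.2:4500->203.0.113.10:4500, len=108, id=b877b4a9173e298a/8596bd5f7895eda3
"""

# "sent IKE msg (<type>): <src>:<port>-><dst>:<port>, len=<n>, id=<icookie>/<rcookie>"
SENT_RE = re.compile(
    r"sent IKE msg \((?P<msg>[^)]+)\): (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+, "
    r"len=\d+, id=(?P<id>[0-9a-f]+/[0-9a-f]+)")
# Peer reply lines: "IKEv1 exchange=Informational id=<icookie>/<rcookie>:<msgid>"
INFO_RE = re.compile(r"exchange=Informational id=(?P<id>[0-9a-f]+/[0-9a-f]+):")

def parse_ike_debug(text):
    """Group the debug by ISAKMP cookie pair (the id=initiator/responder field)."""
    sa = defaultdict(lambda: {"p1_retransmits": 0, "informational": 0, "local": None, "peer": None})
    for line in text.splitlines():
        m = SENT_RE.search(line)
        if m:
            e = sa[m["id"]]
            e["local"], e["peer"] = m["src"], m["dst"]
            if m["msg"] == "P1_RETRANSMIT":
                e["p1_retransmits"] += 1
            continue
        m = INFO_RE.search(line)
        if m:
            sa[m["id"]]["informational"] += 1
    return dict(sa)

def findings(sa):
    """One line per SA stuck retransmitting phase 1 while the peer only sends Informational."""
    out = []
    for cookies, e in sa.items():
        if not (e["p1_retransmits"] and e["informational"]):
            continue
        note = (f"{cookies}: {e['p1_retransmits']} P1_RETRANSMIT; peer {e['peer']} answered only "
                f"with {e['informational']} Informational exchange(s), phase 1 never completed")
        if e["local"] and ipaddress.ip_address(e["local"]).is_private:
            note += (f"; local address {e['local']} is private (behind NAT), so the remote "
                     "peer identifier must match it, e.g. pfSense 'Peer identifier' = IP address")
        out.append(note)
    return out
```

Feed it the output of the debug commands above (with the filter applied) and each reported cookie pair points at an attempt whose identifier the peer did not accept.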




Related document:

pfSense documentation on IPsec VPN configuration