FortiGate
Oscar_Wee
Staff
Article Id 383464
Description This article describes how to resolve a Site-to-Site IPsec VPN whose phase 1 does not come up even though the SA settings are the same on both sides.
Scope FortiGate.
Solution

To troubleshoot this, make sure that firewall policies are configured to allow bi-directional traffic between the local and remote destinations. It is quite common to omit the firewall policy when configuring a Site-to-Site IPsec VPN without using the wizard.

Before the firewall policy is configured, phase 1 cannot be formed.

[Image: Phase 1 not forming despite same SA settings on local and remote firewall]

After the firewall policy is configured, phase 1 is formed.

[Image: firewall policy for IPsec]

[Image: Phase 1 forming due to firewall policy configured]

Result: Phase 1 is formed.
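The following is an added example, not part of the original article, showing the two policies described above as they would be entered from the FortiOS CLI (one per direction). The interface names, tunnel name and subnets are assumptions: port2 is the LAN interface, to_branch is the phase 1 (tunnel) interface, and the address objects are placeholders.

```fortios
# Added example, not from the article. Assumed names: port2 = LAN interface,
# to_branch = IPsec phase 1 interface; subnets are placeholder values.
config firewall address
    edit "LAN_local"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "LAN_remote"
        set subnet 192.168.20.0 255.255.255.0
    next
end

config firewall policy
    # Outbound: local LAN to the tunnel interface
    edit 0
        set name "LAN-to-VPN"
        set srcintf "port2"
        set dstintf "to_branch"
        set srcaddr "LAN_local"
        set dstaddr "LAN_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # Inbound: tunnel interface to local LAN (the direction most often forgotten)
    edit 0
        set name "VPN-to-LAN"
        set srcintf "to_branch"
        set dstintf "port2"
        set srcaddr "LAN_remote"
        set dstaddr "LAN_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Check: the remote gateway should now be listed with an established phase 1
diagnose vpn ike gateway list
```

A route-based tunnel also needs a static route for LAN_remote via to_branch, which the article does not cover.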


To better check the IPsec negotiation on the FortiGate, debugging of the IKE daemon can be run with the following commands:

diagnose vpn ike log-filter dst-addr4 <Remote_GW_IP>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

To disable:

diagnose debug disable
diagnose debug reset

If both sides are FortiGate firewalls, the debugging needs to be run on both devices to get a better overview of the negotiation.
Starting from FortiOS v7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

Related article:

Troubleshooting Tip: IPsec VPN tunnels