FortiGate
Oscar_Wee
Staff
Article Id 376899
Description
This article describes how to resolve a Site-to-Site IPsec VPN whose phase 2 does not come up because the traffic is hitting implicit deny, policy 0.
Scope
FortiGate.
Solution

To troubleshoot this, make sure the correct subnet is configured in the firewall address object that the VPN policy uses as its destination. If the object does not cover the remote subnet, traffic towards the remote site matches no policy, is dropped by implicit deny, policy 0, and never triggers the phase 2 negotiation.

 

Example of the problem:

 

[Image: wrong subnet.jpg]

 

In this example:
The firewall address object has been wrongly configured with 10.2.71.0/24. Traffic destined for the remote subnet 10.3.71.0/24 therefore matches no policy and is logged as implicit deny, policy 0, because the policy destination has to be 10.3.71.0/24.

 

Solution:
Change the wrong subnet 10.2.71.0/24 to the correct subnet 10.3.71.0/24.

 

Result:
Implicit deny, policy 0 is no longer seen in the forward traffic log for this traffic, and the Site-to-Site IPsec VPN phase 2 is formed.
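As an added illustration, not part of the original article, the wrong and corrected address object side by side in FortiOS CLI, followed by the debug flow check that shows which policy the traffic actually hits. The object name "Remote_LAN", tunnel name "SiteB", policy ID 5 and test host 10.3.71.10 are assumed; the phase 2 and policy entries are edits to already existing objects.

```fortios
# Added example, not from the original article. "Remote_LAN", "SiteB",
# policy 5 and host 10.3.71.10 are assumed names and values.

# Wrong: the object does not cover the remote subnet used by phase 2,
# so traffic to 10.3.71.0/24 matches no policy (implicit deny, policy 0)
config firewall address
    edit "Remote_LAN"
        set type ipmask
        set subnet 10.2.71.0 255.255.255.0
    next
end

# Corrected: the object now matches the phase 2 destination selector
config firewall address
    edit "Remote_LAN"
        set subnet 10.3.71.0 255.255.255.0
    next
end

# The phase 2 selector and the policy that references the object must
# agree with each other (existing tunnel and existing policy assumed)
config vpn ipsec phase2-interface
    edit "SiteB"
        set dst-subnet 10.3.71.0 255.255.255.0
    next
end
config firewall policy
    edit 5
        set dstintf "SiteB"
        set dstaddr "Remote_LAN"
    next
end

# Check: trace packets to a host in the remote subnet. With the wrong
# object the trace ends with a drop on policy 0; after the fix it reports
# policy 5 and the tunnel interface as the outgoing interface.
diagnose debug flow filter daddr 10.3.71.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... send a ping from the local LAN to 10.3.71.10, then stop tracing ...
diagnose debug disable
diagnose debug reset
```

The forward traffic log (Log & Report > Forward Traffic) filtered on policy ID 0 gives the same answer without the CLI trace.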

 

Related article:

Troubleshooting Tip: IPsec VPN tunnels