FortiProxy
ssriswadpong
Staff & Editor
Article Id 191034

Description

 

This article describes how to debug and troubleshoot IPsec VPN tunnels.

Most FortiProxy commands are the same as FortiGate's, but IPsec troubleshooting is an exception: FortiProxy has its own command for bringing up and debugging a tunnel.

 

Scope

 

FortiProxy.


Solution

 

The command is:

 

diagnose ipsec connect <phase1name> <phase2name>

 

In the examples below, both the phase1 name and the phase2 name are 'ipsecvpn'.

Example output when the VPN tunnel establishes:

 

diagnose ipsec connect ipsecvpn ipsecvpn
[ENC] generating QUICK_MODE request 3312549748 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (492 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (444 bytes)
[ENC] parsed QUICK_MODE response 3312549748 [ HASH SA No KE ID ID ]
[IKE] received 28800s lifetime, configured 0s
[IKE] received 36908000 lifebytes, configured 36908748
[IKE] CHILD_SA ipsecvpn{4} established with SPIs c581cf90_i b7f42e3f_o and TS 10.207.0.0/22 === 10.237.0.0/22
[ENC] generating QUICK_MODE request 3312549748 [ HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (76 bytes)

 

Initiation completed successfully. The line to look for is '[IKE] CHILD_SA ipsecvpn{4} established with SPIs ... and TS ...': it confirms the phase2 SA, its inbound (_i) and outbound (_o) SPIs, and the negotiated traffic selectors (10.207.0.0/22 === 10.237.0.0/22). The lifetime lines just above it show what the peer proposed versus what is configured locally.

Example output when the VPN tunnel does not establish (retransmissions):

 

diagnose ipsec connect ipsecvpn ipsecvpn
[IKE] initiating Main Mode IKE_SA ipsecvpn[35] to 10.177.1.188
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (560 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (188 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received DPD vendor ID
[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
[IKE] received FRAGMENTATION vendor ID
[IKE] received FRAGMENTATION vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (396 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (92 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[IKE] received retransmit of response with ID 0, but next request already sent
[IKE] sending retransmit 1 of request message ID 0, seq 3

 

In this trace phase1 (Main Mode) never completes: the peer answers the SA and KE exchanges, but after the ID/HASH message is sent it only retransmits its previous response instead of replying, so the initiator retransmits the ID/HASH request. The ID/HASH message is the first one protected with keys derived from the pre-shared key, so a peer that cannot process it most often has a mismatched pre-shared key or a mismatched local/peer ID; check those first. In general, if the VPN tunnel cannot be brought up, verify the phase1 and phase2 settings on both ends, make sure every parameter matches, and run debugs or check the logs on the remote gateway to find the problem.
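To make that reading of the output mechanical, the following is an added example (editor's code, not part of the article and not a Fortinet tool) that parses a 'diagnose ipsec connect' transcript and reports either the established CHILD_SA with its SPIs and traffic selectors, or which IKEv1 exchange went unanswered. The two embedded transcripts are copied from the outputs above; the mapping from the stalled exchange to a troubleshooting hint is the editor's own reading of Main Mode and Quick Mode, not something the command prints.

```python
import re

# Lines printed by 'diagnose ipsec connect' (IKEv1 Main Mode / Quick Mode).
CHILD_SA_RE = re.compile(
    r"\[IKE\] CHILD_SA (?P<name>[^{]+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)
REQUEST_RE = re.compile(
    r"\[ENC\] generating (?P<exchange>[A-Z_]+) request (?P<mid>\d+) \[ (?P<payloads>[^\]]+?) \]"
)
RESPONSE_RE = re.compile(r"\[ENC\] parsed (?P<exchange>[A-Z_]+) response (?P<mid>\d+)")
RETRANSMIT_RE = re.compile(r"\[IKE\] sending retransmit (?P<n>\d+) of request message ID (?P<mid>\d+)")

# Editor's hints, keyed by (exchange, first payload) of the last unanswered request.
HINTS = {
    ("ID_PROT", "SA"): "no reply to the phase1 proposal: check peer IP, UDP/500 reachability and phase1 proposals",
    ("ID_PROT", "KE"): "no reply to the DH/nonce exchange: check the DH group and NAT-T settings",
    ("ID_PROT", "ID"): "peer did not accept ID/HASH: check the pre-shared key and local/peer ID on both sides",
    ("QUICK_MODE", "HASH"): "phase1 is up but phase2 does not complete: check phase2 proposals, selectors and PFS",
}


def analyze(transcript: str) -> dict:
    """Classify one 'diagnose ipsec connect' transcript.

    Returns a dict with 'status' (established / stalled / incomplete / unknown),
    the CHILD_SA details when established, and the stalled exchange plus a hint otherwise.
    """
    report = {"status": "unknown", "requests": [], "answered": 0, "retransmits": 0, "hint": None}
    for line in transcript.splitlines():
        m = CHILD_SA_RE.search(line)
        if m:
            report["status"] = "established"
            report["child_sa"] = m.groupdict()
            continue
        m = REQUEST_RE.search(line)
        if m:
            # Remember the exchange and its first payload (SA / KE / ID / HASH).
            report["requests"].append((m["exchange"], m["payloads"].split()[0]))
            continue
        if RESPONSE_RE.search(line):
            report["answered"] += 1
            continue
        if RETRANSMIT_RE.search(line):  # only *our* retransmits, not the peer's
            report["retransmits"] += 1
    if report["status"] != "established" and report["requests"]:
        last = report["requests"][-1]
        report["status"] = "stalled" if report["retransmits"] else "incomplete"
        report["stalled_at"] = last
        report["hint"] = HINTS.get(last, "stalled at %s/%s" % last)
    return report


# Transcripts copied from the article's two examples.
ESTABLISHED = """\
[ENC] generating QUICK_MODE request 3312549748 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (492 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (444 bytes)
[ENC] parsed QUICK_MODE response 3312549748 [ HASH SA No KE ID ID ]
[IKE] received 28800s lifetime, configured 0s
[IKE] received 36908000 lifebytes, configured 36908748
[IKE] CHILD_SA ipsecvpn{4} established with SPIs c581cf90_i b7f42e3f_o and TS 10.207.0.0/22 === 10.237.0.0/22
[ENC] generating QUICK_MODE request 3312549748 [ HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (76 bytes)
"""

RETRANSMIT = """\
[IKE] initiating Main Mode IKE_SA ipsecvpn[35] to 10.177.1.188
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (560 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (188 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (396 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (92 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[IKE] received retransmit of response with ID 0, but next request already sent
[IKE] sending retransmit 1 of request message ID 0, seq 3
"""

if __name__ == "__main__":
    for label, text in (("established", ESTABLISHED), ("retransmit", RETRANSMIT)):
        print(label, "->", analyze(text))
```

Paste the command's output into `analyze()` (or pipe it through `python3 script.py` after replacing the sample strings) and read 'stalled_at': the exchange and first payload of the last request that got no reply tells you which phase1 or phase2 parameter to compare with the remote gateway before asking its administrator for logs.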

Other useful commands:

 

diagnose ipsec reload-ipsec
diagnose ipsec reload-ca

 

'reload-ipsec' is required after changing some phase1 or phase2 settings, so that the new configuration is actually applied to the tunnel; 'reload-ca' does the same for the CA certificates used by certificate-authenticated tunnels.

To bring the tunnel down or up:

 

execute vpn ipsec tunnel down <phase1_name>

execute vpn ipsec tunnel up <phase1_name>