
Do I need a policy entry to permit IPSec underlay traffic to connect

Hi, I have a 40F with a new IPsec VPN configured.

The tunnel is not up and the sniffer shows no traffic going to the internet to the tunnel DID.

The tunnel setup traffic e.g. IKE would be originated by the 40F itself.

Do I need a policy entry to allow this traffic out?



Hello slouw,


Yes, you typically need a policy entry to permit IPSec underlay traffic to connect, specifically allowing the traffic necessary for the establishment and maintenance of the VPN tunnel.


Hope the below document guide helps:



Shilpa C.P


Thanks @Shilpa1 
I see in your link here:
VPN > IPSec VPNs > General IPSec VPN Config > Blocking Unwanted IKE/ESP Packets

That I presume you agree is not what I need?
If I were to create a policy rule what source interface should I specify?


Hello slouw, 

You can check with the sniffer command if ESP packets are leaving the FGT itself. If you have NAT-T disabled you should be able to capture the traffic with the below command:
diag sniffer packet any "port 500" 4 0 l
In case you have multiple tunnels you can also add the remote GW IP as a filter in the sniffer,
e.g. diag sniffer packet any "host x.x.x.x and port 500" 4 0 l
If you see only "out" packets but no "in", run the same sniffer on the remote side and check if anything is being received on the remote side.
IKE debug on both sides should show relevant information also:
diagnose vpn ike log-filter dst-addr4 <Remote-GW>
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

Starting from FortiOS 7.4.1, the 'diagnose vpn ike log-filter dst-addr4' command has been changed to 'diagnose vpn ike log filter rem-addr4'.

Hope this can be of help.

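The "out" versus "in" check described in the post above, as an added example that is not part of the thread: a small Python parser for verbosity-4 sniffer output (the assumed line layout is `<date> <time> <iface> <in|out> <src>.<port> -> <dst>.<port>: udp <len>`) that counts IKE packets per remote gateway and maps the result onto the three cases the post walks through. The capture lines are constructed samples using documentation addresses.

```python
import re
from collections import defaultdict

# Assumed layout of one 'diag sniffer packet any "port 500" 4 0 l' line
# (verbosity 4, 'l' = local timestamp):
#   <date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: udp <len>
SNIFFER_LINE = re.compile(
    r"^\S+ \S+ (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)$"
)
IKE_PORTS = {500, 4500}  # 4500 = NAT-T, in case the filter is widened later


def ike_direction_summary(lines):
    """Return {remote_gw: {"in": n, "out": n}} for UDP 500/4500 packets only.

    For 'out' packets the remote gateway is the destination, for 'in'
    packets the source. Echoed command/filter lines do not match and are skipped.
    """
    summary = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        m = SNIFFER_LINE.match(line.strip())
        if not m or not ({int(m["sport"]), int(m["dport"])} & IKE_PORTS):
            continue
        remote = m["dst"] if m["dir"] == "out" else m["src"]
        summary[remote][m["dir"]] += 1
    return dict(summary)


def diagnose(summary, remote_gw):
    """Map the counts for one remote gateway onto the cases from the post."""
    counts = summary.get(remote_gw, {"in": 0, "out": 0})
    if counts["out"] == 0 and counts["in"] == 0:
        return "no IKE traffic: the local FGT is not initiating"
    if counts["in"] == 0:
        return "out only: IKE leaves the FGT but nothing returns, sniff the remote side"
    return "bidirectional: IKE is exchanged, check the IKE debug for negotiation errors"


# Constructed sample capture (RFC 5737 documentation addresses, not real hosts).
SAMPLE_CAPTURE = """\
interfaces=[any]
filters=[port 500]
2024-05-01 10:00:00.000001 wan out 203.0.113.10.500 -> 198.51.100.20.500: udp 288
2024-05-01 10:00:03.000002 wan out 203.0.113.10.500 -> 198.51.100.20.500: udp 288
2024-05-01 10:00:05.000003 wan out 203.0.113.10.500 -> 192.0.2.77.500: udp 288
2024-05-01 10:00:05.100004 wan in 192.0.2.77.500 -> 203.0.113.10.500: udp 312
"""

if __name__ == "__main__":
    s = ike_direction_summary(SAMPLE_CAPTURE.splitlines())
    for gw in sorted(s):
        print(gw, s[gw], "->", diagnose(s, gw))
```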

Thanks, I ran a sniffer trace and I am satisfied no IKE messages are being initiated.
I must have configured the tunnel incorrectly but not sure how.
Here is the tunnel config.
I can ping the far end underlay address from the CLI.
The wan interface is internet facing.
I need to work out what policy rule would work; see post above...

FG40-Lab-6954S (pri_bms) # show
config system interface
    edit "pri_bms"
        set vdom "FG-traffic"
        set vrf 1
        set ip
        set allowaccess ping
        set type tunnel
        set remote-ip
        set snmp-index 17
        set interface "wan"
    next
end


Hi @slouw,


If the tunnel is not up, you need to run the IKE debug as mentioned by ezhupa. Please refer to


