New Contributor

FortiGate to Sonicwall IPSec VPN

I have to set up an IPSec VPN between a VLAN on one site ( and a Sonicwall on another site (


I have followed this article and the VPN will not come up, any ideas please?;documentID=FD33903


debug the VPN communications to see what's going on


Use these CLI commands

#diag deb app ike 255 <sonicwall IP>

#diag deb en


Then attempt to bring up the tunnel from the Sonicwall side. This will show the negotiation proposals that are being presented by the Sonicwall, and you can compare them to what is configured on the FortiGate to find the discrepancy.

New Contributor III

Actually the debug commands you have given are outdated (pre 4.x)


the right command is

dia deb en

dia vpn ike log-filter dst4 <ip-address>

dia deb app ike 255


Rackmount your Fortinet -->


Esteemed Contributor III

Actually those commands are not outdated and the right syntax is:


diag vpn ike log-filter  dst-addr4


I do agree tho, you need to diag the ike, but in the meantime can you provide



show vpn ipsec phase1-interface

show vpn ipsec phase2-interface


(you did do an interface mode vpn, right ;) ?)



On your dell sonicwall can you provide us the exact cfg that you deployed?


show vpn sa ike

show vpn policy

show vpn sa


You need to ensure the phase1 authen and PSK match and the exact proposals. I would limit or restrict multiple proposals.

For the phase2 proxy-ids, they need to exactly match src/dst and dst/src respectively on each device.






PCNSE NSE StrongSwan
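
The matching rules from the post above (identical phase1 settings, a shared proposal, mirrored phase2 proxy-ids), as an added example that is not part of the original thread. The dictionary layout, field names and all sample values are assumptions: each side's settings are transcribed by hand from its own config output.

```python
import ipaddress

# Constructed sample values, transcribed by hand into one common shape.
# Proposals are (encryption, hash, DH/PFS group) tuples.
FORTIGATE = {
    "phase1": {"ike_version": 1, "mode": "main", "auth_method": "psk",
               "psk": "constructed-example-key",
               "proposals": [("aes256", "sha1", 5), ("3des", "sha1", 2)]},
    "phase2": {"proposals": [("aes256", "sha1", 5)],
               "local": "10.10.20.0/255.255.255.0", "remote": "192.168.168.0/24"},
}
SONICWALL = {
    "phase1": {"ike_version": 1, "mode": "main", "auth_method": "psk",
               "psk": "constructed-example-key",
               "proposals": [("aes256", "sha1", 5)]},
    "phase2": {"proposals": [("aes256", "sha1", 5)],
               "local": "192.168.168.0/24", "remote": "10.10.0.0/16"},
}

def _net(text):
    # Accepts prefix or dotted-mask notation; raises ValueError on host bits.
    return ipaddress.ip_network(text)

def compare_tunnel(a, b):
    """Return a list of mismatches between two peers' IPsec settings."""
    problems = []
    # Phase 1 scalars must be identical; never echo the PSK itself.
    for key in ("ike_version", "mode", "auth_method", "psk"):
        if a["phase1"][key] != b["phase1"][key]:
            detail = "differs" if key == "psk" else f"{a['phase1'][key]!r} vs {b['phase1'][key]!r}"
            problems.append(f"phase1 {key}: {detail}")
    for phase in ("phase1", "phase2"):
        pa, pb = a[phase]["proposals"], b[phase]["proposals"]
        common = set(pa) & set(pb)
        if not common:
            problems.append(f"{phase} proposals: nothing in common")
        elif len(pa) > 1 or len(pb) > 1:
            problems.append(f"{phase} proposals: several offered, pin both sides to {sorted(common)[0]}")
    # Proxy-ids must mirror: my local is the peer's remote, and vice versa.
    for mine, theirs in (("local", "remote"), ("remote", "local")):
        if _net(a["phase2"][mine]) != _net(b["phase2"][theirs]):
            problems.append(f"phase2 proxy-id: {a['phase2'][mine]} ({mine}) vs "
                            f"{b['phase2'][theirs]} (peer {theirs})")
    return problems

if __name__ == "__main__":
    for line in compare_tunnel(FORTIGATE, SONICWALL):
        print(line)
```

The two mask notations compare equal once normalised, so only a real subnet difference (here a /16 on one side against a /24 on the other) is reported.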
New Contributor III

Hi Emnoc, I believe we state the same thing:


dia deb app ike <ip address> is really outdated. :)



Rackmount your Fortinet -->


Contributor II

On Sonicwall side, you need to use site-to-site VPN instead of "Tunnel Interface". The Fortinet KB is wrong about this.


I have a scenario with Fortigate 1000D and 70 Sonicwall TZ using IPSec VPN among them.




Paulo Raponi

Regards, Paulo Raponi




KB talks about route based vpn between fgt and sonicwall. You have other options apart from route based vpn.

You need to collect the following commands output to understand what's the issue.


-you can debug the ike (isakmp packets) from fgt

diag debug reset

diag debug console timestamp enable

diag vpn ike log-filter dst-addr4 <sonicwall_public_IP>

diag debug app ike -1

-vpn configuration.


-to stop the debug

diag debug disable 

diag debug reset




