Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
sw2090
SuperUser
SuperUser

Created on ‎02-04-2025 05:59 AM

FortiManager IPSec provisioning templates - phase2 partly broken?

Heyho,

 

just ran into this:

 

On my FortiManager in an adom I added an IPSec VPN provisioning template in device manager. This has a phase1 and also a phase2. I had no problems with phase1. But I do have a big problem with phase2:

I need to enter the selectors (dst-subnet and src-subnet) and I do enter the correct ones. However it doesn't matter wether i input them in the form subnet/suffix or subnet,suffix. When I click apply it says its invalid.

If I create the phase2 without templete and the same subnets it works fine.

Any clues?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Labels:
176
0 Kudos
3 REPLIES 3
Anthony_E
Community Manager
Community Manager

Created on ‎02-06-2025 10:12 PM

Hello :)!,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
139
Anthony_E
Community Manager
Community Manager

Created on ‎02-10-2025 05:45 AM

Hello,

 

I hope you are doing well.

 

I have the answer to troubleshoot an issue where the IPsec phase 2 is partly broken in FortiManager's IPsec provisioning templates:

  1. Check the IPsec template configuration in FortiManager to ensure all phase 2 settings are correctly defined.
  2. Verify that the IPsec template is properly assigned to the device in question.
  3. Review the device's configuration status in FortiManager to see if any errors or inconsistencies are reported.
  4. If the phase 2 settings are not being applied correctly, consider un-assigning the IPsec template from the device and then re-assigning it.
  5. After making any changes, install the modified device configuration to ensure the correct phase 2 settings are pushed to the device.
Anthony-Fortinet Community Team.
105
0 Kudos
sw2090
SuperUser
SuperUser

Created on ‎02-12-2025 05:05 AM

This is due to the irritating way of FMG displaying the selectors in a template:

FMG itself in a template lists selectors in format <subnet>,<mask> but it doesn't accept this format as input. You have to input <subnet> <mask> or maybe <subnet>/<mask> to have it accepted but when you reopen the phase2 afterwards it is dispayes as <subnet>,<mask>.

There also is no notice around there which format you should enter.So you have to know it.

Only FortiNet know why they do different in template then in Device manager's VPN Settings....

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
81
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.