Some vendors don't allow the IKE/VPN service by default on their interfaces, which means we cannot initiate a tunnel towards them, but they can initiate a tunnel, and when we reply they will process that even if the service is not enabled on the interface.
For example, we use "set allowaccess ping https ssh http telnet" under the Fortigate interface configuration to allow these services. Let's say we don't have ping enabled under this interface; it means no one can ping us, but we can ping and it will work. I am talking about a similar option for IKE/VPN on the WatchGuard side.
I think if you just clear the tunnel from the Fortigate side, it will try to initiate a new tunnel. Can you check if the "direction" becomes Initiator on the Fortigate side? If we see the Fortigate side as initiator, then my theory is wrong and it could be some other issue.
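The interface setting and the "direction" check referred to in the post above, written out as an added example (not part of the original thread). The interface name `wan1`, the phase1 name `to-watchguard` and the IP addresses are hypothetical, and the diagnose output is abbreviated and constructed to show only the fields that matter for this check: the `allowaccess` list governs which services the FortiGate *answers* on that interface, not which it can initiate, and `direction:` in the IKE gateway listing tells you which side brought the tunnel up after you clear it.

```text
# FortiGate CLI (names and addresses are hypothetical)

# 1. Inbound services the WAN interface will answer. "ping" is deliberately
#    absent here: nobody can ping wan1, but the FortiGate can still ping out,
#    which is the same asymmetry the post describes for IKE on the peer side.
config system interface
    edit "wan1"
        set allowaccess https ssh
    next
end

# 2. Force a renegotiation from the FortiGate side by clearing the IKE SA
#    for the phase1 towards the WatchGuard.
diagnose vpn ike gateway clear name to-watchguard

# 3. List the gateway again and read the "direction" field.
diagnose vpn ike gateway list name to-watchguard

# Abbreviated, constructed output:
#   name: to-watchguard
#   interface: wan1
#   addr: 203.0.113.10:500 -> 198.51.100.20:500
#   ...
#   direction: initiator
#   status: established
#
# direction: initiator  -> the FortiGate brought the tunnel up; the peer
#                          does accept inbound IKE and the theory in the
#                          post does not explain the problem.
# direction: responder  -> the peer initiated; consistent with the peer
#                          not allowing inbound IKE on its interface.
```

If the listing never shows an established SA after the clear, look at the peer side before anything else: a peer that drops inbound IKE on the interface will show nothing in its own logs for the FortiGate's attempts, whereas a proposal or PSK mismatch produces a negotiation failure on both ends.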