Description
By default, the FortiGate IPsec VPN phase 1 is set to initiate the IKE SA negotiation itself (the 'auto-negotiate' setting).
This option can be disabled so that the FortiGate only responds to an IKE SA initiation coming from the remote peer.
This article describes how to disable that option.
Solution
When a FortiGate is configured for a site-to-site IPsec VPN with another FortiGate or with a third-party vendor appliance, it is sometimes required that one side acts as responder only. In that case one peer must be set to respond only and the other peer must initiate the IKE SA negotiation (a tunnel where both ends are set to respond only will never come up).
In the FortiGate phase 1 settings, 'auto-negotiate' is enabled by default, so the FortiGate will try to negotiate the IKE phase 1 SA on its own. Disable that option from the CLI:
# config vpn ipsec phase1-interface
edit "VPN_Site_Site"
set interface "port1"
set keylife 28800
set peertype any
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set auto-negotiate disable
set remote-gw 10.x.x.x
next
end
After this change to phase 1, the FortiGate will wait for the IKE negotiation to be started by the remote peer instead of starting it itself.
For the phase 2 'auto-negotiate' setting (which is separate and lives under 'config vpn ipsec phase2-interface'), refer to the related article below.
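The following is an added example, not part of the original article, showing the two ends of such a tunnel side by side: Site A keeps the default (initiator) behaviour and Site B has 'auto-negotiate' disabled so it only answers. Tunnel names, interface names, subnets and the public addresses 192.0.2.1 (Site A) and 198.51.100.1 (Site B) are placeholders chosen for the example, and the pre-shared key is left as a placeholder to be replaced. Lines starting with '#' are annotations for the reader, not CLI input. The verification commands at the end are standard FortiOS diagnose/show commands for checking that the setting was saved and that the IKE SA is brought up by the remote side.

```text
# ---- Site A: initiator (auto-negotiate left at its default of enable) ----
config vpn ipsec phase1-interface
    edit "VPN_Site_Site"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha256 aes128-sha256
        set dpd on-idle
        set remote-gw 198.51.100.1
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "VPN_Site_Site_p2"
        set phase1name "VPN_Site_Site"
        set proposal aes256-sha256 aes128-sha256
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end

# ---- Site B: responder (auto-negotiate disabled, per this article) ----
config vpn ipsec phase1-interface
    edit "VPN_Site_Site"
        set interface "port1"
        set ike-version 2
        set keylife 28800
        set peertype any
        set proposal aes256-sha256 aes128-sha256
        set auto-negotiate disable
        set remote-gw 192.0.2.1
        set psksecret <pre-shared key>
    next
end
config vpn ipsec phase2-interface
    edit "VPN_Site_Site_p2"
        set phase1name "VPN_Site_Site"
        set proposal aes256-sha256 aes128-sha256
        set src-subnet 10.2.0.0 255.255.0.0
        set dst-subnet 10.1.0.0 255.255.0.0
    next
end

# ---- Verification on Site B ----
# 'show' prints only non-default values, so 'set auto-negotiate disable'
# must appear in the output if the change was saved
show vpn ipsec phase1-interface VPN_Site_Site
# IKE gateway state; once Site A has initiated it should report established
diagnose vpn ike gateway list name VPN_Site_Site
# Phase 2 SAs and traffic counters for the tunnel
diagnose vpn tunnel list name VPN_Site_Site
# If the tunnel stays down, watch IKE on the responder to confirm that the
# first IKE message arrives from Site A; turn the debug off again afterwards
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

If the remote peer is a third-party appliance rather than a FortiGate, the same rule applies: that device must be configured to initiate, otherwise neither side will ever send the first IKE message. Disabling 'auto-negotiate' only stops the FortiGate from starting the negotiation on its own; on FortiOS releases that provide 'set passive-mode enable' under 'config vpn ipsec phase1-interface', that setting is the stricter responder-only option, so check the CLI reference for the release in use.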
Related Articles
Technical Tip: Using the IPSec auto-negotiate and keepalive options