FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
anandpatel
Staff
Staff
Description
The Fortigate IPsec VPN phase 1 is set to initiate the IKE SA negotiation by default.
The option is available to disable it and respond only with the IKE SA initiation from remote peer side.

This article describes how to disable this option.

Solution
In cases Fortigate is configured with third party vendor appliance or Fortigate site to site IPsec VPN and require to set it as response only.

It is requirement to set one side as response only and other side to initiate IKE SA negotiation.
In the Fortigate the phase-1 settings for 'auto-negotiate' is by default enable.
So the Fortigate will try to negotiate IKE Phase-1 SA.
 
Disable that option from the CLI.
# config vpn ipsec phase1-interface
    edit "VPN_Site_Site"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set auto-negotiate disable
        set remote-gw 10.x.x.x
    next
end
After updating this configuration in the Phase1, Fortigate will wait for the IKE negotiation from the remote peer side.

About the phase-2 (Auto-negotiation) details, refer to attached KB article below.

Related Articles

Technical Tip: Using the IPSec auto-negotiate and keepalive options

Contributors