Description
The FortiGate IPsec VPN phase 1 is set by default to initiate the IKE SA negotiation. An option is available to disable this so that the FortiGate only responds to an IKE SA initiation from the remote peer.
This article describes how to disable this option.
Solution
When a FortiGate is configured for a site-to-site IPsec VPN with a third-party vendor appliance or with another FortiGate, it may be required to set one side as response only.
One side must be set to respond only and the other side must initiate the IKE SA negotiation. In the FortiGate, the phase-1 setting 'auto-negotiate' is enabled by default, so the FortiGate will try to negotiate the IKE phase-1 SA.
Disable that option from the CLI:
# config vpn ipsec phase1-interface
    edit "VPN_Site_Site"
        set interface "port1"
        set keylife 28800
        set peertype any
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set auto-negotiate disable
        set remote-gw 10.x.x.x
    next
end
After this change is applied in phase 1, the FortiGate will wait for the IKE negotiation to be started by the remote peer.
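To check which role each tunnel has after the change, the following added example (not part of the KB article, and not Fortinet code) parses the text printed by `show vpn ipsec phase1-interface` and reports, per tunnel, whether the FortiGate will initiate IKE or respond only; the sample config and its addresses are constructed, and the parser assumes the usual `edit`/`set`/`next` block layout.

```python
"""Audit FortiOS phase1-interface blocks for the auto-negotiate setting."""
import re

# Constructed sample of `show vpn ipsec phase1-interface` output (assumed layout).
# `show` prints only non-default values, so a tunnel with no auto-negotiate line
# is running with the default, which is enable (the FortiGate initiates).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "VPN_Site_Site"
        set interface "port1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256
        set auto-negotiate disable
        set remote-gw 203.0.113.10
    next
    edit "VPN_Branch"
        set interface "port1"
        set peertype any
        set remote-gw 203.0.113.20
    next
end
"""

def parse_phase1(config_text):
    """Return {tunnel_name: {setting: value}} for each `edit` block."""
    tunnels, current = {}, None
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r'^edit "([^"]+)"$', line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")   # value may contain spaces
            tunnels[current][key] = value.strip('"')
    return tunnels

def ike_role(settings):
    """'responder-only' only when auto-negotiate is explicitly disabled."""
    return "responder-only" if settings.get("auto-negotiate") == "disable" else "initiator"

def audit(config_text):
    """Map each tunnel name to its IKE phase-1 role."""
    return {name: ike_role(s) for name, s in parse_phase1(config_text).items()}

if __name__ == "__main__":
    for name, role in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {role}")
```

Run the same audit on both peers of a tunnel: exactly one side should report "initiator", otherwise the tunnel either never comes up or both sides race to negotiate.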
For details on phase-2 auto-negotiation, refer to the related KB article linked below.