Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

Created on ‎01-21-2024 08:06 AM

Tunnel IPSEC in FortiGate

good morning friends.

I have configured an IPsec tunnel on my FW, however at first it was UP, after a few minutes the tunnel went down. The tunnel was raised manually then it fell in a few minutes and so on. What could be the problem? It has been validated that both computers have the same configuration.

Labels:
385
0 Kudos
5 REPLIES 5
esalija
Staff
Staff

Created on ‎01-21-2024 08:12 AM

Hi @unknown1020 

 

Please run the IKE debug command while the issue is happening and check the output:

# diagnose debug reset

# diagnose vpn ike log-filter dst-addr4 <Remote_Peer_IP>

# diagnose debug application ike -1

# diagnose debug console timestamp enable

# diagnose debug enable

 

To disable :

# diagnose debug disable

# diagnose debug reset

 

For more details follow the KB step-by-step - > https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

 

Best regards,

Erlin

376
0 Kudos
unknown1020
New Contributor III
In response to esalija

Created on ‎01-22-2024 11:07 AM

Friends, I managed to raise my tunnel, however when I ping the remote IP I have no response, what could be the problem?

IMG-20240122-WA0006.jpg

278
0 Kudos
sahmed_FTNT
Staff
Staff

Created on ‎01-21-2024 08:21 AM

Hello, kindly make sure the below options are configured to make sure tunnel remains up:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-the-IPSec-auto-negotiate-and-keepali...

Security all we want
371
0 Kudos
vbandha
Staff
Staff

Created on ‎01-21-2024 11:12 AM

Hello @unknown1020 

 

Also check Dead Peer Detection setting on both sides. 

Make sure it is set to 'On Demand' 

https://community.fortinet.com/t5/FortiClient/Technical-Tip-Configuring-DPD-dead-peer-detection-on-I...

 

Regards,

Varun

330
0 Kudos
salemneaz
Staff
Staff

Created on ‎01-21-2024 12:53 PM

Do a continuous ping to the remote IP address to make sure that it is remaining up, and also change the mode to aggressive.

 

config vpn ipsec phase1-interface
edit <name>
set mode [aggressive|main]

 

Article Reference:

---------------------------------

https://docs.fortinet.com/document/fortigate/7.0.1/cli-reference/368620/config-vpn-ipsec-phase1-inte...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Differences-between-Aggressive-and-Main-mo...

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPN-Phase-1-Process-Aggressive...

 

309
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.