
IPsec VPN Troubleshooting in FortiGate Firewall

Updated: Jan 18


IPsec VPN Troubleshooting in FortiGate Firewall

Follow the steps below to troubleshoot this kind of issue:


1. VPN Tunnel Issues:


  • Frequent Tunnel Downtime: 

    • Use diagnose vpn tunnel list to check tunnel status.

    • Ensure the pre-shared key is identical on both ends to avoid PSK mismatch errors.

    • Clear existing VPN tunnels with diagnose vpn ike restart and diagnose vpn ike gateway clear; note that both commands reset every tunnel on the unit, not just the one under investigation.


2. SA Proposal Mismatch:

  • Check and match the SA proposals on both ends of the VPN connection.

  • Commands:

    • diag vpn ike log filter name <phase1-name>

    • diag debug app ike -1

    • diag debug enable


3. Phase 1 and Phase 2 Negotiation:


  • Phase 1 Troubleshooting: 

    • Start from a clean debug state with diagnose debug disable and diagnose vpn ike log-filter clear, then set the log filter for the tunnel under test.

    • Use diagnose debug app ike 255 (followed by diagnose debug enable) to trace the negotiation process.

  • Phase 2 Troubleshooting: 

    • Ensure both ends have matching settings and proposals.

    • Check routing and enable/disable IPsec ASIC-offloading if necessary.
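Sections 2 and 3 both come down to the same check: the two peers must share at least one value for every negotiated parameter. The following added Python example (not from the original post) parses the proposal-related set lines of phase1-interface and phase2-interface snippets written in FortiOS CLI config format from both peers and reports each parameter that has no common value. SITE_A and SITE_B are constructed sample configs with placeholder tunnel names and RFC 5737 addresses; the example assumes one tunnel entry per snippet.

```python
"""Compare IKE phase 1 / phase 2 proposals of two FortiGate peers.

Added example, not from the original post. It reads the 'set' lines of
'config vpn ipsec phase1-interface' / 'phase2-interface' snippets in the
FortiOS CLI config format and reports parameters with no common value.
SITE_A and SITE_B are constructed samples (placeholder names, RFC 5737 IPs).
"""
import re

SITE_A = """
config vpn ipsec phase1-interface
    edit "VPN-to-HQ"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256 aes128-sha1
        set dhgrp 14 5
        set remote-gw 198.51.100.20
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-HQ-p2"
        set phase1name "VPN-to-HQ"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
    next
end
"""

SITE_B = """
config vpn ipsec phase1-interface
    edit "VPN-to-BRANCH"
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-BRANCH-p2"
        set phase1name "VPN-to-BRANCH"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 14
    next
end
"""

# Parameters whose value sets must overlap between the two peers.
CHECKED = {
    "phase1-interface": ["ike-version", "proposal", "dhgrp"],
    "phase2-interface": ["proposal", "pfs", "dhgrp"],
}


def parse_ipsec_config(text):
    """Return {section: {param: set(values)}} for the phase1/phase2 sections.

    Assumes one 'edit' entry per section; with several entries the last wins.
    """
    result = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config vpn ipsec (phase[12]-interface)$", line)
        if m:
            section = m.group(1)
            result.setdefault(section, {})
            continue
        if line == "end":
            section = None
            continue
        m = re.match(r"set (\S+) (.+)$", line)
        if m and section:
            param, values = m.group(1), m.group(2).replace('"', "").split()
            result[section][param] = set(values)
    return result


def find_mismatches(cfg_a, cfg_b):
    """List (section, param, values_a, values_b) where the peers share no value."""
    mismatches = []
    for section, params in CHECKED.items():
        for param in params:
            a = cfg_a.get(section, {}).get(param, set())
            b = cfg_b.get(section, {}).get(param, set())
            if not a and not b:
                continue  # both peers rely on the same default; nothing to compare
            if not (a & b):
                mismatches.append((section, param, sorted(a), sorted(b)))
    return mismatches


def compare_peers(text_a, text_b):
    """Parse both config snippets and return their proposal mismatches."""
    return find_mismatches(parse_ipsec_config(text_a), parse_ipsec_config(text_b))


if __name__ == "__main__":
    for section, param, a, b in compare_peers(SITE_A, SITE_B):
        print(f"{section}: '{param}' has no common value: A={a} B={b}")
```

Run against the samples, the phase 1 proposals overlap on aes256-sha256, but the phase 2 proposals (aes256-sha256 versus aes128-sha1) do not, which is exactly the condition that produces a proposal-mismatch failure during phase 2 negotiation. Paste the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface from each peer into SITE_A and SITE_B to check a real pair.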


4. General VPN Troubleshooting Tips:


  • Hardware Offloading:

    • Enable or disable IPsec ASIC-offloading with:

        config sys global
            set ipsec-asic-offload [enable|disable]
        end

  • XAuth Configuration:

    • Try enabling XAuth for additional authentication if necessary.


5. NAT Devices:


  • Check whether a NAT device sits in the path between the two peers and adjust the tunnel settings to match.

  • Verify that NAT traversal is enabled and functioning correctly.
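To make the status check from section 1 and the NAT traversal check from section 5 repeatable, here is an added Python example (not from the original post) that parses the text output of diagnose vpn tunnel list, flags tunnels whose phase 2 selectors have no SA, and reports the NAT-T mode seen on each tunnel. SAMPLE_OUTPUT is a constructed sample laid out in the shape of that command's output; the tunnel names and addresses are placeholders, and the fields the parser keys on (name=, natt: mode=, proxyid= ... sa=) are assumed to match those of your FortiOS release.

```python
"""Triage 'diagnose vpn tunnel list' output.

Added example, not from the original post. SAMPLE_OUTPUT is a constructed
sample in the shape of the FortiOS command's output (placeholder names and
RFC 5737 addresses); the parser keys on the name=, natt: and proxyid= lines.
"""
import re

SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-to-HQ ver=2 serial=1 203.0.113.10:0->198.51.100.20:0 tun_id=198.51.100.20 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=frag-rfc run_state=0 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=13 ilast=3 olast=3 ad=/0
stat: rxp=1520 txp=1498 rxb=210304 txb=190112
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN-to-HQ-p2 proto=0 sa=1 ref=2 serial=1
  src: 0:10.1.0.0-10.1.0.255:0
  dst: 0:10.2.0.0-10.2.0.255:0
  SA: ref=3 options=10226 type=00 soft=0 mtu=1438 expire=42123/0B replaywin=2048
------------------------------------------------------
name=VPN-to-BRANCH ver=2 serial=2 203.0.113.10:4500->192.0.2.77:4500 tun_id=192.0.2.77 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=frag-rfc run_state=0 accept_traffic=0
proxyid_num=1 child_num=0 refcnt=5 ilast=601 olast=601 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=VPN-to-BRANCH-p2 proto=0 sa=0 ref=1 serial=1
  src: 0:10.1.0.0-10.1.0.255:0
  dst: 0:10.3.0.0-10.3.0.255:0
"""


def parse_tunnel_list(text):
    """Return one dict per tunnel: name, IKE version, endpoints, NAT-T mode, selectors."""
    tunnels = []
    cur = None
    for line in text.splitlines():
        # A new tunnel block starts with its name= line and the local->remote endpoints.
        m = re.match(r"name=(\S+) ver=(\d+) serial=\d+ (\S+)->(\S+)", line)
        if m:
            cur = {"name": m.group(1), "ike_version": int(m.group(2)),
                   "local": m.group(3), "peer": m.group(4),
                   "natt": None, "selectors": []}
            tunnels.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"natt: mode=(\S+)", line)
        if m:
            cur["natt"] = m.group(1)
            continue
        # Each phase 2 selector reports how many SAs are currently installed.
        m = re.match(r"proxyid=(\S+) proto=\d+ sa=(\d+)", line)
        if m:
            cur["selectors"].append({"proxyid": m.group(1), "sa": int(m.group(2))})
    return tunnels


def tunnels_without_sa(tunnels):
    """Names of tunnels where every phase 2 selector has sa=0, so no traffic can flow."""
    return [t["name"] for t in tunnels
            if t["selectors"] and all(s["sa"] == 0 for s in t["selectors"])]


def natt_summary(tunnels):
    """Map tunnel name -> NAT-T mode; anything other than 'none' means a NAT device is in the path."""
    return {t["name"]: t["natt"] for t in tunnels}


if __name__ == "__main__":
    parsed = parse_tunnel_list(SAMPLE_OUTPUT)
    down = set(tunnels_without_sa(parsed))
    for t in parsed:
        state = "DOWN (no phase 2 SA)" if t["name"] in down else "UP"
        print(f"{t['name']:16} peer={t['peer']:22} natt={str(t['natt']):10} {state}")
```

In the sample, VPN-to-BRANCH is the tunnel to investigate: its only selector has sa=0, its peer is reached on UDP 4500 and natt reports keepalive, so a NAT device sits in that path and NAT traversal must be enabled on both ends for phase 2 to come up. Pipe the real command output into parse_tunnel_list to apply the same triage on a live unit.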


Example CLI Commands

1. PSK Mismatch Error:


2. SA Proposal Mismatch:



3. Clear Existing Tunnels:

4. Disable Debugging:

