Troubleshooting IPSec VPN Tunnel on Fortigate
One common cause of trouble with connections from remote branches to the central office or Data Center is the IPSec VPN tunnel between the Fortigate devices going down.
This VPN connection is crucial because if the tunnel is down, routing and SD-WAN cannot function on top of it. This article provides a straightforward guide for troubleshooting such issues.
Prerequisites
What you’ll need:
- IP addresses of the relevant Fortigate devices and their SSH or Web UI ports if necessary.
- Credentials for accessing each device.
Procedure
To check the status of the IPSec tunnel via the UI on the Fortigate Hub, navigate to Dashboard → IPSec Monitor (you can add this via the + button at the bottom if it’s not visible in your account).
Look for a tunnel with the target branch’s name under Name or under Peer ID, depending on whether the configuration uses IKE Version 2 or Version 1. Ensure the tunnel is up for both Phase 1 and Phase 2.
If the IPSec tunnel is down, the potential causes include:
- Unstable connectivity between the Spoke and Hub.
- Misconfiguration of the IPSec settings on the Fortigate Hub.
To compare configurations between the Hub and Spoke, use the following commands on the CLI of either device:
show vpn ipsec phase1-interface <VPN_INTERFACE_NAME>
show vpn ipsec phase2-interface <VPN_INTERFACE_NAME>
Ensure that:
- The interface used has an IP address that matches the remote IP (remote-gw) configured on its counterpart;
- The psksecret is correct. Note that show prints it as an encrypted ENC blob that differs between devices even for the same secret, so it cannot be compared by eye; if in doubt, re-enter it on both sides;
- Other configurations align, especially the IKE version, the proposals and the DH groups of both phases.
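Comparing two long show outputs by eye is error-prone, so here is a small script that does the comparison described above. It is an added example, not Fortinet's code or any tool the article mentions: it parses the text of show vpn ipsec phase1-interface, show vpn ipsec phase2-interface and show system interface as copied from each device's CLI and reports the mismatches that keep a tunnel from coming up (remote-gw versus the peer's interface IP, IKE version, proposals and DH groups). The device names, addresses and configurations in it are constructed sample data, and the psksecret values are placeholders.

```python
"""Compare the IPsec settings of a Fortigate hub and spoke from pasted CLI output.

Added example, not Fortinet's code. All names, addresses and configs below are
constructed sample data; the psksecret blobs are placeholders.
"""
import re

P1, P2, IFACE = "vpn ipsec phase1-interface", "vpn ipsec phase2-interface", "system interface"


def parse_fortios(text):
    """Parse flat FortiOS `config / edit / set / next / end` output into
    {section: {entry: {key: [values]}}}. Nested config blocks inside an entry
    are not needed for these sections and are not handled."""
    result, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tokens:
            continue
        if tokens[0] == "config":
            section = " ".join(tokens[1:])
            result.setdefault(section, {})
        elif tokens[0] == "edit" and section is not None:
            entry = tokens[1]
            result[section].setdefault(entry, {})
        elif tokens[0] == "set" and entry is not None:
            result[section][entry][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            section = entry = None
    return result


def _first(entry, key, default=None):
    values = entry.get(key)
    return values[0] if values else default


def _local_ip(cfg, p1):
    """IP configured on the interface the phase1 is bound to (from `show system interface`)."""
    return _first(cfg.get(IFACE, {}).get(_first(p1, "interface"), {}), "ip")


def _phase2_for(cfg, p1_name):
    """Phase2 selectors attached to a phase1, matched on their phase1name."""
    return [e for e in cfg.get(P2, {}).values() if _first(e, "phase1name") == p1_name]


def compare_tunnel(hub_cfg, hub_name, spoke_cfg, spoke_name):
    """Return a list of findings; an empty list means the two sides line up."""
    findings = []
    hub_p1, spoke_p1 = hub_cfg[P1][hub_name], spoke_cfg[P1][spoke_name]
    # Each side's remote-gw must be the other side's interface address. A dialup
    # spoke has no remote-gw on the hub, so that direction is simply skipped.
    for label, p1, peer_cfg, peer_p1 in (("hub", hub_p1, spoke_cfg, spoke_p1),
                                         ("spoke", spoke_p1, hub_cfg, hub_p1)):
        remote, peer_ip = _first(p1, "remote-gw"), _local_ip(peer_cfg, peer_p1)
        if remote and peer_ip and remote != peer_ip:
            findings.append(f"{label}: remote-gw {remote} != peer interface IP {peer_ip}")
    # IKE version must match on both ends (FortiOS defaults to 1 when unset).
    hv, sv = _first(hub_p1, "ike-version", "1"), _first(spoke_p1, "ike-version", "1")
    if hv != sv:
        findings.append(f"phase1: ike-version mismatch (hub {hv}, spoke {sv})")
    # Proposals and DH groups are lists; the peers need at least one entry in common.
    pairs = [("phase1", hub_p1, spoke_p1)]
    pairs += [("phase2", h, s) for h, s in zip(_phase2_for(hub_cfg, hub_name),
                                               _phase2_for(spoke_cfg, spoke_name))]
    for phase, h, s in pairs:
        for key in ("proposal", "dhgrp"):
            hs, ss = set(h.get(key, [])), set(s.get(key, []))
            if hs and ss and not hs & ss:
                findings.append(f"{phase}: no common {key} (hub {sorted(hs)}, spoke {sorted(ss)})")
    # psksecret shows as "ENC <blob>" and the blob differs per device even for the
    # same secret, so it is deliberately not compared here.
    return findings


# Constructed sample output, as it would be pasted from each device's CLI.
HUB_SHOW = """
config system interface
    edit "wan1"
        set ip 198.51.100.1 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to-branch1"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set psksecret ENC placeholder-hub-blob
    next
end
config vpn ipsec phase2-interface
    edit "to-branch1"
        set phase1name "to-branch1"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
"""

SPOKE_SHOW = HUB_SHOW.replace("198.51.100.1", "TMP").replace("203.0.113.10", "198.51.100.1") \
    .replace("TMP", "203.0.113.10").replace("to-branch1", "to-hub") \
    .replace("set dhgrp 14\n        set remote-gw", "set dhgrp 5\n        set remote-gw") \
    .replace("set proposal aes256-sha256\n", "set proposal aes128-sha1\n") \
    .replace("placeholder-hub-blob", "placeholder-spoke-blob")

if __name__ == "__main__":
    for finding in compare_tunnel(parse_fortios(HUB_SHOW), "to-branch1",
                                  parse_fortios(SPOKE_SHOW), "to-hub"):
        print(finding)
```

The spoke sample is derived from the hub sample with the addresses swapped and two deliberate faults introduced (phase 1 DH group 5 against the hub's 14, and a phase 2 proposal of aes128-sha1 against the hub's aes256-sha256), so running the script prints exactly those two mismatches; paste real show output into the two strings to check a live pair.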
If the configuration appears correct but the tunnel remains down, the issue might be an unstable connection between the Hub and Spoke. Verify connectivity using ping and traceroute from each Fortigate device:
exec ping <REMOTE_IP>
exec traceroute <REMOTE_IP>
If the connection is stable but the tunnel is still down, try restarting the tunnel session from the CLI of the Spoke Fortigate. Note that without a name argument the first command tears down every IKE gateway on the device and the second drops all active sessions, not only the tunnel’s; on a device carrying other traffic, limit the first to the tunnel in question with diag vpn ike gateway clear name <PHASE1_NAME>.
diag vpn ike gateway clear
diag sys session clear
Keep in mind that working ping and traceroute do not guarantee a functioning VPN connection. IPSec relies on UDP traffic over ports that are not generally open (IKE on UDP 500 and NAT-T on UDP 4500), which some ISPs block; when there is no NAT in the path, the ESP traffic itself (IP protocol 50) can be filtered as well.
Summary
In short, here’s what to check:
- Ensure the devices can communicate with each other via public IP;
- Verify that IPSec configurations on both devices are correct;
- If everything checks out but the connection is still down, restart the session for the tunnel;
- If it still doesn’t work: pray.