I have to make a site-to-site VPN with a FortiGate, but when I make the VPN the WAN interfaces stop pinging and the tunnel interface also goes down. Getting an "invalid id notification" in the IPsec log. Phase 1 is up but there is an error in phase 2.
Need help.
Sounds like a routing issue.
Be sure to check the P2 as well; if you send more than one network it might need to be split up into more than one P2, or the other way around.
The CLI configuration shows more than the GUI on the FortiGate about troubleshooting P2.
Edit: would need more info about the routing and the IPsec to know your problem.
I had that problem today, and I deleted all my VPN configuration and redid the site-to-site VPN that Fortinet brings, and with that it worked.
When establishing an SA with a CP firewall, you need to explicitly map the security associations in your P2 config. Simply leaving them 0.0.0.0/0 and using routes on the FortiGate, or trying to group the IPs and use a named object group will fail as the CP is expecting separate P2 proposals for each SA pair.
Not sure if that applies in your case, but has caught me out in previous migrations.
Thanks, it's done with the IPsec tunnel wizard and then converted to a custom tunnel for ph1 and ph2 proposals. It's working perfectly fine.
How are you defining the “interesting traffic” for the VPN? If you are specifying 0.0.0.0, you are probably taking your Internet down when the tunnel attempts to establish because all traffic is attempting to go over the tunnel.
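The two points made above (one P2 selector per subnet pair when the peer is a Check Point, and not using 0.0.0.0/0 as the interesting traffic) can be shown side by side in FortiOS CLI. This is an added example, not configuration from anyone in the thread; the tunnel name `to-cp`, the subnets 10.10.1.0/24, 10.10.2.0/24 and 192.168.50.0/24, and the proposal are assumed placeholders, and the firewall policies that reference the tunnel interface are omitted.

```text
# --- Weak form: a single wildcard phase 2 selector (assumed names/subnets) ---
# With a Check Point peer this mismatches its per-subnet encryption domain and
# phase 2 fails with an INVALID_ID_INFORMATION notify; any route that sends
# 0.0.0.0/0 into the tunnel also pulls the WAN default route into the tunnel.
config vpn ipsec phase2-interface
    edit "to-cp-p2"
        set phase1name "to-cp"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# --- Corrected form: one phase2-interface entry per local/remote subnet pair ---
config vpn ipsec phase2-interface
    edit "to-cp-p2-lan1"
        set phase1name "to-cp"
        set proposal aes256-sha256
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
    edit "to-cp-p2-lan2"
        set phase1name "to-cp"
        set proposal aes256-sha256
        set src-subnet 10.10.2.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# Static route scoped to the remote subnet only; the default route stays on the WAN.
# "edit 0" lets FortiOS pick the next free route ID.
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "to-cp"
    next
end

# --- Verification: check the SA state, then capture IKE debug while the peer initiates ---
diagnose vpn tunnel list name to-cp
diagnose debug application ike -1
diagnose debug enable
# (bring the tunnel up from the peer side, watch for the phase 2 selector negotiation)
diagnose debug disable
diagnose debug reset
```

If the remote side has several subnets, the corrected form grows to one `phase2-interface` entry per local/remote pair rather than a summarised or grouped selector; the IKE debug output shows which selector pair the peer rejected.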
Does the interface go down on the FortiGate or the Checkpoint?
Have you done a debug? It will tell you where the issue is.
Make the Checkpoint the initiator and run the debug. The CLI will tell you where the issue is.
This is something I have learned as well with S2S VPNs between a FortiGate and other vendors' firewalls. I, however, found the guide below and have tried it one time in an S2S VPN between a FortiGate and an Azure VNET VPN that was very unstable (dropped every other minute), and this worked for me.
Guide: Technical Tip: Dynamic creation of IPsec tunnels (... - Fortinet Community
The scenario you are describing is possible only on a dialup tunnel hub (`set type dynamic`) if it is configured to inject received phase 2 selectors into its routing table (`set add-route enable`; instead of running dynamic routing across).
This cannot happen on a dialup spoke, nor on either site-to-site peer (`set type dynamic`).