Showing posts from April, 2023

IKEv2 troubleshooting

FG-86 configuration:
Object for the remote subnet: specify the tunnel interface and enable "Static route configuration".
Create a static route with the Named Address.

FG-86 is the initiator; capture on FG-86 before the VPN is configured on FG-84.

When FG-84 has the VPN configured with a mismatched Phase 1 proposal:
Both ends keep sending INIT_SA, with no notification packets.
The GUI log has no proposal detail; it can only be seen from debug:

# diagnose vpn ike log-filter dst-addr4 192.168.2.84
# diagnose debug application ike -1
# diagnose debug enable

After fixing the Phase 1 mismatch on FG-84, but with a Phase 2 mismatch, we see:
Phase 1 is up.
The GUI log has the Phase 2 error only.
Only debug has the proposal detail.

When the pre-shared key is mismatched, Phase 1 is down.
GUI log:
Debug messages:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPsec-VPNs-tunnels/ta-p/195955

=========================

ASA <> Fortigate
Pre-shared key mismatch
Fortigate is initiator
ASA:
%ASA-4-750003: Local:192.168.2.50:500 Remote:192.168.2.33:500 User
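
To confirm from a capture that only IKE_SA_INIT (the INIT_SA above) is on the wire and that no Notify payload came back, the IKE header and the cleartext payload chain can be parsed directly. This is an added example, not code from the original post or from Fortinet or Cisco; it assumes IKE on UDP/500 (no non-ESP marker), uses field layouts and constants from RFC 7296, and `build_sample` and both sample messages are constructed for illustration.

```python
import struct

# Constants from RFC 7296 (IKEv2); the sample messages below are constructed.
EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY_TYPES = {14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED"}
P_SA, P_NOTIFY, P_ENCRYPTED = 33, 41, 46
F_RESPONSE, F_INITIATOR = 0x20, 0x08
HDR = "!8s8sBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length

def parse_ike(msg: bytes) -> dict:
    """Parse an IKEv2 message as seen on UDP/500 and list cleartext Notify payloads."""
    if len(msg) < 28:
        raise ValueError("shorter than the 28-byte IKE header")
    _spi_i, _spi_r, nxt, ver, exch, flags, msg_id, length = struct.unpack(HDR, msg[:28])
    if ver >> 4 != 2 or not 28 <= length <= len(msg):
        raise ValueError("not a complete IKEv2 message")
    info = {"exchange": EXCHANGES.get(exch, str(exch)), "msg_id": msg_id,
            "is_response": bool(flags & F_RESPONSE), "notifies": []}
    off = 28
    # Walk the payload chain; stop at the SK payload, whose contents need the keys.
    while nxt not in (0, P_ENCRYPTED) and off + 4 <= length:
        following, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        if nxt == P_NOTIFY and plen >= 8:
            _proto, _spi_size, ntype = struct.unpack("!BBH", msg[off + 4:off + 8])
            info["notifies"].append(NOTIFY_TYPES.get(ntype, str(ntype)))
        off, nxt = off + plen, following
    return info

def build_sample(exch: int, flags: int, payloads: list) -> bytes:
    """Hypothetical helper: assemble a constructed message from (type, body) pairs."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    return struct.pack(HDR, b"\x11" * 8, b"\x00" * 8, first, 0x20, exch, flags, 0,
                       28 + len(body)) + body

# Constructed: an initiator's IKE_SA_INIT request (SA body is a dummy placeholder) ...
INIT_REQUEST = build_sample(34, F_INITIATOR, [(P_SA, b"\x00" * 8)])
# ... and the reply a responder may send when no proposal matches.
NO_PROPOSAL = build_sample(34, F_RESPONSE, [(P_NOTIFY, struct.pack("!BBH", 0, 0, 14))])

if __name__ == "__main__":
    for sample in (INIT_REQUEST, NO_PROPOSAL):
        print(parse_ike(sample))
```

A capture that shows only requests with `is_response` false and an empty `notifies` list matches the Phase 1 mismatch symptom described above, which is why the debug output is needed to see the proposals.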