The Fortigate 60D and 100D have been used to build an IPSec tunnel between two sites since last year. The firmware version is 5.2.4 build 668. I was planning to upgrade the Fortigate 100D to 5.4.1. The upgrade process was smooth, but the IPsec tunnel was broken after the upgrade.

Fortigate60D IPSec Tunnel Configuration:

Fortigate100D IPSec Tunnel Configuration:

Unfortunately, the tunnel between the 60D and the 100D failed to come up after the upgrade process rebooted the 100D. Based on the following troubleshooting commands run on the 100D, we found that the 100D ignored the IKE request from the 60D because of a missing Phase 2 proposal configuration.

diag debug reset
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4
diag debug console timestamp enable
diag debug application ike -1
diag debug enable

I tried to add a phase 2 on the 60D firewall. It shows that a phase 2 has already been auto-configured from phase 1.

FW-60D(p2) #
name : p2
phase1name :
use-natip : enable
selector-match : auto
proposal : aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
pfs : enable
dhgrp : 14 5
replay : enable
keepalive : disable
auto-negotiate : disable
keylife-type : seconds
encapsulation : tunnel-mode
comments :
keylifeseconds : 43200

FW-60D (p2) #
set phase1name
<string> please input string value
f1-f2 phase1

60D (p2) # set phase1name f1-f2

60D (p2) # set selector-match
exact Match selectors exactly.
subset Match selectors by subset.
auto Use subset or exact match depending on selector address type.

60D (p2) # end
For autoconf-enabled phase1, a phase2 is already generated internally.
object set operator error, -5 discard the setting
Command fail. Return code -5

It seems the 60D with firmware version 5.2.5 is still using the auto-configured IPSec Phase 2, but the 100D no longer had that configuration after the upgrade to 5.4.1. I quickly added a manual phase 2 configuration on the 100D, and the tunnel came up right away.

It seems that with the newer firmware version, FortiOS changed its default handling of IPSec Phase 2: the phase 2 is no longer generated automatically from phase 1, so you will have to put the phase 2 configuration into the VPN manually.
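For reference, here is what a manual phase 2 on the 100D looks like when it mirrors the phase 2 that the 60D still generates automatically (the settings come from the 60D output above). This is an added example, not the author's actual configuration: the phase1 name "f1-f2" is taken from the 60D session, while the subnets are placeholders and an interface-based tunnel is assumed (a policy-based tunnel uses "config vpn ipsec phase2" instead).

```fortios
# Added example, not from the original post. Phase 2 for the 100D matching the
# auto-generated "p2" object shown on the 60D. Subnets are placeholder values.
# Assumes an interface-based tunnel; policy-based tunnels use "config vpn ipsec phase2".
config vpn ipsec phase2-interface
    edit "p2"
        set phase1name "f1-f2"
        # The proposal list must overlap what the 60D offers, otherwise the 100D
        # has nothing to match the incoming IKE request against and ignores it.
        # The 3DES entries are kept only to match the 60D; drop them once both sides agree.
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
        set pfs enable
        set dhgrp 14 5
        set replay enable
        set keylife-type seconds
        set keylifeseconds 43200
        set encapsulation tunnel-mode
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Confirm the IKE gateway and the phase 2 SA are established after the change.
diagnose vpn ike gateway list
diagnose vpn tunnel list
get vpn ipsec tunnel summary
```

If the tunnel still stays down, rerun the "diag debug application ike -1" capture from above and compare the proposal and DH group the 60D offers against this list.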

By Jon
