# diagnose ipsec connect <phase1name> <phase2name>
In this example, phase1name and phase2name are both 'ipsecvpn'.
FortiProxy # diagnose ipsec connect ipsecvpn ipsecvpn
Initiate completed successfully.
[ENC] generating QUICK_MODE request 3312549748 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (492 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (444 bytes)
[ENC] parsed QUICK_MODE response 3312549748 [ HASH SA No KE ID ID ]
[IKE] received 28800s lifetime, configured 0s
[IKE] received 36908000 lifebytes, configured 36908748
[IKE] CHILD_SA ipsecvpn{4} established with SPIs c581cf90_i b7f42e3f_o and TS 10.207.0.0/22 === 10.237.0.0/22
[ENC] generating QUICK_MODE request 3312549748 [ HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (76 bytes)
If the VPN tunnel cannot be brought up, check the phase1/phase2 settings and make sure all parameters are correct, and run debug or check the log on the remote gateway to figure out the problem.
FortiProxy # diagnose ipsec connect ipsecvpn ipsecvpn
[IKE] initiating Main Mode IKE_SA ipsecvpn[35] to 10.177.1.188
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (560 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (188 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
[IKE] received NAT-T (RFC 3947) vendor ID
[IKE] received DPD vendor ID
[ENC] received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
[IKE] received FRAGMENTATION vendor ID
[IKE] received FRAGMENTATION vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (396 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 10.177.1.246[500] to 10.177.1.188[500] (92 bytes)
[NET] received packet: from 10.177.1.188[500] to 10.177.1.246[500] (380 bytes)
[IKE] received retransmit of response with ID 0, but next request already sent
[IKE] sending retransmit 1 of request message ID 0, seq 3
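The two outputs above can be triaged mechanically. The following Python sketch is an added example, not Fortinet tooling: it reads the debug lines of one `diagnose ipsec connect` run and reports whether a CHILD_SA came up, which request was left unanswered, the retransmit count, and where the received lifetime values differ from the configured ones. The function name `triage` and the result keys are assumptions made for this example; the sample logs are constructed from a subset of the lines shown above.

```python
import re

# Constructed sample input: a subset of the lines from the two outputs above.
OK_LOG = """\
[ENC] generating QUICK_MODE request 3312549748 [ HASH SA No KE ID ID ]
[ENC] parsed QUICK_MODE response 3312549748 [ HASH SA No KE ID ID ]
[IKE] received 28800s lifetime, configured 0s
[IKE] received 36908000 lifebytes, configured 36908748
[IKE] CHILD_SA ipsecvpn{4} established with SPIs c581cf90_i b7f42e3f_o and TS 10.207.0.0/22 === 10.237.0.0/22
[ENC] generating QUICK_MODE request 3312549748 [ HASH ]
"""
FAIL_LOG = """\
[IKE] initiating Main Mode IKE_SA ipsecvpn[35] to 10.177.1.188
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[IKE] received retransmit of response with ID 0, but next request already sent
[IKE] sending retransmit 1 of request message ID 0, seq 3
"""

CHILD = re.compile(r"CHILD_SA (\S+)\{\d+\} established with SPIs "
                   r"([0-9a-f]+)_i ([0-9a-f]+)_o and TS (\S+) === (\S+)")
MSG = re.compile(r"\[ENC\] (generating|parsed) (\w+) (?:request|response) \d+ \[ (.*?) \]")
LIFE = re.compile(r"received (\d+)s? (lifetime|lifebytes), configured (\d+)")
RETX = re.compile(r"sending retransmit (\d+) of request")

def triage(log):
    """Summarise one `diagnose ipsec connect` run from its debug lines."""
    out = {"established": None, "stalled_at": None, "retransmits": 0, "lifetime_diffs": []}
    pending = None
    for line in log.splitlines():
        if m := CHILD.search(line):
            out["established"] = {"name": m[1], "spi_i": m[2], "spi_o": m[3], "ts": (m[4], m[5])}
        elif m := MSG.search(line):
            # A generated request stays pending until a response is parsed.
            pending = (m[2], m[3]) if m[1] == "generating" else None
        elif m := LIFE.search(line):
            # Value received from the peer vs. the configured one.
            if m[1] != m[3]:
                out["lifetime_diffs"].append((m[2], int(m[1]), int(m[3])))
        elif m := RETX.search(line):
            out["retransmits"] = max(out["retransmits"], int(m[1]))
    if out["established"] is None:
        out["stalled_at"] = pending  # last request that never got a parsed reply
    return out

if __name__ == "__main__":
    for name, log in (("success", OK_LOG), ("failure", FAIL_LOG)):
        print(name, triage(log))
```

For the failing run, `stalled_at` is `('ID_PROT', 'ID HASH')` with one retransmit, which points the parameter check at the phase1 settings and the remote gateway's log.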
# diagnose ipsec reload-ipsec
'reload-ipsec' is necessary after applying some changes to phase1 or phase2 settings.
# diagnose ipsec reload-ca