IPSec Tunnel Not Coming Up
Use this guide when the VPN tunnel stays down, Phase 1 never completes, or Phase 2 fails after initial negotiation.
Common Symptoms
- Tunnel remains down on one or both sides.
- Peer device is reachable but no VPN comes up.
- Phase 1 starts but Phase 2 does not establish.
- No traffic passes between the remote subnets.
What To Check First
- Peer public IP is reachable.
- Correct pre-shared key is configured on both devices.
- Phase 1 proposals match.
- Phase 2 selectors or proxy IDs match.
- NAT is not being applied to the interesting traffic (the traffic that is supposed to enter the tunnel).
Useful Cisco Commands
show crypto ikev2 sa
show crypto ipsec sa
show run | section crypto
show access-lists
Useful FortiGate Commands
diagnose vpn ike gateway list
diagnose vpn tunnel list
diagnose debug application ike -1
diagnose debug enable
Step-by-Step Troubleshooting
- Ping the remote peer public IP address.
- Verify the outside interface and peer IP on both sides.
- Compare Phase 1 settings: encryption, authentication, DH group, lifetime.
- Compare Phase 2 settings: local subnet, remote subnet, proposals, PFS.
- Check whether NAT is accidentally applied to VPN traffic.
- Enable debug and watch where negotiation fails.
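The comparison steps above as a small Python checker, added here as an example rather than code from this guide or from either vendor: it diffs both peers' Phase 1 and Phase 2 proposals field by field, verifies that the Phase 2 selectors mirror each other, and flags any NAT rule that would rewrite traffic bound for the remote subnet before encryption. The PeerConfig structure, its field names and the HQ/Branch sample values are assumptions made for the example; the 10.10.20.0/24 subnet reuses the address range from the debug flow below.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass
class PeerConfig:
    name: str
    phase1: dict                 # encryption, authentication, dh_group, lifetime
    phase2: dict                 # encryption, authentication, pfs_group
    local_subnet: str            # this side's protected network
    remote_subnet: str           # the peer's protected network
    nat_rules: list = field(default_factory=list)  # (src_net, dst_net) pairs that NAT applies to

def compare_phases(a, b):
    # Field-by-field comparison of the Phase 1 and Phase 2 proposals on both peers.
    issues = []
    for phase, pa, pb in (("Phase 1", a.phase1, b.phase1), ("Phase 2", a.phase2, b.phase2)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                issues.append(f"{phase} {key} mismatch: {a.name}={pa.get(key)} {b.name}={pb.get(key)}")
    return issues

def compare_selectors(a, b):
    # Phase 2 selectors must mirror each other: A's local is B's remote and vice versa.
    issues = []
    if ip_network(a.local_subnet) != ip_network(b.remote_subnet):
        issues.append(f"selector mismatch: {a.name} local {a.local_subnet} vs {b.name} remote {b.remote_subnet}")
    if ip_network(a.remote_subnet) != ip_network(b.local_subnet):
        issues.append(f"selector mismatch: {a.name} remote {a.remote_subnet} vs {b.name} local {b.local_subnet}")
    return issues

def nat_hits_vpn(peer):
    # NAT rules overlapping both selectors rewrite interesting traffic before it is encrypted.
    local, remote = ip_network(peer.local_subnet), ip_network(peer.remote_subnet)
    return [r for r in peer.nat_rules
            if ip_network(r[0]).overlaps(local) and ip_network(r[1]).overlaps(remote)]

def check_tunnel(a, b):
    # Every finding that would keep the tunnel down or stop traffic passing.
    nat_issues = [f"{p.name}: NAT rule {r[0]} -> {r[1]} matches VPN traffic, needs a NAT exemption"
                  for p in (a, b) for r in nat_hits_vpn(p)]
    return compare_phases(a, b) + compare_selectors(a, b) + nat_issues

# Constructed sample: the DH and PFS groups drifted between the two peers, and HQ still
# has a catch-all outbound NAT rule with no exemption for the VPN subnets.
HQ = PeerConfig("HQ", {"encryption": "aes256", "authentication": "sha256", "dh_group": 14, "lifetime": 86400},
                {"encryption": "aes256", "authentication": "sha256", "pfs_group": 14},
                "10.10.10.0/24", "10.10.20.0/24", nat_rules=[("10.10.10.0/24", "0.0.0.0/0")])
BRANCH = PeerConfig("Branch", {"encryption": "aes256", "authentication": "sha256", "dh_group": 5, "lifetime": 86400},
                    {"encryption": "aes256", "authentication": "sha256", "pfs_group": 5},
                    "10.10.20.0/24", "10.10.10.0/24")
```

Running check_tunnel(HQ, BRANCH) on the sample reports the Phase 1 DH group mismatch, the Phase 2 PFS mismatch and the HQ NAT rule, which are exactly the items the comparison steps would catch by hand.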
Example Debug Flow
# FortiGate
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# Generate traffic from one side
ping 10.10.20.10
# Then disable debug after collecting output
diagnose debug disable
Common Root Causes
- Wrong pre-shared key
- Proposal mismatch between peers
- Incorrect local or remote subnet definitions
- NAT applied before encryption
- Peer IP changed or wrong interface selected
Expected Result
A healthy VPN should show active IKE and IPsec security associations, and traffic between the configured subnets should pass successfully.