Once both ends are configured, you can test the VPN tunnel.
To test the VPN initiated by branch_2
- On branch_2, go to VPN > Monitor > IPsec Monitor.
All IPsec VPN tunnels will be listed on this page, no matter if they are connected or disconnected.
- Select the tunnel listed for branch_2, and select the status column for that entry.
The status will say Bring Up and remote port, incoming and outgoing data will all be zero. This indicates an inactive tunnel. When you select Bring Up, the FortiGate will try to set up a VPN session over this tunnel. If it is successful, Bring Up will change to Active, and the arrow icon will change to a green up arrow icon.
- If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting:
To test the VPN initiated by branch_1
- On branch_1, go to VPN > Monitor > IPsec Monitor.
- Select the tunnel listed for branch_1, and select the status column.
The difference between branch_2 and branch_1 at this point is that the tunnel entry for branch-1 will not have a remote gateway IP address. It will be resolved when the VPN tunnel is started.
- If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting.
Some troubleshooting ideas include:
- If there was no entry for the tunnel on the monitor page, check the Auto Key (IKE) page to verify the Phase 1 and Phase 2 entries exist.
- Check the security policy or policies, and ensure there is an outgoing policy as a minimum.
- Check that you entered a local ID in the Phase 1 configuration, and that branch_1 has the same local ID.
- Ensure the local DNS server has an up-to-date DNS entry for exmaple.com.
For more information on VPN troubleshooting and testing, see Logging and monitoring.