IPsec Site-to-Site VPN Palo Alto <-> FortiGate

This is a small tutorial for configuring a site-to-site IPsec VPN between a Palo Alto and a FortiGate firewall. I am publishing step-by-step screenshots for both firewalls as well as a few troubleshooting CLI commands.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–


This is my basic laboratory for this VPN connection. I am using a Palo Alto PA-200 with PAN-OS 6.1.1 while the FortiWiFi 90D has v5.2.2 installed.

S2S VPN Palo Alto - FortiGate Laboratory

Palo Alto

The Palo Alto is configured in the following way. Please refer to the descriptions under the images for detailed information.

(And do not forget the “untrust-untrust” policy that allows ipsec!)


And this is the way for the FortiGate firewall:


Following are a few screenshots and listings from both firewalls concerning the VPN:

Palo Alto CLI:


FortiGate CLI:


8 thoughts on “IPsec Site-to-Site VPN Palo Alto <-> FortiGate

  1. We followed step by step for this lab set up and the tunnel isn’t even coming up. Do you have any suggestions that might be the reason for this?

    1. ;) You should at least tell me a bit more about your error logs, etc. Simply saying “it is not working – can you tell me the issue” is like “let me look into my crystal ball”…

      Please have a look at the log entries on both firewalls and try to find the issue then.

  2. The above steps are incomplete as you need to define the proxy ID’s, the peer and local id’s on the ike gateway and double check your IKE gateway on both sides, Fortigate does not like to negotiate child SA’s cleanly.

    Takes a while for the Fortigate to play nicely.

    Other than that, the article is a great step-by-step guide

    1. please could you explain more detail. i’m using fortigate. and other site is using paloalto. how can i define the proxy id, peer, local id

      1. ??? What do you mean with more detail? Absolutely everything is explained in the screenshots above. ;)
        You MUST NOT define any proxy IDs. Everything is done with the routing!
        You also MUST NOT define the local id, if the VPN is between static IP addresses.

  3. Hi Johannes,

    were there any IPv4 policies created for the Fortigate firewall in your Site-to-Site setup?

  4. I’m also having an issue.

    have setup a VPN from my PA to a Fortigate FW in main mode. no proxy IDs, or local/remote IDs are used.

    here is the error:

    IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: x.x.x.x/32 type IPv4_address protocol 0 port 0, received remote id: x.x.x.x/32 type IPv4_address protocol 0 port 0.

    it feels like I’m hitting a policy-based VPN setup, but I’m assured it is a route-based setup. I’m not sure why it is complaining about the Proxy ID?

    any suggestions?

    1. Hey Justin,

      even if you’re using a “route-based” VPN, proxy IDs of type (or ::/0 for IPv6) are announced. That is: Both firewalls implicitly list this entry when you’re not configuring anything else.

      Note that your error message looks like you have configured a proxy ID with It must be to have “any”. If you are not sure, configure a on BOTH firewalls.

      And keep on looking at the error logs on both firewalls as well. The better logs are generated at the receiving side, not at the initiating side.

Leave a Reply

Your email address will not be published. Required fields are marked *