Troubleshoot Fortigate IPsec VPN
================================

I have built quite a few IPsec client VPNs, and most go smoothly. During a recent deployment, building an IPsec client VPN and using SAML for authentication, I ran into some roadblocks. These are the diagnostic tools I used to help weed out the problems. I'll include all the diagnostic commands first, then explain what every one does.

::

    diag debug reset
    fnsysctl killall iked
    diagnose vpn ike log-filter src-addr4 [ip]
    diagnose debug application ike -1
    diagnose debug application samld -1
    diag debug app fnbamd -1
    diag debug application eap_proxy -1
    diag debug enable

| Now, let's go through these line by line.
| ``diag debug reset``: resets all debug configuration, in case any debug filters or levels are currently active from an earlier session.
| ``fnsysctl killall iked``: kills the IKE daemon on the system. This is useful for clearing out any stuck state that may be lurking, similar to ``pkill``. Note that any IPsec tunnels currently established will be disrupted while the daemon restarts.
| ``diagnose vpn ike log-filter src-addr4 [ip]``: restricts the IKE debug output to the given source IPv4 address (replace ``[ip]`` with the client's address), so the console is not flooded with traffic from other tunnels.
| ``diagnose debug application ike -1``: sets IKE (the key-exchange protocol behind IPsec) to full debug mode.
| ``diagnose debug application samld -1``: sets the SAML daemon to full debug mode. Useful if using SAML authentication; it makes no difference otherwise.
| ``diag debug app fnbamd -1``: sets fnbamd to full debug mode. fnbamd handles RADIUS, LDAP, and TACACS+ authentication, so this is where those lookups can be debugged.
| ``diag debug application eap_proxy -1``: sets the EAP proxy to full debug mode. This is the authentication proxy used when the FortiGate is not performing the authentication itself.
| ``diag debug enable``: enables debug output to the console.
| ``diag debug disable``: once complete, stops the debug messages from going to the console. All messages will auto stop after 30 minutes.