Hi Julian,

> Mon, 2019-10-14 17:16 07[JOB] <1> deleting half open IKE_SA with
> 123.123.123.123 after timeout

This means the IKE_AUTH message somehow doesn't get through. Either because required UDP ports (4500) are blocked, or the message is too large and gets fragmented (IP fragments are often dropped on the way). If you can't use IKEv2 fragmentation (not sure if Fortigate supports it), there isn't much you can do (using smaller certificates or not sending them are some of the possible workarounds).

Regards,
Tobias
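Added example, not part of the message above and not strongSwan's own code: a Python script that scans a charon log in the format quoted above for half-open timeouts and reports, per IKE_SA, whether an IKE_AUTH request was ever parsed and whether the peer's IKE_SA_INIT carried the N(FRAG_SUP) notify (the peer announcing IKEv2 fragmentation support). The function name and every sample log line except the quoted timeout message are constructed for illustration.

```python
import re

# Constructed sample in the log format quoted above (timestamps, SA ids and
# payload lists are made up; only the timeout line comes from the thread).
SAMPLE_LOG = """\
Mon, 2019-10-14 17:16 05[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mon, 2019-10-14 17:16 05[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Mon, 2019-10-14 17:16 07[JOB] <1> deleting half open IKE_SA with 123.123.123.123 after timeout
Mon, 2019-10-14 17:20 09[ENC] <2> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Mon, 2019-10-14 17:20 09[ENC] <2> parsed IKE_AUTH request 1 [ IDi CERT AUTH SA TSi TSr ]
"""

# "07[JOB] <1> message" or "07[JOB] <connname|1> message"
LINE = re.compile(r"\d+\[(?P<grp>[A-Z]{3})\] <(?:[^|>]*\|)?(?P<sa>\d+)> (?P<msg>.*)")
PARSED = re.compile(r"parsed (IKE_SA_INIT|IKE_AUTH) request \d+ \[(.*)\]")
TIMEOUT = re.compile(r"deleting half open IKE_SA with (\S+) after timeout")


def half_open_timeouts(log_text):
    """Return one finding per IKE_SA that was deleted while still half open."""
    seen = {}      # SA id -> what the responder parsed from the peer so far
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        state = seen.setdefault(m["sa"], {"auth": False, "frag_sup": False})
        if p := PARSED.search(m["msg"]):
            exchange, payloads = p.groups()
            if exchange == "IKE_AUTH":
                state["auth"] = True          # IKE_AUTH did reach this host
            elif "N(FRAG_SUP)" in payloads.split():
                state["frag_sup"] = True      # peer offered IKEv2 fragmentation
        elif t := TIMEOUT.search(m["msg"]):
            findings.append({"sa": m["sa"], "peer": t[1],
                             "ike_auth_received": state["auth"],
                             "peer_offered_fragmentation": state["frag_sup"]})
    return findings


if __name__ == "__main__":
    for finding in half_open_timeouts(SAMPLE_LOG):
        print(finding)
```

A finding with `ike_auth_received` false matches the case described above, where IKE_AUTH never arrives; `peer_offered_fragmentation` false means the peer did not announce fragmentation support in that exchange.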
