Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 4 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 1900 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Need to re-input the Pre-shared key to establish Sophos to FortiGate

Sandy Blaza

We had a fortigate (initiator) to sophos (respond) site to site vpn via IPsec, and we configure our fortigate firewalls via fortimanager script.

The issue is every time a branch/s (Fortigate) got disconnected, we are required to re-input the pre-shared key in Sophos firewall in order to re-establish. Re-freshing  or bring down/up the phases in fortigate is not working. 

Even for adding new site/branch (also using FortiGate), we need to re-input the pre-shared key in Sophos firewall to able to establish the IPsec.

Our set up in Sophos is:

Remote Address gateway:  *

We have 3 site to site IPsec VPN using same wan in listening interface.

Branch A:

Local Subnet:      Remote Subnet

10.20.30.x           192.168.10.x

10.30.40.x

10.40.50.x

Branch B:

Local Subnet:      Remote Subnet

10.20.30.x           192.168.20.x

10.30.40.x

10.40.50.x

Branch C:

Local Subnet:      Remote Subnet

10.20.30.x           192.168.30.x

10.30.40.x

10.40.50.x

Firmware version: v19.5.1



This thread was automatically locked due to age.
  • 0

    Try not to use * (Wildcard) for IPsec Site to Site connections. 

    Use a DDNS / Fixed IP as a remote gateway. 

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0

    Hi : Thank you for reaching out to the Sophos community team, As you have set remote Gateway "*" in your current configuration, I hope you had set the same PKS for all such tunnels where you are setting up remote gateway * (including existing tunnels and upcoming new ones).

    As when you save or add new tunnels it will going to update PSK for all connections where the remote GW IP is set to the same, here in your case remote GW is *, so for all such tunnels, you must be required to use the same PSK and during saving tunnels or adding a new one you get below pop up as well which gives the same information.




    Note: In case you are already using the same PSK for all site-to-site tunnels where remote GW is * and still it is required to update PSK then please ensure on your existing XG/XGS if Sophos Remote access VPN or L2TP is configured with PSK method then please set the same PSK for them as well as that falls under such settings where Remote GW is * only.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Vishal_R

    Each site-to-site VPN is owned by a certain individual or organization, and we are required to establish it exclusively for the owner. That's why each IPsec site-to-site connection uses its own pre-shared key.

    Is there a way to do it?

  • 0 in reply to Sandy Blaza

    Hi   As  has mentioned if you do not want to use the same PSK then please use their actual remote GW IP or DynDNS in place of defining the same remote gateway "*" (any) for all of them to avoid this.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support
    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'Verify Answer' link.

Unfiltered HTML