
Can't establish an IPsec tunnel between Sophos XG and Fortigate

Hello there.
I have been doing some labs and so far I have managed to set up a Sophos-Sophos and a Forti-Forti IPsec tunnel. However, I am trying to set up a Sophos XG-Fortigate IPsec tunnel, but my tunnel does not come up.

I have followed this guide and configured my tunnel according to it.

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-IPsec-VPN-Connection-between-Sophos-and-Fortigate-with-IKEv2.pdf

Can you help me to fix this?



  • Hello, we have this:


    We have also tried to make a new IKEv2 profile using only these numbers,

    but it's not working either.

  • Looks OK.

    Have you checked the text logs on both machines? Do they even reach each other?

    On the XG side you find the IPsec logs here: /log/strongswan.log

    What do you find there when you stop and start the tunnel on XG?

  • Hi Luis Antonio Usquiano,

    192.168.0.2 is a private network address; did you allow port 500 on your upstream router?

    Check tcpdump:

    Go to SSH option 4

    console> tcpdump 'port 500'

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".


  • Hello,
    I have created a DMZ on my router targeting my Sophos WAN interface,

    so all the ports are open.

  • Share the tcpdump.


  • Hi @Luis Antonio Usquiano,

    On XG, check /log/charon.log (from the CLI). If you see only the log line below and the IPsec tunnel is set to Initiator, most likely some configs need to be checked on the Fortigate; even with a single config missing on the Fortigate, it will not respond to the packet from XG.

    sending packet: from <ip address of XG>[500] to <ip address of Fortigate>[500]

    On the Fortigate, your policy config (these are the packet forwarding rules) should look like below:

    Policy & Objects: IPv4 policy:

    Incoming interface: LAN port of the Fortigate where 192.168.100.0/24 is configured.

    Outgoing interface: WAN port of the Fortigate talking to XG.

    Action: this should have the IPsec option; once IPsec is chosen, you will be prompted to enter the tunnel name - choose the tunnel name; also turn ON the 'Allow traffic to be initiated from remote side' option (this will serve as the packet filtering policy from the WAN to the LAN side on the Fortigate).

    To have the IPsec option in the Action, enable this on the Fortigate: System : Feature Select : Additional Features : Policy-based IPsec VPN

  • I believe the authentication failure is due to the below misconfig:

    I am assuming the Fortigate (Initiator) is behind the ISP (NAT router). The packet from the Fortigate is with IP 77.226.150.22 (this is the WAN IP of the Fortigate and also what you had configured as the remote gateway on SFOS), and the Fortigate's internal IP (192.168.37.253) is being used as the ID during authentication; but since that ID is not configured on SFOS, it says 'no matching config found'.

    In the SFOS IPsec config, set 'Remote ID type' to 'IP address' and 'Remote ID' to 192.168.37.253.

    Also, keep NAT traversal enabled in the IPsec config (under Network) of the Fortigate (not a strict recommendation, but advised).

    On the Fortigate, you don't have a UI option to set the ID; this has to be set via the CLI. You don't have to use these commands, but I am giving them for reference.

    All the below CLI commands are on the Fortigate.

    # config vpn ipsec phase1

    (phase1) # edit <tunnel name>

    (tunnel name) # set localid-type address

    # show vpn ipsec phase1 <tunnel name>  --> this will show all the config present for the IPsec tunnel
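The two charon.log symptoms discussed in this thread (only "sending packet" lines with no reply, versus a reply that fails with "no matching peer config found" because of the peer ID) can be told apart mechanically. The script below is an added example, not code from the thread or from Sophos; the log excerpts are constructed in strongswan's charon format using RFC 5737 documentation addresses, and the tunnel name "Forti-Tunnel" is made up.

```python
import re

# Constructed charon.log excerpts (not from the thread). 203.0.113.5 stands in
# for the XG WAN IP, 198.51.100.7 for the Fortigate WAN IP, and 192.168.37.253
# is the internal address the thread says the Fortigate presents as its ID.
LOG_NO_REPLY = """\
12[IKE] initiating IKE_SA Forti-Tunnel[1] to 198.51.100.7
12[NET] sending packet: from 203.0.113.5[500] to 198.51.100.7[500] (464 bytes)
13[IKE] retransmit 1 of request with message ID 0
13[NET] sending packet: from 203.0.113.5[500] to 198.51.100.7[500] (464 bytes)
"""

LOG_ID_MISMATCH = """\
09[NET] received packet: from 198.51.100.7[4500] to 203.0.113.5[4500] (320 bytes)
09[CFG] looking for peer configs matching 203.0.113.5[203.0.113.5]...198.51.100.7[192.168.37.253]
09[CFG] no matching peer config found
"""

LOG_UP = """\
07[NET] received packet: from 198.51.100.7[4500] to 203.0.113.5[4500] (224 bytes)
07[IKE] IKE_SA Forti-Tunnel[1] established between 203.0.113.5[203.0.113.5]...198.51.100.7[192.168.37.253]
"""

# Pulls the remote ID (inside the brackets after the remote address) from the
# "looking for peer configs matching LOCAL[ID]...REMOTE[ID]" line.
PEER_ID_RE = re.compile(r"looking for peer configs matching \S+\.\.\.\S+?\[([^\]]+)\]")

HINTS = {
    "established": "IKE_SA is up; look at phase 2 / firewall policies if traffic still fails",
    "id_mismatch": "peer replied but its IKE ID matches no local config: set Remote ID type "
                   "to IP address and Remote ID to the value shown",
    "no_reply": "peer never answered: check that UDP 500/4500 reach the firewall through "
                "the upstream NAT/DMZ and that the Fortigate phase1 config is complete",
    "inconclusive": "not enough evidence in this excerpt",
}

def diagnose(log: str) -> dict:
    """Classify a charon.log excerpt into one of the HINTS verdicts."""
    sent = received = 0
    peer_id = None
    no_match = established = False
    for line in log.splitlines():
        if "sending packet:" in line:
            sent += 1
        elif "received packet:" in line:
            received += 1
        elif "no matching peer config found" in line:
            no_match = True
        elif "IKE_SA" in line and "established" in line:
            established = True
        m = PEER_ID_RE.search(line)
        if m:
            peer_id = m.group(1)
    if established:
        verdict = "established"
    elif no_match:
        verdict = "id_mismatch"
    elif sent and not received:
        verdict = "no_reply"
    else:
        verdict = "inconclusive"
    return {"sent": sent, "received": received, "peer_id": peer_id,
            "verdict": verdict, "hint": HINTS[verdict]}
```

Run it as `diagnose(open("/log/charon.log").read())` on a real excerpt captured while stopping and starting the tunnel, as suggested earlier in the thread.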