
Can't establish an IPsec tunnel between Sophos XG and Fortigate

Hello there.
I have been doing some labs and so far I have managed to make a Sophos-Sophos and a Forti-Forti IPsec tunnel. However, I am trying to make a Sophos XG-Fortigate IPsec tunnel and the tunnel does not come up.

I have followed this guide and configured my tunnel according to it.

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-IPsec-VPN-Connection-between-Sophos-and-Fortigate-with-IKEv2.pdf

Can you help me to fix this?



[edited by: emmosophos at 5:00 PM (GMT -7) on 24 Jun 2024]
  • Hi @Luis Antonio Usquiano,

    On XG, check /log/charon.log (from the CLI). If the IPsec tunnel is set to Initiator and you see only the log line below, most likely some configs need to be checked on the Fortigate; even with a single config missing on the Fortigate, it will not respond to the packet from XG.

    sending packet: from <ip address of XG>[500] to <ip address of Fortigate>[500]

    On Fortigate, your policy config (these are the packet forwarding rules) should look like the below:

    Policy & Objects: IPv4 policy:

    Incoming interface: LAN port of Fortigate where 192.168.100.0/24 is configured.

    Outgoing interface: WAN port of Fortigate talking to XG

    Action: this should have the IPsec option. Once IPsec is chosen, you will be prompted to enter the tunnel name; choose the tunnel name. Also turn ON the 'Allow traffic to be initiated from remote side' option (this will serve as the packet filtering policy from the WAN to the LAN side on Fortigate).

    To have the IPsec option in the Action, enable this on Fortigate: System : Feature Select : Additional Features : Policy-based IPsec VPN
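As an added example (not part of the original thread or of Sophos' own tooling), a small Python script that scans a charon.log excerpt for exactly the symptom the reply above describes: IKE packets sent to a peer that never answers. The sample log lines are constructed in strongSwan's usual charon layout; the connection names, addresses and the assumption that XG's charon.log uses the same "sending packet" / "received packet" wording are all mine.

```python
import re
from collections import defaultdict

# Constructed sample excerpt in strongSwan's usual charon log layout (assumption:
# XG's /log/charon.log uses the same "sending packet" / "received packet" wording
# quoted in the reply). Connection names and addresses are made up for the example.
SAMPLE_CHARON_LOG = """\
Jun 24 16:58:01 06[NET] <Forti_Tunnel|1> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (464 bytes)
Jun 24 16:58:05 06[NET] <Forti_Tunnel|1> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (464 bytes)
Jun 24 16:58:12 07[NET] <Forti_Tunnel|1> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (464 bytes)
Jun 24 16:58:30 08[NET] <Other_Site|2> sending packet: from 203.0.113.10[500] to 192.0.2.7[500] (464 bytes)
Jun 24 16:58:30 09[NET] <Other_Site|2> received packet: from 192.0.2.7[500] to 203.0.113.10[500] (440 bytes)
"""

PACKET_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> (?P<dir>sending|received) packet: "
    r"from (?P<src>[0-9.]+)\[\d+\] to (?P<dst>[0-9.]+)\[\d+\]"
)

def summarize_peers(log_text):
    """Count IKE packets sent to and received from each peer, keyed by (connection, peer IP)."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in log_text.splitlines():
        m = PACKET_RE.search(line)
        if not m:
            continue
        if m["dir"] == "sending":
            stats[(m["conn"], m["dst"])]["sent"] += 1
        else:
            stats[(m["conn"], m["src"])]["received"] += 1
    return dict(stats)

def silent_peers(log_text, min_sent=2):
    """Peers we have sent at least min_sent IKE packets to without a single reply.
    This is the pattern the reply describes: the initiator keeps retransmitting and
    the responder never answers, so the fix belongs on the remote side (its IPsec or
    policy config, or a filter in front of it dropping IKE), not in XG's proposal."""
    return sorted(
        (conn, peer)
        for (conn, peer), c in summarize_peers(log_text).items()
        if c["sent"] >= min_sent and c["received"] == 0
    )

if __name__ == "__main__":
    for conn, peer in silent_peers(SAMPLE_CHARON_LOG):
        print(f"{conn}: no IKE reply from {peer}; check the peer's IPsec/policy config")
```

On a real box, feed it the output of the charon.log check from the reply instead of the constructed sample; a peer that only ever appears in "sending packet" lines is the one whose side needs the policy and feature settings listed above.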
