
S2S IPSec with several IP / Subnet on both Side

Hello @all,

I have tried to configure one S2S IPsec tunnel from my Sophos UTM to a Fortigate FW with several single IP addresses and subnets on both sides; some are private and some are public IPs.

My UTM configuration example:

Connection Tab:
Local Networks: IP1: 10.130.x.1, IP2: 10.131.x.1
Automatic FW Rule: I create my own rule (not checked)
Strict Routing: not checked
Bind tunnel to local interface: active (also tested with it unchecked)

Remote Connection Tab:
Gateway type: Initiate Connection
Gateway: GW IP of remote FW
Authentication type: PSK
VPN ID type: IP Address
VPN ID (optional):  Nothing
Remote Networks: Some IP (Public and Private IP) and one Subnet (Private)

Policies:
Compression off, strict policy is not used.
IKE settings: AES 256 / SHA2 256 / Group 5: MODP 1536   Lifetime: 36000 seconds
IPsec settings: AES 256 / SHA2 256 / Group 5: MODP 1536   Lifetime: 3600 seconds

If I enable my IPsec tunnel I get this one:

Why does the first connection show no policy and is not up and running?

The remote FW says there are problems with phase 2.

Can anyone help me with that?

Many thanks

TBC



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Could you please confirm the phase-2 parameters for the non-established SA at the Fortigate end?

    Also, please run the below command in shell and re-establish the tunnel.

    utm:/root # tail -f /var/log/ipsec.log

    ==> If you have multiple tunnels configured, then grep ipsec.log with tunnel name.

    utm:/root # tail -f /var/log/ipsec.log | grep -i "<tunnel_name>"

    e.g.: utm:/root # tail -f /var/log/ipsec.log | grep -i "<T-COM-for>"

    Share the session output here or via PM.

  • Hello Yash Kothari,

    I have fixed the problem. There were 2 problems.

    1. On Fortinet we need to configure IKEv1 because Sophos can't do v2; that's not really acceptable!!!

    2. I had to set up 2 tunnels on the Sophos side and several Phase 2 routes on the Fortinet side in one profile.

    Example:
    You have about 6 systems: 4 on Site A communicate with 4 on Site B,
    2 on Site A communicate with 4 on Site B.

    Fortinet Site:
    IP_1 > IP_A
    IP_2 > IP_A
    IP_3 > IP_A
    IP_4 > IP_A
    IP_1 > IP_B
    IP_2 > IP_B
    IP_3 > IP_B
    IP_4 > IP_B
    and so on for the next IPs or subnets;
    for the other 2 IPs do the same. All of them have the same policy and PSK and are configured in the IPsec profile on Fortinet.

    Sophos Site:
    one IPsec tunnel for the 4 IPs and one tunnel for the last 2 systems.

    After that it works.

    When is Sophos fixing the problem to allow IKEv2??

    Many thanks

    TBC
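The workaround above comes down to traffic selectors: with IKEv1 each local/remote network pair is negotiated as its own Phase 2 SA, so a tunnel with 2 local and 4 remote networks proposes 8 pairs, and every one of them must exist as a Phase 2 entry on the Fortigate or that pair fails while the others come up. The following script is an added example, not code from the thread or from Sophos or Fortinet: it expands a tunnel definition into the selector pairs it implies, reports which pairs a peer's Phase 2 list lacks, and groups local systems by the remote set they reach (one tunnel per group, as the poster ended up doing). All addresses are constructed placeholders.

```python
"""
Added example (not part of the thread): Phase 2 selector bookkeeping for a
multi-network IPsec tunnel. All addresses below are constructed placeholders.
"""
from ipaddress import ip_network
from itertools import product


def _norm(net):
    # A bare host address becomes a /32 (or /128) selector.
    return str(ip_network(net))


def expand_selectors(local_nets, remote_nets):
    """Every local x remote combination is negotiated as its own Phase 2 SA,
    so 2 local and 3 remote networks yield 6 selector pairs the peer must match."""
    return sorted({(_norm(l), _norm(r)) for l, r in product(local_nets, remote_nets)})


def missing_on_peer(local_nets, remote_nets, peer_phase2):
    """Return the pairs we will propose that the peer has not configured.
    peer_phase2 holds (peer_local, peer_remote) pairs from the peer's point of
    view; the peer's local is our remote, so they are swapped before comparing."""
    expected = set(expand_selectors(local_nets, remote_nets))
    configured = {(_norm(peer_remote), _norm(peer_local))
                  for peer_local, peer_remote in peer_phase2}
    return sorted(expected - configured)


def plan_tunnels(flows):
    """Group local systems that must reach the same set of remote systems into
    one tunnel definition (the split the thread ends with). flows maps a local
    network to the set of remote networks it talks to."""
    groups = {}
    for local, remotes in flows.items():
        key = tuple(sorted(_norm(r) for r in remotes))
        groups.setdefault(key, []).append(_norm(local))
    return [(sorted(members), list(remotes)) for remotes, members in sorted(groups.items())]


# Constructed sample: the UTM side of one tunnel (hypothetical addresses).
SOPHOS_LOCAL = ["10.130.5.1", "10.131.5.1"]
SOPHOS_REMOTE = ["198.51.100.10", "198.51.100.11", "192.168.50.0/24"]
# Constructed sample: what the Fortigate operator entered as Phase 2 selectors.
# Only the host pairs are there; the subnet pairs were forgotten.
FORTIGATE_PHASE2 = [
    ("198.51.100.10", "10.130.5.1"), ("198.51.100.10", "10.131.5.1"),
    ("198.51.100.11", "10.130.5.1"), ("198.51.100.11", "10.131.5.1"),
]
# Constructed sample: which local system needs to reach which remote systems.
FLOWS = {
    "10.130.5.1": {"198.51.100.10", "198.51.100.11"},
    "10.130.5.2": {"198.51.100.10", "198.51.100.11"},
    "10.131.5.1": {"198.51.100.10", "198.51.100.11", "192.168.50.0/24"},
}

if __name__ == "__main__":
    for pair in expand_selectors(SOPHOS_LOCAL, SOPHOS_REMOTE):
        print("proposed  ", pair)
    for pair in missing_on_peer(SOPHOS_LOCAL, SOPHOS_REMOTE, FORTIGATE_PHASE2):
        print("peer lacks", pair)
    for members, remotes in plan_tunnels(FLOWS):
        print("tunnel:", members, "->", remotes)
```

Run it as-is and the two subnet pairs show up as missing on the peer, which is the situation the thread describes: some SAs establish, the rest fail in Phase 2, and the log shows no policy for the pairs the peer never configured. Feeding `plan_tunnels` the real flow matrix shows how many separate UTM tunnels are needed before any Phase 2 entries are typed into the Fortigate.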

  • FormerMember in reply to RemoHehlert

    There are currently no plans to integrate IKEv2 into Sophos UTM 9.

  • Another unbelievable move by Sophos! :-(
    Sophos UTM = security? No thanks!
