fesch
New Member
September 13, 2021
Solved

Error on Site2Site IPsec between Fortigate and Sophos XG

  • September 13, 2021
  • 1 reply
  • 4352 views

Hello all,

I have a faulty VPN configuration on an IPsec connection between a Fortigate and a Sophos XG, for which I cannot find a solution. I have connected several subnets via the VPN:

Fortigate:

xx.xx.11.0/24
xx.xx.6.0/24

XG:

xx.xx.100.0/24
xx.xx.2.0/24
xx.xx.0.0/26

The connection is established and also works. However, an error is displayed on the Fortigate. The SAs between the firewalls are displayed as UP with the following notation: Source: xx.xx.11.0-xx.xx.11.255 Destination: xx.xx.100.0-xx.xx.100.255, xx.xx.2.0-xx.xx.2.255, xx.xx.0.0-xx.xx.0.62 ....

The same SAs are displayed as DOWN with a different notation: Source: xx.xx.11.0/255.255.255.0 Destination: xx.xx.10.0/255.255.255.0, xx.xx.2.0/255.255.255.0, xx.xx.0.0/255.255.255.192

On the Sophos XG, all SAs are displayed UP.

Does anyone have an idea how I can eliminate this error? This permanently reports a faulty VPN tunnel to our monitoring system.

Best regards

Felix


    1 reply

    Kangming, Staff (best answer)
    September 13, 2021

    You could try configuring multiple phase 2 selectors. In your 2*3 subnet situation, you should configure 6 phase 2 selectors to negotiate with the Sophos XG.

    Refer to the KB doc:

    https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33873&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=249206664&stateId=1%200%20249208254%27)
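The "one phase 2 selector per local/remote subnet pair" advice in the answer above, worked through as an added example (this is not code from the thread or from Fortinet): it enumerates the 2 x 3 = 6 selector pairs, renders them as FortiGate `phase2-interface` CLI entries, and then checks a peer's negotiated SA list against the configured pairs so that any pair the FortiGate is missing (the kind that shows up as a DOWN entry and trips monitoring) is reported. It assumes the usual IKEv1 behaviour in which each subnet pair is negotiated as its own phase 2 SA; the subnets and the phase 1 name `to-sophos-xg` are constructed placeholders standing in for the poster's redacted xx.xx.* networks.

```python
"""
Added example, not from the forum post: enumerate the phase 2 selector
pairs a FortiGate needs for a multi-subnet IPsec tunnel, render them as
FortiGate CLI, and flag peer SAs that no configured selector covers.

Assumption: the peer negotiates one phase 2 SA per local/remote subnet
pair (typical IKEv1 behaviour), so n local * m remote subnets need n*m
selectors on the FortiGate side.
"""
from ipaddress import ip_network
from itertools import product

# Constructed sample data (stand-ins for the poster's redacted xx.xx.* subnets).
FORTIGATE_SUBNETS = ["10.1.11.0/24", "10.1.6.0/24"]
XG_SUBNETS = ["10.2.100.0/24", "10.2.2.0/24", "10.2.0.0/26"]
PHASE1_NAME = "to-sophos-xg"  # hypothetical phase1-interface name


def phase2_selectors(local, remote):
    """Return every (local, remote) subnet pair as IPv4Network objects.

    One pair per phase 2 selector: 2 local * 3 remote = 6 selectors here.
    strict=True rejects host bits set in a subnet, a common typo source.
    """
    local_nets = [ip_network(n, strict=True) for n in local]
    remote_nets = [ip_network(n, strict=True) for n in remote]
    return list(product(local_nets, remote_nets))


def render_fortigate_phase2(phase1name, selectors):
    """Render one phase2-interface entry per selector pair as FortiGate CLI.

    src-subnet/dst-subnet take "address netmask", so /26 becomes
    255.255.255.192, matching the DOWN notation in the original post.
    """
    lines = ["config vpn ipsec phase2-interface"]
    for i, (src, dst) in enumerate(selectors, start=1):
        lines += [
            f'    edit "{phase1name}-p2-{i}"',
            f'        set phase1name "{phase1name}"',
            f"        set src-subnet {src.network_address} {src.netmask}",
            f"        set dst-subnet {dst.network_address} {dst.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def unmatched_peer_sas(selectors, peer_sas):
    """Return peer SAs that no configured FortiGate selector covers.

    peer_sas holds (peer_local, peer_remote) pairs as the XG negotiates
    them.  Note the direction flip: an XG SA (B, A) is covered when the
    FortiGate has selector src=A, dst=B.  Whatever is returned here is a
    pair the FortiGate has no phase 2 for, i.e. the stale DOWN entry that
    a tunnel monitor keeps alerting on.
    """
    configured = set(selectors)
    return [
        (peer_local, peer_remote)
        for peer_local, peer_remote in (
            (ip_network(l), ip_network(r)) for l, r in peer_sas
        )
        if (peer_remote, peer_local) not in configured
    ]


if __name__ == "__main__":
    sel = phase2_selectors(FORTIGATE_SUBNETS, XG_SUBNETS)
    print(render_fortigate_phase2(PHASE1_NAME, sel))
    # Constructed peer SA list covering all six pairs: nothing unmatched.
    peer = [(r, l) for l in FORTIGATE_SUBNETS for r in XG_SUBNETS]
    print("unmatched:", unmatched_peer_sas(sel, peer))
```

Running the script prints six `edit` blocks under `config vpn ipsec phase2-interface`; drop one selector from the list passed to `unmatched_peer_sas` and the corresponding XG pair comes back as unmatched, which is the condition to alert on rather than "any DOWN SA".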

     

    fesch (Author), New Member
    September 15, 2021

    Thanks for your answer, Kangming, that worked. I had already used this solution with the previous Sophos product, so I could have thought of it myself ;)