timchen
New Member
October 14, 2024
Solved

Site-to-site VPN traffic between Sophos and Fortigate not being forwarded

  • October 14, 2024
  • 8 replies
  • 5186 views

I have 2 offices, Site A is Sophos and Site B is Fortigate. I have established a Site-to-Site VPN between the two sites. The tunnel between the two sites is UP, but the Tunnel Interface IPs cannot ping each other and the two sites cannot ping each other. The server under each site cannot ping the opposite endpoint.


The following is the relevant information:

[attachment: Screenshot 2024-10-14 at 7.09.38 PM.png]

Site A (Sophos)

  • WAN IP : 11.11.11.11
  • LAN IP Subnet : 172.29.21.0/24, Server IP: 172.29.21.11 (LAN Gateway under Sophos Firewall)
  • Tunnel Interface IP : 10.212.0.1/29
  • Firewall Policy: Accept LAN(172.29.21.0/24) to VPN(10.210.101.0/24)

Site B (Fortigate)

  • WAN IP : 22.22.22.22
  • LAN IP Subnet : 10.210.101.0/24, Server IP: 10.210.101.11 (LAN Gateway under Fortigate Firewall)
  • Tunnel Interface IP : 10.212.0.6/29
  • Static Route: 172.29.21.0/24 via interface S2S_DCOF_M
  • Firewall Policy: Accept LAN(10.210.101.0/24) to S2S_DCOF_M(172.29.21.0/24)

  (Below: Fortigate IPsec tunnel status)

[attachment: Screenshot 2024-10-14 at 7.06.17 PM.png]

Here I'm using Route-based to establish the Site-to-Site VPN connection. I've also tried Policy-based, but neither worked, and I'm not sure if I'm missing any settings.

I can't ping from the tunnel interface 10.212.0.1 to 10.212.0.6, nor does the reverse ping from 10.212.0.6 to 10.212.0.1 work.

I also tried mtr from the server; according to the server's mtr trace, the packets stop at the Fortigate's LAN gateway.

[attachment: Screenshot 2024-10-14 at 7.18.10 PM.png]

Best answer by AEK

8 replies

dbhavsar
Staff
October 14, 2024

Hello @timchen ,

Can you make sure your tunnel IP subnet is being allowed in the Phase 2 selector?

AEK
SuperUser
October 14, 2024

And in firewall policies as well, and from both sides.

AEK
timchen (Author)
New Member
October 14, 2024

In Fortigate, I have set up the Firewall Policy as follows, with the interfaces grouped into Zones.

Internal-LAN is the server IP subnet interface; internal-S2S-OF is the IPsec tunnel interface.

[attachment: Screenshot 2024-10-14 at 8.20.35 PM.png]

Sophos & Fortigate pretty much open up bidirectional firewall rules, except Sophos specifies the LAN IP and tunnel interface IP for both endpoints.


AEK
SuperUser
October 14, 2024
timchen (Author)
New Member
October 14, 2024

Hi @AEK

I conducted troubleshooting based on this document (https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSec-VPN-with-Sophos-is-not-working/ta-p/339424), and it seems that the IKE Phase 1 & Phase 2 processes are smooth and there are no errors.

Below are the logs:

ike V=root:0:S2S_DCOF_M: link is idle 7 x.x.x.x(Fortigate WAN IP)->y.y.y.y(Sophos WAN IP):0 dpd=2 seqno=340 rr=0
ike V=root:0: comes y.y.y.y(Sophos WAN IP):500->x.x.x.x(Fortigate WAN IP):500,ifindex=7,vrf=0,len=80....
ike V=root:0: IKEv2 exchange=INFORMATIONAL id=8fdf995bf1a69d32/290c6f562da113ca:0000002a len=80
ike 0: in 8FDF995BF1A69D32290C6F562DA113CA2E2025000000002A0000005000000034E994E227B57A748E3C828E5510C2B08CA88979C167810B9AFF0A50C6BA984305B308DA3ACA67E990112A881C7AFDDF43
ike V=root:0:S2S_DCOF_M: HA state master(2)
ike 0:S2S_DCOF_M:15: dec 8FDF995BF1A69D32290C6F562DA113CA2E2025000000002A0000002000000004
ike V=root:0:S2S_DCOF_M:15: received informational request
ike 0:S2S_DCOF_M:15: enc 0F0E0D0C0B0A0908070605040302010F
ike 0:S2S_DCOF_M:15: out 8FDF995BF1A69D32290C6F562DA113CA2E2025280000002A000000500000003447D3FC98E47D420E5CEB95835779AFCBE67845F2E289A8639D2CC9A80897B7E26506A0C4477F635BFA6F2DAFF41F27E8
ike V=root:0:S2S_DCOF_M:15: sent IKE msg (INFORMATIONAL_RESPONSE): x.x.x.x(Fortigate WAN IP):500->y.y.y.y(Sophos WAN IP):500, len=80, vrf=0, id=8fdf995bf1a69d32/290c6f562da113ca:0000002a, oif=7

Lelle68
New Member
October 14, 2024

I would check that the TTL and encryption settings for phase 1 and 2 match between the two. I have stumbled over something similar between Sophos and Mikrotik. The tunnel was up but no traffic was forwarded.

/Lennart

timchen (Author)
New Member
October 14, 2024

Checked that the TTL and encryption settings for Phase 1 and Phase 2 match between the two.
I captured the packet on Fortigate earlier, but I did not receive the ESP packet. I am checking the source of the problem in detail.

AEK (Answer)
SuperUser
October 14, 2024

While pinging the destination, try the following commands to see if the packet flows through the right interfaces:

diag sniffer packet any "host x.x.x.x and icmp" 4

And try the below to see why it is blocked (if so):

diag debug flow filter addr x.x.x.x
diag debug flow filter proto 1
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable


AEK
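As an added example (not part of AEK's reply and not a Fortinet tool), here is a small Python triage script for the output those "diag debug flow" commands produce once the trace is enabled. It groups the lines by trace_id and reports, per ICMP packet, whether it was routed into the tunnel interface, routed somewhere else, denied by a firewall policy, or dropped for lack of a route, which is exactly the split between "route problem", "policy problem" and "tunnel problem" that this thread is trying to make. The sample lines are constructed in the style of FortiOS flow traces using the thread's addresses and the S2S_DCOF_M tunnel name; the policy ID, the Internal-LAN and wan1 interface names and the exact message wording are assumptions of this example.

```python
import re

# Constructed sample output in the style of a FortiOS "diag debug flow" trace.
# These lines are illustrative and were NOT captured from the poster's FortiGate;
# the interface names, policy ID and gateway addresses are assumed for the example.
SAMPLE_FLOW = """\
id=20085 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.210.101.11:1->172.29.21.11:2048) tun_id=0.0.0.0 from Internal-LAN. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-10.212.0.1 via S2S_DCOF_M"
id=20085 trace_id=1 func=fw_forward_handler line=991 msg="Allowed by Policy-5:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=789 msg="enter IPSec interface-S2S_DCOF_M, tun_id=0.0.0.0"
id=20085 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.210.101.11:1->172.29.22.11:2048) tun_id=0.0.0.0 from Internal-LAN. type=8, code=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-22.22.22.1 via wan1"
id=20085 trace_id=2 func=fw_forward_handler line=786 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=1, 10.210.101.11:1->192.168.50.11:2048) tun_id=0.0.0.0 from Internal-LAN. type=8, code=0, id=1, seq=3."
id=20085 trace_id=3 func=vf_ip_route_input_common line=2579 msg="no route, drop"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) .*? msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(r'proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+')
ROUTE_RE = re.compile(r'find a route: .*?gw-(?P<gw>[\d.]+) via (?P<iface>\S+)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')
IPSEC_RE = re.compile(r'enter IPSec interface-(?P<iface>[^,\s]+)')


def parse_flow(text):
    """Group debug-flow lines by trace_id and pull out the facts that matter."""
    traces = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m["tid"]), m["msg"]
        t = traces.setdefault(tid, {"src": None, "dst": None, "route_iface": None,
                                    "gw": None, "allowed_policy": None,
                                    "denied_policy": None, "ipsec_iface": None,
                                    "no_route": False})
        if (p := PKT_RE.search(msg)):
            t["src"], t["dst"] = p["src"], p["dst"]
        elif (r := ROUTE_RE.search(msg)):
            t["gw"], t["route_iface"] = r["gw"], r["iface"]
        elif (a := ALLOW_RE.search(msg)):
            t["allowed_policy"] = int(a["policy"])
        elif (d := DENY_RE.search(msg)):
            t["denied_policy"] = int(d["policy"])
        elif (i := IPSEC_RE.search(msg)):
            t["ipsec_iface"] = i["iface"]
        elif "no route" in msg:
            t["no_route"] = True
    return traces


def verdict(t, tunnel_iface):
    """Explain, in troubleshooting terms, what happened to one traced packet."""
    if t["no_route"]:
        return "no route to destination: add/check the static route toward the tunnel interface"
    if t["denied_policy"] is not None:
        return (f"denied by policy {t['denied_policy']} after routing via {t['route_iface']}: "
                f"check the firewall policy from the LAN interface to the tunnel interface")
    if t["ipsec_iface"] == tunnel_iface:
        return f"forwarded into tunnel {tunnel_iface} by policy {t['allowed_policy']}"
    if t["route_iface"] and t["route_iface"] != tunnel_iface:
        return f"routed via {t['route_iface']} instead of the tunnel: check the static route"
    return "incomplete trace"


def triage(text, tunnel_iface="S2S_DCOF_M"):
    """Map every trace_id in the output to a one-line verdict."""
    return {tid: verdict(t, tunnel_iface) for tid, t in parse_flow(text).items()}


if __name__ == "__main__":
    for tid, v in triage(SAMPLE_FLOW).items():
        print(f"trace {tid}: {v}")
```

Paste the real trace into SAMPLE_FLOW (or read it from a file) and pass the tunnel interface name to triage(). A packet that reaches "enter IPSec interface-<tunnel>" on the FortiGate but never gets an echo reply points at the far side or at the Phase 2 selectors, not at FortiGate routing or policy.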
timchen (Author)
New Member
October 15, 2024

Hi @AEK

Thank you for your help. Today, I conducted various checks again without changing any settings, and suddenly the tunnel started working, but I don't know why. I'm not sure if it's a bug in the Sophos Firewall or some issue with the internet line.

But all the setup steps should be correct.

Tzneg_wx
New Member
May 28, 2025

To establish a route-based site-to-site VPN with Sophos, you must set the local subnet in FortiGate VPN Phase 2, but do not set the remote subnet.

This will make it successful. You can try it.

[attachment: sophos vpn2.jpg]

[attachment: phase2.png]

[attachment: sophos vpn.jpg]
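Added example, not from this thread or from either vendor: a Python check of dbhavsar's point (the tunnel interface subnet must be inside the Phase 2 selectors on both ends) and of Tzneg_wx's suggestion (FortiGate local subnet set, remote left at any). It tests whether a given src->dst flow is covered by the selectors on both firewalls and which (local, remote) pairs survive IKEv2 narrowing. The selector sets are constructed from the subnets in the question; they are not the poster's real configuration, and the "wide" variant adds the tunnel /29 on both ends as an assumption of the example.

```python
import ipaddress

# Addresses from the thread. The selector sets below are constructed for the
# example; they are not the poster's actual Phase 2 configuration.
LAN_A = "172.29.21.0/24"    # Sophos (Site A) LAN
LAN_B = "10.210.101.0/24"   # FortiGate (Site B) LAN
TUNNEL = "10.212.0.0/29"    # tunnel interface subnet (10.212.0.1 and 10.212.0.6)
ANY = "0.0.0.0/0"

# Phase 2 selectors are (local, remote) pairs as seen from the device that owns them.
FGT_LAN_ONLY = [(LAN_B, LAN_A)]
SOPHOS_LAN_ONLY = [(LAN_A, LAN_B)]
# Tzneg_wx's variant: local subnet set, remote left at any; the tunnel /29 is
# added on both ends here so that tunnel-IP pings are also covered (assumed).
FGT_WIDE = [(LAN_B, ANY), (TUNNEL, ANY)]
SOPHOS_WIDE = [(LAN_A, ANY), (TUNNEL, ANY)]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(selectors, src, dst):
    """True if some (local, remote) selector pair contains the flow src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in _net(local) and d in _net(remote) for local, remote in selectors)


def flow_protected(fgt_selectors, sophos_selectors, src, dst):
    """For a packet src->dst leaving the FortiGate side, report whether each end's
    selectors cover it. On Sophos the same packet is remote->local, so its pairs
    are flipped before checking. Both must be True for the packet to ride the tunnel."""
    fgt_ok = covers(fgt_selectors, src, dst)
    sophos_ok = covers([(r, l) for l, r in sophos_selectors], src, dst)
    return fgt_ok, sophos_ok


def _intersect(a, b):
    """CIDR blocks are either nested or disjoint, so the overlap is the narrower one."""
    a, b = _net(a), _net(b)
    if not a.overlaps(b):
        return None
    return a if a.prefixlen >= b.prefixlen else b


def negotiated_pairs(fgt_selectors, sophos_selectors):
    """IKEv2 narrows each side's proposal to the overlap. Returns the (fgt_local,
    fgt_remote) pairs that survive; an empty list means a traffic-selector mismatch."""
    out = []
    for fl, fr in fgt_selectors:
        for sl, sr in sophos_selectors:
            local = _intersect(fl, sr)   # FortiGate local vs Sophos remote
            remote = _intersect(fr, sl)  # FortiGate remote vs Sophos local
            if local is not None and remote is not None:
                out.append((str(local), str(remote)))
    return out


if __name__ == "__main__":
    print("LAN ping, LAN-only selectors:",
          flow_protected(FGT_LAN_ONLY, SOPHOS_LAN_ONLY, "10.210.101.11", "172.29.21.11"))
    print("tunnel-IP ping, LAN-only selectors:",
          flow_protected(FGT_LAN_ONLY, SOPHOS_LAN_ONLY, "10.212.0.6", "10.212.0.1"))
    print("tunnel-IP ping, wide selectors:",
          flow_protected(FGT_WIDE, SOPHOS_WIDE, "10.212.0.6", "10.212.0.1"))
    print("negotiated pairs (wide):", negotiated_pairs(FGT_WIDE, SOPHOS_WIDE))
```

Two caveats. Covering selectors are necessary but not sufficient: the static route toward the tunnel interface and the firewall policy still have to match, which is what AEK's debug flow commands show. And with a route-based tunnel and 0.0.0.0/0 remote selectors, the routing table rather than the selector decides what enters the tunnel, so a missing route on either end still produces the "tunnel up, no traffic" symptom from the question.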