FortiGate
achu
Staff
Article Id 309626
Description This article describes how to troubleshoot a Site-to-Site IPsec VPN between FortiGate and Sophos XG Firewall in which both peers effectively act as responders, so phase 1 never comes up.
Scope FortiGate, VPN.
Solution

In this setup, both FortiGate and Sophos have a static public IP address, and each is configured with the other's public IP as the VPN peer. Sophos is hardcoded as a responder (Gateway type 'Respond only'). On FortiGate, passive mode is disabled, so FortiGate initiates, yet the phase 1 tunnel cannot be formed when the IKE request comes from FortiGate. If the negotiation is initiated from Sophos, the phase 1 tunnel is established.

 

diagram.png

 

Verify the phase 1 configuration and VPN ike gateway list on FortiGate:

 

show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "test"
        set interface "port1"
        set ike-version 2
        set keylife 5400
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256
        set localid "test@mail.com"
        set dhgrp 14
        set nattraversal disable
        set remote-gw 200.2.2.1
        set psksecret ENC v9yzWrHhqJz8KUZzOpebX4FgvwtEQBGQz4Y4MvOLbO+jG6jYxhQg/zmDoNv2GcuAPWbIlyfxsd/mmrmp2uZQFFhUbOLjrLv6Y0SZzAPjUaB0CwjTosCu3jANhHFCdnORoihyDstOYAkGKtj7CeNr/OyshAq3RiHEM9J1MJthHdfLxj3BPvPa2pWCp8g3wwBv1IoBUQ==
    next
end

 

diagnose vpn ike gateway list
vd: root/0
name: test
version: 2
interface: port1 3
addr: 200.1.1.1:500 -> 200.2.2.1:500
tun_id: 200.2.2.1/::200.2.2.1
remote_location: 0.0.0.0
network-id: 0
created: 19s ago
PPK: no
IKE SA: created 1/1
IPsec SA: created 1/1

  id/spi: 25 c30707ba82dc4fa1/0000000000000000
  direction: responder
  status: connecting, state 3, started 19s ago

 

Verify that the Sophos Gateway type is set to responder:

 Picture2.png


The following methods can be used to identify the issue:

  1. Check the packet capture for phase 1 on FortiGate.

     In the traffic captured for VPN phase 1, FortiGate sends the IKE_SA_INIT request to Sophos but receives no response.

 

Untitled.png

 

  2. Run the IKE debug. The same IKE_SA_INIT is retransmitted repeatedly (RETRANSMIT_SA_INIT) and the negotiation eventually times out: FortiGate receives no reply at all from the VPN peer.

 

diagnose debug application ike -1
Debug messages will be on for 30 minutes.
diagnose debug enable
ike 0:test:test: IPsec SA connect 3 200.1.1.1->200.2.2.1:0
ike 0:test:test: using existing connection
ike 0:test:test: config found
ike 0:test: request is on the queue
ike 0:test:632: out 96DCF78223C80F210000000000000000212022080000000000000180220000300000002C010100040300000C0100000C800E0100030000080200
0005030000080300000C000000080400000E28000108000E0000DBE6803F745EB58DD789DDECEDBAEDD80FDCB6FD3C2D3854E60CFAD6C1B2A802633DB4CBD84601F378C2
70BE723DED854B2AA401432E21B7FA70C598B030531C071B07B97A2445A1C839208C148DFC012181E984F104E3BFCC47D5846BC6AF9C1B7E88F90048D943A26AEE8686CE
0C570282B101B427A16852A22C8A80F93EB021E1584B46DB4AA3FD1FE8552E653B62E078A06AE2216EF6E06BDEB9BA5DDC6590FBD5F880006861EF069581B84F2A841762
115845AE5F1374C216777DCC224E1B28F9D14D23910F8AAA3A2B1F3FCACC751950589DD5ACEFEB68E748B8F4A948FF03B6D75EBA898AC34FFFBB569EE439C3F61D72D12A
637A23CB7FEE8B6AB2B9290000246C1FD497B94869013D9A4CCE5DE0F669B1D5FD46B628AB146F904FCE5D8C2A56000000080000402E
ike 0:test:632: sent IKE msg (RETRANSMIT_SA_INIT): 200.1.1.1:500->200.2.2.1:500, len=384, vrf=0, id=96dcf78223c80f21/0000000000000000
ike 0:test:test: IPsec SA connect 3 200.1.1.1->200.2.2.1:0
ike 0:test:test: using existing connection
ike 0:test:test: config found
ike 0:test: request is on the queue
ike 0:test:632: negotiation timeout, deleting
ike 0:test: connection expiring due to phase1 down
ike 0:test: deleting
ike 0:test: deleted
ike 0:test: schedule auto-negotiate
ike 0:test:test: IPsec SA connect 3 200.1.1.1->200.2.2.1:0
ike 0:test:test: config found
ike 0:test: created connection: 0xfa49b80 3 200.1.1.1->200.2.2.1:500.
ike 0:test: IPsec SA connect 3 200.1.1.1->200.2.2.1:500 negotiating
ike 0:test: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:test:633: generate DH public value request queued
ike 0:test:633: out 518F47DE3B55378A0000000000000000212022080000000000000180220000300000002C010100040300000C0100000C800E0100030000080200
0005030000080300000C000000080400000E28000108000E00003A43C9CE2C7933264BE95C2C91B93ED488F41F635F3807F082587B954FD9B7E9C94A7208B7CA05649D30
51531A18C838E8941BD3B7804DB877A540174FFA5207E4811F191C09BFD38076272B817ACC186E48446CB42E0C099546E1194015D559BDA342141FC9D6EE11F2A786B526
3E258F9F1146FDFF375A694032A11AB827DC6626A7FC616FF240BCEF3939A6C7A2B2CF520369640C31283DE60C1F3AF7295A9C8609029505405BDEE4F30B8C9CB6E03262
73CF2335DC2DBC03AAFE085BE426FCFCCBC3C098F704FEDFDAB6F63DCDA0D424B3515CC8DFFF0CAD692D151322C79B832701A5943E338B480DC2B87F70B433F0BA7EB930
E88FB97B1C37A850E50F29000024EF565A50A5A00C7E57D4D837BCD7DDCA9320B65D23F27A8B57F093B82630FBEE000000080000402E
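The raw hex that the IKE debug prints after "out" can be decoded to confirm exactly what FortiGate is sending (exchange type, initiator flag, responder SPI, proposal and DH group), and the debug lines themselves can be summarized to separate "the peer never answered" from "the peer answered with an error". The following Python script is an added example and is not code from the Fortinet article or from Fortinet. It takes the first "out" message from the debug above as its input; DEBUG_EXCERPT is a constructed excerpt in the same log format (two RETRANSMIT lines and one timeout, whereas the article shows one retransmit). Payload, transform and notify codes follow RFC 7296.

```python
# Added example (not from the Fortinet article): decode the IKE_SA_INIT request that the
# FortiGate IKE debug prints after "out", and summarize retransmissions in the debug text.
# IKE_SA_INIT_HEX is the 384-byte message from the debug output above; DEBUG_EXCERPT is a
# constructed excerpt in the same log format. Numeric codes follow RFC 7296.
import re
import struct

EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD = {33: "SA", 34: "KE", 40: "Ni/Nr", 41: "N"}
TRANSFORM = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}
NOTIFY = {16430: "IKEV2_FRAGMENTATION_SUPPORTED"}

IKE_SA_INIT_HEX = (
    "96DCF78223C80F210000000000000000212022080000000000000180220000300000002C010100040300000C0100000C800E0100030000080200"
    "0005030000080300000C000000080400000E28000108000E0000DBE6803F745EB58DD789DDECEDBAEDD80FDCB6FD3C2D3854E60CFAD6C1B2A802633DB4CBD84601F378C2"
    "70BE723DED854B2AA401432E21B7FA70C598B030531C071B07B97A2445A1C839208C148DFC012181E984F104E3BFCC47D5846BC6AF9C1B7E88F90048D943A26AEE8686CE"
    "0C570282B101B427A16852A22C8A80F93EB021E1584B46DB4AA3FD1FE8552E653B62E078A06AE2216EF6E06BDEB9BA5DDC6590FBD5F880006861EF069581B84F2A841762"
    "115845AE5F1374C216777DCC224E1B28F9D14D23910F8AAA3A2B1F3FCACC751950589DD5ACEFEB68E748B8F4A948FF03B6D75EBA898AC34FFFBB569EE439C3F61D72D12A"
    "637A23CB7FEE8B6AB2B9290000246C1FD497B94869013D9A4CCE5DE0F669B1D5FD46B628AB146F904FCE5D8C2A56000000080000402E"
)

# Constructed excerpt: the same request retransmitted twice, then the timeout.
DEBUG_EXCERPT = """\
ike 0:test:632: sent IKE msg (RETRANSMIT_SA_INIT): 200.1.1.1:500->200.2.2.1:500, len=384, vrf=0, id=96dcf78223c80f21/0000000000000000
ike 0:test:632: sent IKE msg (RETRANSMIT_SA_INIT): 200.1.1.1:500->200.2.2.1:500, len=384, vrf=0, id=96dcf78223c80f21/0000000000000000
ike 0:test:632: negotiation timeout, deleting
ike 0:test: connection expiring due to phase1 down
ike 0:test: schedule auto-negotiate
"""


def parse_sa(body):
    """Decode SA payload proposals and their transforms (type, ID, optional key length)."""
    proposals, off = [], 0
    while off < len(body):
        _last, _, plen, num, proto, spi_size, ntrans = struct.unpack("!BBHBBBB", body[off:off + 8])
        toff, transforms = off + 8 + spi_size, []
        for _ in range(ntrans):
            _more, _, tlen, ttype, _, tid = struct.unpack("!BBHBBH", body[toff:toff + 8])
            t = {"type": TRANSFORM.get(ttype, ttype), "id": tid}
            if tlen > 8:  # the only IKEv2 transform attribute is Key Length (14), TV format
                atype, aval = struct.unpack("!HH", body[toff + 8:toff + 12])
                if atype & 0x7FFF == 14:
                    t["key_bits"] = aval
            transforms.append(t)
            toff += tlen
        proposals.append({"num": num, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals


def parse_ike(data):
    """Decode the IKEv2 header and walk the payload chain (SA, KE, nonce, notify)."""
    ispi, rspi, nxt, _ver, exch, flags, msgid, length = struct.unpack("!QQBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header says {length} bytes, got {len(data)}")
    msg = {"ispi": ispi, "rspi": rspi, "exchange": EXCHANGE.get(exch, exch),
           "initiator": bool(flags & 0x08), "response": bool(flags & 0x20),
           "message_id": msgid, "payloads": []}
    off = 28
    while nxt:
        ptype = nxt
        nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        p = {"type": PAYLOAD.get(ptype, ptype)}
        if ptype == 33:
            p["proposals"] = parse_sa(body)
        elif ptype == 34:  # KE: DH group, 2 reserved bytes, then the public value
            p["dh_group"] = struct.unpack("!H", body[:2])[0]
            p["key_len"] = len(body) - 4
        elif ptype == 40:
            p["nonce_len"] = len(body)
        elif ptype == 41:  # Notify: protocol ID, SPI size, notify type, SPI, data
            ntype = struct.unpack("!H", body[2:4])[0]
            p["notify"] = NOTIFY.get(ntype, ntype)
        msg["payloads"].append(p)
        off += plen
    return msg


RETRANSMIT = re.compile(r"\(RETRANSMIT_SA_INIT\): (\S+)->(\S+), .*id=([0-9a-f]+)/([0-9a-f]+)")


def summarize_debug(text):
    """Count IKE_SA_INIT retransmits per peer and negotiation timeouts. Retransmits with a
    zero responder SPI followed by a timeout mean the peer never answered at all; a
    proposal mismatch would instead show a reply carrying NO_PROPOSAL_CHOSEN."""
    retransmits, timeouts = {}, 0
    for line in text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            retransmits[m.group(2)] = retransmits.get(m.group(2), 0) + 1
        elif "negotiation timeout" in line:
            timeouts += 1
    return {"retransmits": retransmits, "timeouts": timeouts,
            "peer_silent": timeouts > 0 and bool(retransmits)}


if __name__ == "__main__":
    msg = parse_ike(bytes.fromhex(IKE_SA_INIT_HEX))
    print(f"{msg['exchange']} msgid={msg['message_id']} initiator={msg['initiator']} "
          f"ispi={msg['ispi']:016x} rspi={msg['rspi']:016x}")
    for p in msg["payloads"]:
        print(" ", p)
    print(summarize_debug(DEBUG_EXCERPT))
```

Run as a script, it prints the decoded header and payloads. For the message above that is an IKE_SA_INIT with the initiator flag set and a responder SPI of zero, a single proposal (AES-CBC with a 256-bit key, HMAC-SHA2-256 as PRF and integrity, DH group 14), a 256-byte KE value, a 32-byte nonce and the IKEV2_FRAGMENTATION_SUPPORTED notify; compare the proposal and group against the phase 1 settings on both peers. A summary with retransmits and a timeout but no reply confirms the peer is silent rather than rejecting the proposal. Stop the debug on FortiGate afterwards with 'diagnose debug disable'.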

 

  3. In the built-in packet capture on Sophos, the incoming IKE_SA_INIT from FortiGate shows Status 'Violation' with Reason 'Local_ACL'. This indicates the packet was dropped by the local service ACL (device access rules) on Sophos rather than being handed to the IPsec service, which is why the responder-only gateway never replies.

 Picture4.png


Picture5.png

 

  4. Sophos is set to responder but will still initiate the request when the connection button is triggered. On Sophos, select the red (inactive) icon next to the connection and confirm with 'OK' to initiate the connection.

 Picture6.png

 

Picture7.png

 

After initiating from Sophos, the tunnel is established successfully.

 

Picture8.png

 

In the packet capture on FortiGate, the IKE_SA_INIT now originates from Sophos and is accepted by FortiGate.

 

Untitled.png

 

Confirm that the phase 1 tunnel is up on FortiGate.

 Picture10.png

 

Since phase 1 is established successfully when the IKE request is initiated from Sophos, the solution is to make Sophos the initiator. On Sophos, double-click the VPN name or select the edit icon to modify the settings.


Picture11.png

 

Change the Gateway Type from 'Respond only' to 'Initiate the connection' and select Save. Make sure 'Active on save' is enabled so the tunnel is brought up immediately. With this setting Sophos initiates every connection and rekey; FortiGate, which already accepts the inbound IKE_SA_INIT as the capture shows, needs no change. If the tunnel must also be re-established from the FortiGate side, the Local_ACL drop seen in the Sophos packet capture has to be resolved on Sophos as well, since a responder that never receives the IKE_SA_INIT cannot answer it.

 

Picture12.png

 

Related articles:

Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity