Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JCPL
Staff & Editor
Staff & Editor

Created on ‎09-05-2024 10:39 PM Edited on ‎08-04-2025 11:01 PM By Moderator

Article Id 339424

Troubleshooting Tip: IPsec VPN with Sophos is not working

Description This article describes workarounds when a VPN tunnel cannot be established between a FortiGate and Sophos.
Scope FortiGate.
Solution

After configuring both using IKE v1, it is verified that the configuration is correct on both sides. However, phases 1 and 2 are still down.

If there are no restrictions in the tunnel configuration, change the IKE version from 1 to 2.

 

For configuring FortiGate and Sophos using IKE v2, refer to the following document: Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2.

 

If the tunnel is still down after configuring both devices correctly, run the following commands:

 

diagnose debug disable

diagnose debug reset

diagnose vpn ike log filter clear

diagnose vpn ike log filter rem-addr4 <Public IP>  <----- Sophos public IP.

diagnose debug application ike -1

diagnose debug enable

 

Notes:

  • If firmware older than v7.4.0 is being used, such as v7.2, v7.0, or v6.X, use the 'diagnose vpn ike log-filter dst-addr4' command instead of 'diagnose vpn ike log filter rem-addr4'.
  • Starting from v7.4.1, the  'diagnose vpn ike log filter dst-addr4command has been changed to 'diagnose vpn ike log filter rem-addr4'.

 

If the following error is encountered when running the debug:

 

ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72
ike 0: in D4A1F7692BCDE5A453EF234D14B7891E2F213450123456780123D561234A1BC97543EF98A5

6C9D8A43BC5D9A79C5B7A42BDFE498DC3AFDB10C23456789ABCDEF0
ike 0:IPSECVPN_Test:1535625: dec 65D3AE182A9BF8E453CD353C74A2861E2E2023200000000100000028290000040000000801000018
ike 0:IPSECVPN_Test:1535625: initiator received AUTH msg
ike 0:IPSECVPN_Test:1535625: received notify type AUTHENTICATION_FAILED

 

If the IKE debug message shows a 'malformed responder cookie', verify whether the FortiGate has a local ID configured and whether the Sophos device has the corresponding peer ID set correctly.

 

Make the following changes:

 

  1. FortiGate:

 

config vpn ipsec phase-interface

    edit " Tunnel"
        set localid-type address
        set localid 79.88.88.88 <- Public IP address of the FortiGate.
end

 

Note:

  • The default local ID (string) on IPsec for FortiGate is the IP address of the interface to which the IPsec tunnel is bound
  • The FortiGate is sending a string when the local ID is set to type auto, which is not understandable by the remote device, which is why it is recommended to change the localid-type to address.

 

  1. Sophos: Configure the remote ID to identify the remote clients, select the IP Address option, and enter the FortiGate public IP address.

 

1.PNG

 

After the changes, the authentication error will be fixed, and both phases of the tunnel will be up.

Note: Authentication failure can also be related to pre-shared key (PSK) mismatch.
2373
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.