Description | This article describes workarounds when a VPN tunnel cannot be established between a FortiGate and Sophos. |
Scope | FortiGate. |
Solution |
After configuring both devices with IKEv1, the configuration is verified to be correct on both sides, yet phases 1 and 2 remain down. If nothing in the tunnel configuration requires IKEv1, change the IKE version from 1 to 2.
For configuring FortiGate and Sophos using IKE v2, refer to the following document: Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2
If the tunnel is still down after configuring both devices correctly, run the following commands:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
diagnose vpn ike log-filter rem-addr4 <Public IP>    <----- Sophos public IP.
diagnose debug application ike -1
diagnose debug enable
Notes:
If the following error is encountered when running the debug:
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72 6C9D8A43BC5D9A79C5B7A42BDFE498DC3AFDB10C23456789ABCDEF0
Make the following changes:
config vpn ipsec phase1-interface
    edit "Tunnel"
        set localid-type address
    next
end
Note: When the local ID type is set to auto, the FortiGate sends an identifier string that the remote device cannot interpret, which is why it is recommended to change the localid-type to address.
After this change, the authentication error is resolved and both phases of the tunnel come up. |
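As an added example (not part of the Fortinet article), a small Python parser for IKE debug lines in the format quoted above: it groups exchanges by IKE SA and flags an AUTH_RESPONSE that is too short to be a successful IKE_AUTH reply, which is the symptom this tip addresses. The sample debug lines and the 100-byte threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "diagnose debug application ike -1" output, modelled on the
# single AUTH_RESPONSE line the article quotes; the SA_INIT/AUTH lines are made up.
SAMPLE_DEBUG = """\
ike 0: IKEv2 exchange=SA_INIT id=554498e2804b4c46/0000000000000000 len=456
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a len=440
ike 0: IKEv2 exchange=AUTH id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=320
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72 6C9D8A43BC5D9A79
ike 0: comes 203.0.113.10:500->198.51.100.20:500 (unrelated line, ignored)
"""

# One IKEv2 exchange line: exchange name, initiator/responder SPI, optional message id, length.
LINE_RE = re.compile(
    r"^ike \d+: IKEv2 exchange=(?P<exchange>\w+) "
    r"id=(?P<ispi>[0-9a-f]{16})/(?P<rspi>[0-9a-f]{16})(?::(?P<msgid>[0-9a-f]{8}))? "
    r"len=(?P<length>\d+)"
)

# Assumed heuristic threshold (not from the article): a successful IKE_AUTH response
# carries IDr, AUTH, SA and traffic-selector payloads inside the encrypted payload and
# is far larger than this; a response this small can only hold a Notify (a failure).
MIN_OK_AUTH_RESPONSE_LEN = 100


def parse_exchanges(debug_text):
    """Return one dict per IKEv2 exchange line; lines in other formats are skipped."""
    parsed = []
    for line in debug_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["length"] = int(rec["length"])
            parsed.append(rec)
    return parsed


def summarize_by_sa(exchanges):
    """Group exchanges by initiator SPI; flag SAs whose AUTH_RESPONSE is too short to be a success."""
    sas = defaultdict(lambda: {"exchanges": [], "short_auth_response": False})
    for rec in exchanges:
        sa = sas[rec["ispi"]]
        sa["exchanges"].append(rec["exchange"])
        if rec["exchange"] == "AUTH_RESPONSE" and rec["length"] < MIN_OK_AUTH_RESPONSE_LEN:
            sa["short_auth_response"] = True
    return dict(sas)
```

Running summarize_by_sa(parse_exchanges(SAMPLE_DEBUG)) marks the sample SA as a failed authentication, the point at which the localid-type change above applies.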
Copyright 2025 Fortinet, Inc. All Rights Reserved.