JCPL, Staff
Article Id 339424
Description This article describes workarounds for when a VPN tunnel cannot be established between a FortiGate and Sophos.
Scope FortiGate.
Solution

After configuring both devices with IKEv1 and verifying that the configuration is correct on both sides, phase 1 and phase 2 remain down.

If the tunnel configuration has no restriction on the IKE version, change it from IKEv1 to IKEv2.

For configuring FortiGate and Sophos using IKE v2, refer to the following document:

Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2

If the tunnel is still down after configuring both devices correctly, run the following commands:

diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
diagnose vpn ike log-filter rem-addr4 <Public IP>    <----- Sophos public IP.
diagnose debug application ike -1
diagnose debug enable

Note: on firmware older than FortiOS 7.4 (7.2, 7.0, or 6.x), use the 'diagnose vpn ike log-filter dst-addr4' command instead of 'diagnose vpn ike log-filter rem-addr4'.

If the following error is encountered when running the debug:

ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72
ike 0: in D4A1F7692BCDE5A453EF234D14B7891E2F213450123456780123D561234A1BC97543EF98A56C9D8A43BC5D9A79C5B7A42BDFE498DC3AFDB10C23456789ABCDEF0
ike 0:IPSECVPN_Test:1535625: dec 65D3AE182A9BF8E453CD353C74A2861E2E2023200000000100000028290000040000000801000018
ike 0:IPSECVPN_Test:1535625: initiator received AUTH msg
ike 0:IPSECVPN_Test:1535625: received notify type AUTHENTICATION_FAILED

Make the following changes:

1. FortiGate:

config vpn ipsec phase1-interface
    edit "Tunnel"
        set localid-type address
        set localid 79.88.88.88    <- Public IP address of the FortiGate.
    next
end

2. Sophos:

Configure the remote ID to identify the remote clients: select the IP Address option and enter the FortiGate public IP address.

After the changes, the authentication error is resolved and both phases of the tunnel come up.
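As an added example (not part of this article and not a Fortinet tool), the following Python script parses saved output of 'diagnose debug application ike -1', extracts each 'received notify type' line together with the IKEv2 exchange that preceded it, groups the results per tunnel, and attaches the check described in this article for AUTHENTICATION_FAILED. The embedded sample reuses the debug lines quoted above and adds two constructed lines (a second tunnel named 'Branch_Tunnel' and a NO_PROPOSAL_CHOSEN notify); the SPIs and exchange header in those constructed lines are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first four lines are the debug output quoted in the
# article; the last two are added here to show a second tunnel and a second
# notify type (NO_PROPOSAL_CHOSEN is a standard IKEv2 notify). SPIs in the
# added exchange header are invented.
SAMPLE_DEBUG = """\
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72
ike 0:IPSECVPN_Test:1535625: dec 65D3AE182A9BF8E453CD353C74A2861E2E2023200000000100000028290000040000000801000018
ike 0:IPSECVPN_Test:1535625: initiator received AUTH msg
ike 0:IPSECVPN_Test:1535625: received notify type AUTHENTICATION_FAILED
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=0a1b2c3d4e5f6071/8192a3b4c5d6e7f8:00000000 len=36
ike 0:Branch_Tunnel:1535700: received notify type NO_PROPOSAL_CHOSEN
"""

# "ike <n>: IKEv2 exchange=<name> id=<initiator SPI>/<responder SPI>:<msgid> ..."
EXCHANGE_RE = re.compile(
    r"^ike \d+: IKEv2 exchange=(?P<exchange>\S+) "
    r"id=(?P<ispi>[0-9a-f]+)/(?P<rspi>[0-9a-f]+):(?P<msgid>[0-9a-f]+)"
)
# "ike <n>:<tunnel name>:<serial>: received notify type <NOTIFY>"
NOTIFY_RE = re.compile(
    r"^ike \d+:(?P<tunnel>[^:]+):(?P<serial>\d+): received notify type (?P<notify>[A-Z_]+)"
)

# Hints are written from the defender's side: what to verify when the notify
# appears. The AUTHENTICATION_FAILED entry is the fix given in this article.
HINTS = {
    "AUTHENTICATION_FAILED": (
        "Peer rejected IKE_AUTH. Verify the FortiGate local ID "
        "(set localid-type address / set localid <FortiGate public IP>) "
        "matches the remote ID configured on the Sophos side."
    ),
    "NO_PROPOSAL_CHOSEN": (
        "Peer found no acceptable proposal. Compare encryption, integrity "
        "and DH group settings on both sides."
    ),
}


def parse_ike_debug(text):
    """Return (tunnel, serial, exchange, notify) tuples, one per
    'received notify type' line. 'exchange' is the most recent IKEv2 exchange
    header seen before that line, or None if no header preceded it."""
    events = []
    current_exchange = None
    for line in text.splitlines():
        m = EXCHANGE_RE.match(line)
        if m:
            current_exchange = m.group("exchange")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            events.append(
                (m.group("tunnel"), int(m.group("serial")), current_exchange, m.group("notify"))
            )
    return events


def diagnose(text):
    """Group notify events by tunnel name and attach one hint per notify type."""
    report = defaultdict(lambda: {"notifies": [], "hints": []})
    for tunnel, _serial, exchange, notify in parse_ike_debug(text):
        entry = report[tunnel]
        entry["notifies"].append((exchange, notify))
        hint = HINTS.get(notify, "No hint for this notify type; inspect the full debug output.")
        if hint not in entry["hints"]:
            entry["hints"].append(hint)
    return dict(report)


if __name__ == "__main__":
    for tunnel, entry in diagnose(SAMPLE_DEBUG).items():
        print(f"Tunnel {tunnel}:")
        for exchange, notify in entry["notifies"]:
            print(f"  {exchange}: {notify}")
        for hint in entry["hints"]:
            print(f"  -> {hint}")
```

To use it on a real capture, save the CLI output to a file and pass its contents to diagnose(); the regexes only depend on the 'exchange=' and 'received notify type' line shapes shown above, so 'dec'/'in' hex dump lines are ignored.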