Created on 09-05-2024 10:39 PM
Edited on 08-04-2025 11:01 PM
By Jean-Philippe_P
Description: This article describes workarounds when a VPN tunnel cannot be established between a FortiGate and Sophos.
Scope: FortiGate.
Solution:
After configuring both devices with IKE v1 and verifying that the configuration is correct on both sides, phase 1 and phase 2 may still remain down. If nothing in the tunnel configuration requires IKE v1, change the IKE version from 1 to 2.
For configuring FortiGate and Sophos using IKE v2, refer to the following document: Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2.
If the tunnel is still down after configuring both devices correctly, run the following commands:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 <Public IP> <----- Sophos public IP.
diagnose debug application ike -1
diagnose debug enable
Notes:
If the following error is encountered when running the debug:
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72 6C9D8A43BC5D9A79C5B7A42BDFE498DC3AFDB10C23456789ABCDEF0
If the IKE debug message shows a 'malformed responder cookie', verify whether the FortiGate has a local ID configured and whether the Sophos device has the corresponding peer ID set correctly.
Make the following changes:
config vpn ipsec phase1-interface
    edit "Tunnel"
Notes:
After the changes, the authentication error will be fixed, and both phases of the tunnel will be up.
Authentication failure can also be related to a pre-shared key (PSK) mismatch.
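The debug procedure above (filter on the Sophos public IP, run the IKE debug, then look for the exchange at which the negotiation stops and for an error string such as 'malformed responder cookie') can be automated for long captures. The following is an added example, not Fortinet code: it parses exchange header lines in the shape shown in this article, groups them per IKE SA, and maps known error substrings to the check the article recommends. The sample debug output is constructed (only the AUTH_RESPONSE line is quoted from the article), and the pre-shared secret wording used for the PSK hint is an assumption, not a verified FortiOS message.

```python
"""Triage helper for FortiGate 'diagnose debug application ike -1' output.

Added example (not Fortinet code). Assumptions are marked in comments.
"""
import re
from typing import Dict, List, Optional

# Header of an IKE debug line in the shape shown in the article:
#   ike 0: IKEv2 exchange=AUTH_RESPONSE id=<SPIi>/<SPIr>:<msgid> len=<bytes> <hex...>
IKE_LINE = re.compile(
    r"^ike \d+: IKEv(?P<version>[12]) exchange=(?P<exchange>\S+) "
    r"id=(?P<spi_i>[0-9a-f]{16})/(?P<spi_r>[0-9a-f]{16}):(?P<msgid>[0-9a-f]{8}) "
    r"len=(?P<length>\d+)"
)

# Substrings that point at a known cause, mapped to the check the article recommends.
# 'malformed responder cookie' is quoted from the article; the PSK wording is an
# ASSUMPTION used for this constructed example, not a verified FortiOS string.
HINTS: Dict[str, str] = {
    "malformed responder cookie":
        "IKE ID mismatch: verify the FortiGate local ID and the Sophos peer ID.",
    "probable pre-shared secret mismatch":
        "PSK mismatch: verify the pre-shared key on both FortiGate and Sophos.",
}


def parse_ike_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one exchange header line, or None for any other line."""
    m = IKE_LINE.match(line)
    if m is None:
        return None
    fields: Dict[str, object] = m.groupdict()
    fields["length"] = int(m.group("length"))  # payload length in bytes
    return fields


def analyse_debug(lines: List[str]) -> Dict[str, object]:
    """Group exchanges per IKE SA (keyed by initiator SPI) and collect cause hints."""
    per_sa: Dict[str, List[str]] = {}
    hints: List[str] = []
    for line in lines:
        parsed = parse_ike_line(line)
        if parsed is not None:
            per_sa.setdefault(str(parsed["spi_i"]), []).append(str(parsed["exchange"]))
        lowered = line.lower()
        for needle, hint in HINTS.items():
            if needle in lowered and hint not in hints:
                hints.append(hint)
    # Where each SA stopped: the last exchange seen for it (AUTH/AUTH_RESPONSE
    # with no later traffic means the negotiation died at authentication).
    stopped_at = {spi: exchanges[-1] for spi, exchanges in per_sa.items()}
    return {"per_sa": per_sa, "stopped_at": stopped_at, "hints": hints}


# Constructed sample output (not a real capture). The AUTH_RESPONSE line is the one
# quoted in the article; the others are made up to show an IKEv2 negotiation that
# reaches authentication and then fails with the error string the article names.
SAMPLE_DEBUG = """\
ike 0: IKEv2 exchange=SA_INIT id=554498e2804b4c46/0000000000000000:00000000 len=312
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000000 len=296
ike 0: IKEv2 exchange=AUTH id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=208
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72 6C9D8A43BC5D9A79C5B7A42BDFE498DC3AFDB10C23456789ABCDEF0
ike 0:Tunnel: malformed responder cookie
"""

if __name__ == "__main__":
    result = analyse_debug(SAMPLE_DEBUG.splitlines())
    for spi, exchanges in result["per_sa"].items():
        print(f"SA {spi}: {' -> '.join(exchanges)}  (stopped at {result['stopped_at'][spi]})")
    for hint in result["hints"]:
        print("HINT:", hint)
```

Paste the saved debug output into a file and feed its lines to `analyse_debug()`; an SA whose last exchange is AUTH or AUTH_RESPONSE together with the IKE ID hint points straight at the local ID / peer ID check described above, while the same stall without that string is the cue to compare the PSKs.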
Copyright 2025 Fortinet, Inc. All Rights Reserved.