Description: This article describes workarounds for when a VPN tunnel cannot be established between a FortiGate and Sophos.
Scope: FortiGate.
Solution:
After configuring both devices with IKE v1 and verifying that the configuration is correct on both sides, phase 1 and phase 2 may still be down. If the tunnel configuration does not restrict the IKE version, change it from IKE v1 to IKE v2.
For configuring FortiGate and Sophos using IKE v2, refer to the following document: Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2
If the tunnel is still down after configuring both devices correctly, run the following commands:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
diagnose vpn ike log-filter rem-addr4 <Public IP>   <----- Sophos public IP.
diagnose debug application ike -1
diagnose debug enable
Note: if firmware older than FortiOS 7.4 is being used, such as 7.2, 7.0, or 6.X, use the 'diagnose vpn ike log-filter dst-addr4' command instead of 'diagnose vpn ike log-filter rem-addr4'.
If the following error is encountered when running the debug:
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72 6C9D8A43BC5D9A79C5B7A42BDFE498DC3AFDB10C23456789ABCDEF0
Make the following changes:
config vpn ipsec phase1-interface
    edit "Tunnel"
Configure the remote ID used to identify the remote clients: select the IP Address option and enter the FortiGate public IP address.
After the changes, the authentication error will be fixed and both phases of the tunnel will be up.
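As an added example that is not part of the Fortinet article: a small Python helper that reads the 'diagnose debug application ike -1' output described above, groups the IKEv2 exchange lines by initiator SPI and reports how far each SA got, so that a short AUTH_RESPONSE like the 72-byte one shown stands out as an authentication rejection rather than a proposal or reachability problem. The sample debug text is constructed, and the length threshold is a heuristic assumption, not a value from the page.

```python
import re

# One IKEv2 exchange line from `diagnose debug application ike -1`, in the shape shown on
# the page:  ike 0: IKEv2 exchange=AUTH_RESPONSE id=<iSPI>/<rSPI>:<msgid> len=72 <hex...>
EXCHANGE_RE = re.compile(
    r"^ike\s*\d+:\s*IKEv2 exchange=(?P<exchange>[A-Z_]+)\s+"
    r"id=(?P<ispi>[0-9a-f]{16})/(?P<rspi>[0-9a-f]{16}):(?P<msgid>[0-9a-f]{8})\s+len=(?P<length>\d+)"
)

# Heuristic threshold (assumption, not from the page): an IKE_AUTH response that completes
# authentication carries IDr, AUTH, SA and traffic-selector payloads and is far longer than
# this; a 72-byte response like the one on the page can only hold a notification payload.
MIN_GOOD_AUTH_RESPONSE_LEN = 120

# Constructed sample debug output (not captured from a real device), modelled on the page's
# line: one SA that is rejected at IKE_AUTH and one that never gets an SA_INIT reply.
SAMPLE_DEBUG = """\
ike 0: IKEv2 exchange=SA_INIT id=554498e2804b4c46/0000000000000000:00000000 len=292
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000000 len=276
ike 0: IKEv2 exchange=AUTH id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=256
ike 0: IKEv2 exchange=AUTH_RESPONSE id=554498e2804b4c46/9352e4e98f9c4c1a:00000001 len=72 6C9D8A43BC5D9A79
ike 0: IKEv2 exchange=SA_INIT id=0123456789abcdef/0000000000000000:00000000 len=292
"""

def parse_exchanges(debug_output):
    """Return (ispi, exchange, length) for every IKEv2 exchange line; other lines are skipped."""
    events = []
    for line in debug_output.splitlines():
        m = EXCHANGE_RE.match(line.strip())
        if m:
            events.append((m["ispi"], m["exchange"], int(m["length"])))
    return events

def assess_ike_sas(debug_output):
    """Map each initiator SPI to a verdict on how far that IKEv2 SA got."""
    per_sa = {}
    for ispi, exchange, length in parse_exchanges(debug_output):
        per_sa.setdefault(ispi, []).append((exchange, length))
    verdicts = {}
    for ispi, exchanges in per_sa.items():
        lengths = dict(exchanges)  # last length seen per exchange type
        if "AUTH_RESPONSE" not in lengths:
            verdicts[ispi] = "stalled before IKE_AUTH (check IKE version, proposals, reachability)"
        elif lengths["AUTH_RESPONSE"] < MIN_GOOD_AUTH_RESPONSE_LEN:
            verdicts[ispi] = "IKE_AUTH rejected by peer (check local/remote ID and pre-shared key)"
        else:
            verdicts[ispi] = "IKE_AUTH completed"
    return verdicts
```

Paste the captured debug output in place of SAMPLE_DEBUG and call assess_ike_sas() on it; the verdict for each SPI points at which part of the page's procedure (IKE version, or the remote ID fix) applies.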
Copyright 2024 Fortinet, Inc. All Rights Reserved.