Fortinet Forum
yns_sa
New Contributor

IPsec site to site Sophos Fortinet not established

Hi all, 

Has someone successfully set up an IPsec VPN between Sophos and FortiGate? If somebody can post a working configuration, I would appreciate it.

thank you all
vponmuniraj

Hi,

Looking at the debug, we can see P1_RETRANSMIT and timeouts. There are no responses from the peer to the 1st message, or possibly the 1st message from the peer did not reach the FGT.

Check if the config is done on the peer and whether the ISP or any other device is blocking UDP 500.

Regards,

Vignesh
yns_sa

It's the same result from Sophos. By the way, the FG is paired with another FG correctly, and I succeeded in peering this FortiGate with a Zyxel firewall, and also the Sophos with the Zyxel.

So that's why I'm asking for the correct configuration to peer Sophos with FG.

seshuganesh

It seems like we are not getting a response from Sophos. Are you observing the same one-sided traffic on the Sophos side as well?

If so, check with the ISP and tell them there is only one-way communication.

sagha
Staff

Hi, 

 

There seems to be an issue with communication between the two devices, as we can see a lot of P1_RETRANSMITs. You need to check that you have two-way traffic between the FGT and the remote host.

 

Share the output of this command:

diagnose sniffer packet any "host 196.206.X.X and (port 500 or port 4500)" 4 0 l

 

On the FGT, it appears that you are using a private IP, and probably there is NAT in place on some other device. You will have to ensure that inbound NAT is also configured so that the IPsec traffic makes it to the FGT.

 

Thank you. 

Shahan Agha

rarumugam
Staff

Hello yns_sa,

 

As per the logs, FortiGate is acting as the initiator, where it starts the VPN negotiation by sending the 1st message of Phase-1. Below is the snippet:

 

ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out

ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000

 

However, there is no response from the peer end (i.e. Sophos). Hence the negotiation times out/fails after a few retries.

 

ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000 >>> retry/retransmit

 

ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted

 

There could be two possibilities:

1) Reachability issue between the two sites (FortiGate and Sophos)

2) Sophos not accepting the VPN message from FortiGate (could be due to a proposal mismatch).

 

Possibility #1:

  • Run a packet capture at the Sophos to verify whether the VPN message sent from FortiGate is reaching its end or not. If the messages are not received at the Sophos end, this indicates a connectivity problem between the sites.
  • Ping the Sophos VPN gateway IP 196.206.X.X from FortiGate and check if it is pingable. If not, run a regular traceroute to 196.206.X.X from FortiGate to identify the hop at which the traffic is failing. Then check with the respective ISP to rectify the connectivity.
  • In case the ping between the two sites is successful but the VPN messages on UDP 500 from one end are not reaching the other, run a UDP traceroute from a PC behind FortiGate to the Sophos IP on UDP port 500 to identify the hop at which the traffic is failing.
  • You could use the "udptrace.exe" tool for running a UDP traceroute; it can be downloaded from "https://chrislloyd.co/udptrace/".

Possibility #2:

  • If the VPN messages are reaching the Sophos but it is not responding, make sure the phase1 proposals are the same on both ends and check the Sophos logs for a more detailed reason.

 

 

Rambharathi Arumugam
sw2090
Honored Contributor

OK, we see the FGT (re)transmitting messages to the Sophos but we do not see any response. This could mean, as Rambharathi wrote, that there is some issue in reachability between the FGT and the Sophos. It could also mean that some error occurred on the Sophos which prevents it from responding.

This is a weak point in basic IPsec debugging (not Fortinet specific): if there is an error on one side, mostly the opposite side doesn't get the error but only no response from the peer or similar.

So you might also check the logs on the Sophos to see if it reported any error during negotiation...

One reason why I don't like to debug IPsec ;)


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

yns_sa
New Contributor

Thank you. Now I have the following error:

Branch-Oncorad # ike 0:forti_sofos_vpn:forti_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:forti_sofos_vpn:forti_sophos: config found
ike 0:forti_sofos_vpn: created connection: 0x553f5d8 7 10.10.20.2->196.206.X.X:500.
ike 0:forti_sofos_vpn: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:forti_sofos_vpn: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:forti_sofos_vpn:66050: out
ike 0:forti_sofos_vpn:66050: sent IKE msg (SA_INIT): 10.10.20.2:500->196.206.X.X:500, len=336, id=28a194ba6754f0f0/0000000000000000
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=28a194ba6754f0f0/81c07845925bf6c6 len=268
ike 0: in
ike 0:forti_sofos_vpn:66050: initiator received SA_INIT response
ike 0:forti_sofos_vpn:66050: processing notify type FRAGMENTATION_SUPPORTED
ike 0:forti_sofos_vpn:66050: processing notify type 16404
ike 0:forti_sofos_vpn:66050: incoming proposal:
ike 0:forti_sofos_vpn:66050: proposal id = 1:
ike 0:forti_sofos_vpn:66050: protocol = IKEv2:
ike 0:forti_sofos_vpn:66050: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66050: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66050: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66050: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66050: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66050: matched proposal id 1
ike 0:forti_sofos_vpn:66050: proposal id = 1:
ike 0:forti_sofos_vpn:66050: protocol = IKEv2:
ike 0:forti_sofos_vpn:66050: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66050: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66050: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66050: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66050: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66050: lifetime=5400
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_ei 32:92BFBC565828DC025F8576394E8B9E1E6B3B726264692B8B661996E7852C0B0B
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_er 32:D7C56DFFB2F2C8981941E86D56594BF5541085DCF7FE99E07AE7E9867E08F482
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_ai 64:96EC1CE33F02A1CEBDB38E4EDFE3AE115A4B6EC00FC4033DEF2B737DD0BB56F8A1B39925F2A606CF10C23C00CF9037C71AE4ADA0AA91A996E3AD31AFE380AA60
ike 0:forti_sofos_vpn:66050: IKE SA 28a194ba6754f0f0/81c07845925bf6c6 SK_ar 64:185A1FF1098AC21D2D069DB4BCAE25E04B50732D8F4BD47E0E4A187FD439EEF7FFD5C1B5CAD28C4A1D22B8EEEA2EF66EE3755A94B5310C51B181CD5198877459
ike 0:forti_sofos_vpn:66050: initiator preparing AUTH msg
ike 0:forti_sofos_vpn:66050: sending INITIAL-CONTACT
ike 0:forti_sofos_vpn:66050: enc
ike 0:forti_sofos_vpn:66050: out
ike 0:forti_sofos_vpn:66050: sent IKE msg (AUTH): 10.10.20.2:500->196.206.X.X:500, len=336, id=28a194ba6754f0f0/81c07845925bf6c6:00000001
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=AUTH_RESPONSE id=28a194ba6754f0f0/81c07845925bf6c6:00000001 len=96
ike 0: in 28A194BA6754F0F081C07845925BF6C62E202320000000010000006029000044D98D5792F8C4637E1A42B3B232B5D8B58AED86DBC0B83AB684023A49D067C94EB2489DE85F692D2B8482AC79B7AB4C17D8F056B88F65C6654DFFAB06C30EA7E9
ike 0:forti_sofos_vpn:66050: dec 28A194BA6754F0F081C07845925BF6C62E2023200000000100000028290000040000000800000018
ike 0:forti_sofos_vpn:66050: initiator received AUTH msg
ike 0:forti_sofos_vpn:66050: received notify type AUTHENTICATION_FAILED
ike 0:forti_sofos_vpn:66050: schedule delete of IKE SA 28a194ba6754f0f0/81c07845925bf6c6
ike 0:forti_sofos_vpn:66050: scheduled delete of IKE SA 28a194ba6754f0f0/81c07845925bf6c6
ike 0:forti_sofos_vpn: connection expiring due to phase1 down
ike 0:forti_sofos_vpn: deleting
ike 0:forti_sofos_vpn: deleted
ike 0:forti_sofos_vpn: set oper down
ike 0:forti_sofos_vpn:forti_sophos: chosen to populate IKE_SA traffic-selectors
ike 0:forti_sofos_vpn: no suitable IKE_SA, queuing CHILD_SA request and initiating IKE_SA negotiation
ike 0:forti_sofos_vpn:66051: out
ike 0:forti_sofos_vpn:66051: sent IKE msg (SA_INIT): 10.10.20.2:500->196.206.X.X:500, len=336, id=8bd50917ec0ddd09/0000000000000000
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0: IKEv2 exchange=SA_INIT_RESPONSE id=8bd50917ec0ddd09/35558bd5e04599df len=268
ike 0: in
ike 0:forti_sofos_vpn:66051: initiator received SA_INIT response
ike 0:forti_sofos_vpn:66051: processing notify type FRAGMENTATION_SUPPORTED
ike 0:forti_sofos_vpn:66051: processing notify type 16404
ike 0:forti_sofos_vpn:66051: incoming proposal:
ike 0:forti_sofos_vpn:66051: proposal id = 1:
ike 0:forti_sofos_vpn:66051: protocol = IKEv2:
ike 0:forti_sofos_vpn:66051: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66051: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66051: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66051: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66051: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66051: matched proposal id 1
ike 0:forti_sofos_vpn:66051: proposal id = 1:
ike 0:forti_sofos_vpn:66051: protocol = IKEv2:
ike 0:forti_sofos_vpn:66051: encapsulation = IKEv2/none
ike 0:forti_sofos_vpn:66051: type=ENCR, val=AES_CBC (key_len = 256)
ike 0:forti_sofos_vpn:66051: type=INTEGR, val=AUTH_HMAC_SHA2_512_256
ike 0:forti_sofos_vpn:66051: type=PRF, val=PRF_HMAC_SHA2_512
ike 0:forti_sofos_vpn:66051: type=DH_GROUP, val=ECP521.
ike 0:forti_sofos_vpn:66051: lifetime=5400
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_ei 32:FD9EF2351B5FC6771386F85F35153D4B7B0B9B51D65EA5606D6EE9F3A9F1DA60
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_er 32:3CEF112C69BE7384B65E916A44FCEAA616796F6D3348AFE48993A3C8D832E3B9
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_ai 64:31B8A8D8A7275EBB1327875406F2782D67DD3D49CA2272E2984488B3362DD21D1C31D3E4BCB4592F8B12C99C0A4814DAE7DC8BFE42C903F418B1A183FB1AC8AF
ike 0:forti_sofos_vpn:66051: IKE SA 8bd50917ec0ddd09/35558bd5e04599df SK_ar 64:1CF94E9D627347BA19155DD9772CD7529DB872B9A893883C7E40A3A93EA82608AA865DBAED992ABF90C46424FC0E327CA759334FA37EC27BE1BAA8B1629645DC
ike 0:forti_sofos_vpn:66051: initiator preparing AUTH msg
ike 0:forti_sofos_vpn:66051: sending INITIAL-CONTACT
ike 0:forti_sofos_vpn:66051: enc
ike 0:forti_sofos_vpn:66051: out
ike 0:forti_sofos_vpn:66051: sent IKE msg (AUTH): 10.10.20.2:500->196.206.X.X:500, len=336, id=8bd50917ec0ddd09/35558bd5e04599df:00000001

rarumugam

- It seems like you switched from IKEv1 to IKEv2 and FortiGate started receiving a response from the peer.

- Now the negotiation fails during the Auth phase.

- FortiGate receives "AUTHENTICATION_FAILED" from the peer.

- There could be a mismatch in the below parameters:

  • IKE ID
  • Preshared Key
  • Traffic Selectors (i.e. Phase2 proxy-ids)

- Looking at the logs, FortiGate seems to be behind a NAT device and holding a private IP address on its underlay side (10.10.20.2). The chances are high for a mismatch in the IKE ID. In such a case either set local-id on the FortiGate end or set peer-id on the remote end.

- However, compare the above mentioned parameters from both ends and correct them if there is any mismatch.

 

Rambharathi Arumugam
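Added here as an illustration (not code from the thread, from Fortinet or from Sophos): a small Python triage helper that applies the reasoning from Rambharathi's two replies to FortiGate IKE debug output. Repeated P1_RETRANSMIT lines with no inbound "comes" line point to the reachability problem in the first reply; an AUTHENTICATION_FAILED notify after a matched proposal points to the PSK / IKE ID / traffic-selector mismatch in the second. The sample captures are constructed from the shape of the logs quoted above, and the NO_PROPOSAL_CHOSEN branch is an assumption taken from the standard IKEv2 notify name rather than from anything in the thread.

```python
from collections import Counter

# Constructed sample captures shaped like the FortiGate IKE debug lines quoted in
# this thread; the peer address is kept as 196.206.X.X exactly as the thread masks it.
SAMPLE_IKEV1_NO_RESPONSE = """\
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168
ike 0:vpn_sophos:52503: negotiation timeout, deleting
"""

SAMPLE_IKEV2_AUTH_FAILED = """\
ike 0:forti_sofos_vpn:66050: sent IKE msg (SA_INIT): 10.10.20.2:500->196.206.X.X:500, len=336
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0:forti_sofos_vpn:66050: matched proposal id 1
ike 0:forti_sofos_vpn:66050: sent IKE msg (AUTH): 10.10.20.2:500->196.206.X.X:500, len=336
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=7....
ike 0:forti_sofos_vpn:66050: received notify type AUTHENTICATION_FAILED
"""

def triage_ike_debug(text):
    """Return (verdict, evidence) for a FortiGate IKE debug capture, following
    the thread's reasoning: only retransmits and nothing that 'comes' back means
    no response (reachability or a silent peer-side error); AUTHENTICATION_FAILED
    after the proposal matched means a PSK / IKE ID / selector mismatch."""
    ev = Counter()
    for line in text.splitlines():
        if "sent IKE msg (P1_RETRANSMIT)" in line:
            ev["retransmits"] += 1
        if line.startswith("ike 0: comes "):      # any packet received from the peer
            ev["inbound"] += 1
        if "negotiation timeout" in line:
            ev["timeouts"] += 1
        if "received notify type AUTHENTICATION_FAILED" in line:
            ev["auth_failed"] += 1
        # Assumed: standard IKEv2 notify name, not present in the thread's logs.
        if "received notify type NO_PROPOSAL_CHOSEN" in line:
            ev["no_proposal"] += 1
    if ev["auth_failed"]:
        verdict = "auth-mismatch"      # peer answered, then rejected AUTH
    elif ev["no_proposal"]:
        verdict = "proposal-mismatch"  # peer answered, rejected the proposals
    elif ev["inbound"] == 0 and (ev["retransmits"] or ev["timeouts"]):
        verdict = "no-response"        # nothing from peer: check UDP 500/4500 path
    else:
        verdict = "inconclusive"
    return verdict, dict(ev)
```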
sw2090
Honored Contributor

ike 0:forti_sofos_vpn:66050: initiator received AUTH msg
ike 0:forti_sofos_vpn:66050: received notify type AUTHENTICATION_FAILED

 

It did match the proposals but it failed to authenticate. Is your PSK correct on both sides?


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

yns_sa
New Contributor

Yes, the PSK is correct on both sides; I did a copy and paste.