Support Forum
longtran_cntt
New Contributor

Cannot ping from FortiGate site to Sophos site over IPsec

Hi all,

I've followed a Sophos guideline to configure IPsec between FortiGate and Sophos, and everything is working well: the VPN is up, and a user at the Sophos site can ping an IP at the FortiGate site, but a user at the FortiGate site cannot ping an IP at the Sophos site. The furthest I can get is a tracert to the local IP of the Sophos site, which reaches the default gateway and stops; nothing else.

I've tried many things: disabling the Windows firewall, checking the Sophos policies... and a deep dive into Google. I recognize there are some people who had the same problem as me and fixed it somehow, but no one posted the solution => I have no clue. Can anyone please tell me where I went wrong?

Thanks a lot.

1 Solution

emnoc
Esteemed Contributor III

longtran_cntt wrote:

    I think when I can reach the default gateway of the remote site, it means the tunnel between me (FortiGate) and the remote site (Sophos) is clear to go; the problem is why the remote site does not reply to my ICMP?

Did you do any of the testing suggestions provided earlier? Without some basic diagnostics, you're guessing. All of the diagnostics are 1-2-3 steps and confirm vs. "thinking", which is really guessing, imho.

Ken Felix

PCNSE NSE StrongSwan
7 Replies
emnoc
Esteemed Contributor III

The cmd "diag debug flow" should be used here. This does a few items:

  • ensures your policy is matched, or shows what was matched (policy ordering is crucial when other policies are in play)
  • shows the encrypt action
  • shows routing, or the lack of it

Since this is route-based, make sure a route to the destination exists via the VN-SL interface.

e.g. (x.x.x.x/xx is the remote network)

    config router static
        edit 0
            set dst x.x.x.x/xx
            set device VN-SL
        next
    end

Likewise make sure the Sophos UTM knows how to route back. Also you can confirm packets by dumping on the VN-SL interface.

And finally, do you have IPsec PH1/PH2 establishment?

e.g. (FortiOS CLI)

    diag vpn ike gateway
    diag vpn tunnel list

e.g. (FortiOS CLI)

    diag sniffer packet VN-SL "icmp"

Give that a try.

Ken Felix

PCNSE NSE StrongSwan
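As an added example (not code from this thread or from Fortinet), here is a small Python parser for the verbosity-4 output of `diag sniffer packet VN-SL "icmp" 4`, the dump Ken suggests above: it pairs echo requests leaving the tunnel interface with the replies that come back, so a one-way ICMP pattern like the one in this thread is visible at a glance. The capture text is constructed, and every address in it is an assumption; only the interface name VN-SL comes from the post.

```python
import re
from collections import defaultdict

# Constructed sample of 'diag sniffer packet VN-SL "icmp" 4' output (verbosity 4
# prints interface and direction). Addresses are made up, not from the thread.
SAMPLE_CAPTURE = """\
interfaces=[VN-SL]
filters=[icmp]
0.102311 VN-SL out 192.168.10.20 -> 10.20.0.5: icmp: echo request
1.102455 VN-SL out 192.168.10.20 -> 10.20.0.5: icmp: echo request
2.102610 VN-SL out 192.168.10.20 -> 10.20.0.5: icmp: echo request
3.530771 VN-SL in 10.20.0.1 -> 192.168.10.20: icmp: echo request
3.530802 VN-SL out 192.168.10.20 -> 10.20.0.1: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: echo (?P<kind>request|reply)\s*$"
)

def parse_sniffer(text):
    """Yield (direction, src, dst, kind) for each ICMP echo line; header lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("dir"), m.group("src"), m.group("dst"), m.group("kind")

def echo_summary(text):
    """Per (local, remote) pair: echo requests sent out the tunnel vs. replies received."""
    stats = defaultdict(lambda: {"requests_out": 0, "replies_in": 0})
    for direction, src, dst, kind in parse_sniffer(text):
        if direction == "out" and kind == "request":
            stats[(src, dst)]["requests_out"] += 1
        elif direction == "in" and kind == "reply":
            stats[(dst, src)]["replies_in"] += 1  # reply flows remote -> local
    return dict(stats)

def unanswered_peers(text):
    """Remote IPs that got our requests via the tunnel but never answered.
    Requests seen leaving VN-SL mean policy, route and encryption on the FortiGate
    worked; missing replies point at the remote side (return route, firewall rule)."""
    return sorted(remote for (_, remote), s in echo_summary(text).items()
                  if s["requests_out"] and not s["replies_in"])

def answered_inbound(text):
    """Remote IPs whose requests came in over the tunnel and were answered by us."""
    reqs = {src for d, src, _, kind in parse_sniffer(text) if d == "in" and kind == "request"}
    reps = {dst for d, _, dst, kind in parse_sniffer(text) if d == "out" and kind == "reply"}
    return sorted(reqs & reps)
```

On the constructed capture, `unanswered_peers` reports 10.20.0.5 (three requests out, nothing back) while `answered_inbound` shows 10.20.0.1 reaching us and getting a reply, which is exactly the asymmetry the original poster describes.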
    longtran_cntt

Thank you for your reply.

I think when I can reach the default gateway of the remote site, it means the tunnel between me (FortiGate) and the remote site (Sophos) is clear to go; the problem is why the remote site does not reply to my ICMP?

Is there a Sophos configuration problem, or a FortiGate one?


    longtran_cntt

Thanks to all, I finally found the issue and the solution. The configuration of the FortiGate site is correct; nothing needs to change. The issue is that the FortiGate does not respond to the subnet of the remote site when connecting with Sophos => so on the Sophos site the VPN must be configured as host-to-host.
    wwagdy

I have the same problem now; I can only ping the remote Sophos gateway.

I tried to change the Sophos connection type to host-to-host, but the connection is down now. Is there anything to change on the FortiGate after changing the Sophos connection type?

    Christian_89
    Contributor III

With the command "exe ping-options source" you select the interface on the FortiGate where the VPN tunnel terminates, and then with "exe ping" and the gateway of the Sophos you should see from the traffic whether the gateway on the Sophos is reachable.
