meins
New Contributor

Failing IPSec tunnel from FG to Sophos SG

Hello and good evening,
I would like to set up an IPSec tunnel between a Fortinet and a Sophos SG. The Sophos side poses no problem; on the Fortinet I am a beginner.
The Fortinet matches the Sophos in phase 1 and phase 2. IPSec is set to version 1.
For help I used the following site:

https://ictfella.com/how-to-configure-ipsec-vpn-between-fortinet-and-sophos-firewall/

It just doesn't work; the Sophos reports errors I have not seen before.

Is there a how-to somewhere, or can someone help?

Greetings
Andreas

hbac
Staff

Hi @meins,

You need to run IKE debugs on the FortiGate to find out what is wrong. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...

# diagnose vpn ike log-filter dst-addr4 [remote-peer]
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable

Regards,

kmohan
Staff

Hi,

You need to run IKE debugs on the FortiGate to find out what is wrong. Please refer to https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-IPSEC-Tunnel-debugging-IKE/ta-p/1900...

# diagnose vpn ike log-filter dst-addr4 [remote-peer]
# diagnose debug console timestamp enable
# diagnose debug application ike -1
# diagnose debug enable

Take a sniffer capture on the FortiGate:

# diagnose sniffer packet any "host x.x.x.x and host y.y.y.y" 4 0 a

x.x.x.x - source IP address
y.y.y.y - destination IP address

Check whether the traffic is going out from the FGT and whether a reply is coming back or not.

Check it and update us with the logs.

Karthick
mle2802
Staff

Hi @meins,

Can you please run the following commands and see if any error is found on the FortiGate:

diag debug reset 
diagnose vpn ike log filter rem-addr4 X.X.X.X (remote peer IP)
diagnose debug application ike  -1 
diag debug enable 

Regards,
Minh
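All three replies come down to the same procedure: filter the IKE debug to the Sophos peer, enable timestamps, run the IKE debug at level -1 and read what the negotiation says (the two filter spellings above are version differences: `diagnose vpn ike log-filter dst-addr4` on older FortiOS, `diagnose vpn ike log filter rem-addr4` on 7.4 and later). The hard part for a beginner is reading the output, because each IKEv1 retry repeats the same lines. The script below is an added example for this thread, not Fortinet code and not something any of the posters supplied: it parses captured `diagnose debug application ike -1` output and groups a handful of well-known failure messages by tunnel and by phase. The sample debug text, the tunnel name `to-sophos` and the peer addresses are constructed for the example; the signature list is a selection of messages commonly seen in FortiOS IKE debug output, not an exhaustive catalogue.

```python
"""Triage helper for FortiGate IKE debug output.

Added example (not Fortinet code): paste the text captured after
`diagnose debug application ike -1` / `diagnose debug enable` into it and it
groups the well-known failure messages by tunnel and phase, so the first
question (phase 1 or phase 2, and why?) is answered without reading every
retry by hand.
"""
import re
from collections import Counter, defaultdict

# Substrings of messages that FortiOS prints in IKE debug output, mapped to the
# phase they belong to and the usual root cause. A selection of commonly seen
# signatures, not an exhaustive catalogue; extend it as you meet new ones.
SIGNATURES = [
    ("no matching gateway for new request", "phase1",
     "no phase 1 on this FortiGate accepts the peer (remote gateway address, "
     "local interface or IKE version differs)"),
    ("no SA proposal chosen", "phase1",
     "phase 1 proposal mismatch (encryption, hash, DH group or key lifetime)"),
    ("probable pre-shared secret mismatch", "phase1",
     "pre-shared key differs between the two peers"),
    ("peer SA proposal not match local policy", "phase2",
     "phase 2 proposal or selector mismatch (subnets, PFS group, encryption/hash)"),
    ("negotiation failure", "unknown",
     "negotiation aborted; the lines just before it carry the reason"),
]

# "[timestamp] ike 0:<tunnel>:<seq>[:<tunnel>:<seq>]: <message>"; gateway-level
# lines such as "ike 0: comes a.b.c.d:500->..." carry no tunnel context at all.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+)?"
    r"ike\s+\d+:(?P<ctx>(?:[^:\s]+:?)*)\s(?P<msg>.+)$"
)


def parse_line(line):
    """Return (tunnel, message) for an IKE debug line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx = m.group("ctx").rstrip(":")
    tunnel = ctx.split(":")[0] if ctx else "<no tunnel>"
    return tunnel, m.group("msg")


def classify(message):
    """Map one debug message to (phase, cause), or None if it is not a known failure."""
    for needle, phase, cause in SIGNATURES:
        if needle in message:
            return phase, cause
    return None


def triage(debug_output):
    """Count known failure signatures per tunnel.

    Returns {tunnel: Counter({(phase, cause): occurrences})}.
    """
    findings = defaultdict(Counter)
    for line in debug_output.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        tunnel, message = parsed
        hit = classify(message)
        if hit:
            findings[tunnel][hit] += 1
    return findings


def report(findings):
    """Render the triage result as text, most frequent signature first."""
    out = []
    for tunnel in sorted(findings):
        out.append(f"tunnel {tunnel}:")
        for (phase, cause), n in findings[tunnel].most_common():
            out.append(f"  [{phase}] x{n}: {cause}")
    return "\n".join(out) or "no known failure signatures found"


# Constructed sample (documentation addresses, made-up tunnel name): two IKEv1
# main-mode attempts rejected in phase 1, then one phase 2 selector mismatch.
SAMPLE = """\
2024-05-01 20:15:03 ike 0: comes 198.51.100.2:500->203.0.113.1:500,ifindex=3,vrf=0
2024-05-01 20:15:03 ike 0: IKEv1 exchange=Identity Protection id=3f7e1c2a9d0b4e55/0000000000000000 len=260
2024-05-01 20:15:03 ike 0:to-sophos:15: responder: main mode get 1st message...
2024-05-01 20:15:03 ike 0:to-sophos:15: no SA proposal chosen
2024-05-01 20:15:03 ike 0:to-sophos:15: negotiation failure
2024-05-01 20:15:08 ike 0: comes 198.51.100.2:500->203.0.113.1:500,ifindex=3,vrf=0
2024-05-01 20:15:08 ike 0:to-sophos:16: no SA proposal chosen
2024-05-01 20:15:08 ike 0:to-sophos:16: negotiation failure
2024-05-01 20:16:30 ike 0:to-sophos:17:to-sophos:2: peer SA proposal not match local policy
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE)))
```

Read the result together with the sniffer from the second reply: the sniffer tells you whether UDP 500 (and 4500 behind NAT) actually reaches the FortiGate and whether it answers, the debug tells you why the negotiation is refused. With IKEv1 main mode a proposal mismatch and a wrong pre-shared key look similar from the Sophos side, which is why the FortiGate debug, not the Sophos log, is the place to settle it.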
