Moxeq
New Contributor II

FortiGate x Sophos IPsec VPN with overlapping subnet behind sophos

Hello, 

There is an IPsec site-to-site tunnel between the two firewalls. The subnet behind the FortiGate is 192.168.111.0/24 and behind the Sophos it is 192.168.2.0/24; however, the latter is NATed to 10.203.40.0/24 because there is a route to the same subnet (2.0/24) on the FortiGate. The tunnel is up and the connection should be fine, however when I try to ping, only one or two pings are delivered, and only when I bring the tunnel down and up. I took a sniffer capture on 192.168.111.12/24 when pinging 10.203.40.10: the packet goes out from the FortiGate but never returns. Note that the ISP router after the Sophos firewall is NOT configured as a bridge; I don't know if that causes the issue. Can you please advise me?


MoX, Cybersecurity Engineer
xsilver_FTNT
Staff

Hi @Moxeq 


1. I'd suggest opening a technical ticket with Fortinet Support and providing a more detailed network diagram, the FortiGate's config and any debug outputs, like an IKE debug from the FortiGate, in it.


2. My second piece of advice would be to avoid any overlapping networks. So re-address your network to avoid those overlaps. Avoid the need for NAT between private addresses and keep things purely routed.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Moxeq
New Contributor II

Hi Tom xSilver,

Thanks for your response.


I will open a ticket with the TAC.

Regarding the NAT configuration, unfortunately it is a must from the Sophos side, because I have a route on the core switch behind the FortiGate to the same subnet!


Do you suggest any other solutions?


And I want to ask whether the ISP router after the Sophos firewall could cause the ping issue, since it is not configured as a bridge; maybe it causes double NAT or something like that.


And I cannot understand why the first two packets are delivered and the ping works, then goes down.

MoX, Cybersecurity Engineer
IT_Ahan2
New Contributor III

Do a packet capture on the Sophos and check which IP range is showing.

mle2802
Staff

Hi there,

Can you try to run a debug flow on the FortiGate when pinging 10.203.40.10, using the following commands:

diag debug reset
diag debug flow filter addr 10.203.40.10
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

If the traffic is passing through the IPsec tunnel correctly, try to run a sniffer on the other side to see whether the packet arrives and is replied to or not.

Please also refer to this document for overlapping IPsec tunnels: "https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/426761/site-to-site-vpn-with...

Regards,
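To make the "did the reply ever come back" comparison concrete, here is an added Python example (not from this thread, nor Fortinet's or Sophos' code) that correlates ICMP echo requests and replies in `diagnose sniffer packet any "icmp" 4` output and lists pings that left the firewall without a matching reply. The capture lines, the tunnel interface name "ToSophos" and the exact line format are constructed assumptions; compare the regex against your own capture.

```python
import re
from collections import defaultdict
# One line of `diagnose sniffer packet any "icmp" 4` output: timestamp, interface,
# direction, src -> dst, ICMP type. Format is an assumption; compare with your capture.
LINE = re.compile(
    r"^\S+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$"
)

def correlate_pings(lines):
    """Per (pinger, target): echo requests that left the firewall ('out'), echo replies
    that came back in ('in'), and the interfaces each was seen on."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0,
                                 "req_ifaces": set(), "rep_ifaces": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip banner/summary lines
        if m["kind"] == "request":
            entry = stats[(m["src"], m["dst"])]
            if m["dir"] == "out":
                entry["requests"] += 1   # count once, on egress
            entry["req_ifaces"].add(m["iface"])
        else:
            entry = stats[(m["dst"], m["src"])]  # reply is keyed by the original sender
            if m["dir"] == "in":
                entry["replies"] += 1
            entry["rep_ifaces"].add(m["iface"])
    return dict(stats)

def unanswered(stats):
    """Pairs where requests left but fewer replies returned: the break is beyond this box."""
    return {pair: v for pair, v in stats.items() if v["requests"] > v["replies"]}

# Constructed sample mirroring the thread: 192.168.111.12 pings 10.203.40.10 over an
# IPsec interface assumed to be named "ToSophos". Ping 1 is answered, pings 2 and 3 are not.
SAMPLE = """\
0.001 port2 in 192.168.111.12 -> 10.203.40.10: icmp: echo request
0.002 ToSophos out 192.168.111.12 -> 10.203.40.10: icmp: echo request
0.040 ToSophos in 10.203.40.10 -> 192.168.111.12: icmp: echo reply
0.041 port2 out 10.203.40.10 -> 192.168.111.12: icmp: echo reply
1.001 port2 in 192.168.111.12 -> 10.203.40.10: icmp: echo request
1.002 ToSophos out 192.168.111.12 -> 10.203.40.10: icmp: echo request
2.001 port2 in 192.168.111.12 -> 10.203.40.10: icmp: echo request
2.002 ToSophos out 192.168.111.12 -> 10.203.40.10: icmp: echo request
""".splitlines()
if __name__ == "__main__":
    for (src, dst), v in unanswered(correlate_pings(SAMPLE)).items():
        print(f"{src} -> {dst}: {v['requests']} sent via {sorted(v['req_ifaces'])}, "
              f"{v['replies']} replies seen on {sorted(v['rep_ifaces'])}")
```

If requests show up on the tunnel interface as "out" but replies never appear as "in" on it, the FortiGate side is doing its part and the same check on the Sophos capture shows whether the NATed 10.203.40.x reply is being sent back into the tunnel at all.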
