New Contributor

FortiGate x Sophos IPsec VPN with overlapping subnet behind sophos


There is an IPsec site-to-site tunnel between the two firewalls. The subnet behind the FortiGate is and behind Sophos is ; however, the latter is NATed to because there is a route to the same subnet (2.0/24) on the FortiGate. The tunnel is up and the connection should be fine; however, when I try to ping, only one or two pings are delivered, and only when I bring the tunnel down and up. I took a sniffer capture on when I try to ping to , and it goes out from the FortiGate but is never returned. Note that the ISP router after the Sophos firewall is NOT configured as a bridge; I don't know if that causes the issue. Can you please advise me?



Hi @Moxeq 


1. I'd suggest opening a technical ticket with Fortinet Support and providing a more detailed network diagram, the FortiGate's config and any debug outputs, like the IKE debug from the FortiGate, in it.


2. My second piece of advice would be to avoid any overlapping networks. Re-address your network to avoid those overlaps, avoid the need for NAT between private addresses, and keep things purely routed.


Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC L3 Escalations engineer


Hi Tom xSilver,

thanks for your response.


I will open a ticket with the TAC.

Regarding the NAT configuration, unfortunately it is a must from the Sophos side, because I have a route on the core switch behind the FortiGate to the same subnet!


Do you suggest any other solutions?


And I want to ask whether the ISP router after the Sophos firewall could cause the ping issue, since it is not configured as a bridge; maybe it causes double NAT or something like that.


And I cannot understand why the first two packets are delivered and the ping works, then goes down.

New Contributor III

Do a packet capture on Sophos and check which IP range is showing.


Hi there,

Can you try to run debug flow on the FortiGate when pinging, using the following commands:

diag debug reset
diag debug flow filter addr
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999

If the traffic is passing through the IPsec tunnel correctly, try to run a sniffer on the other side to see if the packet arrives and is being replied to or not.

Please also refer to this document for overlapping IPsec tunnels "
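The debug flow trace from the commands above produces many lines per packet, and the question this thread is really asking is simple: did each echo request leave through the tunnel, and did a matching echo reply ever come back? The script below is an added example (not from the thread, not Fortinet's or Sophos's code) that pairs ICMP echo requests with replies by ICMP id/seq and reports which requests got no reply and which interface they left on. The sample trace is constructed for this example and only modelled on the general shape of FortiGate debug flow messages; the exact message text on a given FortiOS build may differ, so the regular expressions are assumptions to adjust against your own output. The interface name to-sophos and the addresses are placeholders.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the shape of "diag debug flow" output.
# It is NOT captured from the poster's FortiGate. Scenario: three echo
# requests leave via the IPsec interface, only seq=1 is ever answered.
SAMPLE_TRACE = """\
2024-01-01 10:00:01 id=20085 trace_id=1 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.168.1.10:1->192.168.3.10:2048) from port2. type=8, code=0, id=1, seq=1."
2024-01-01 10:00:01 id=20085 trace_id=1 func=init_ip_session_common line=5524 msg="allocate a new session-0000a1b2"
2024-01-01 10:00:01 id=20085 trace_id=1 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-0.0.0.0 via to-sophos"
2024-01-01 10:00:01 id=20085 trace_id=1 func=fw_forward_handler line=697 msg="Allowed by Policy-5:"
2024-01-01 10:00:01 id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-to-sophos"
2024-01-01 10:00:01 id=20085 trace_id=2 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.168.3.10:1->192.168.1.10:0) from to-sophos. type=0, code=0, id=1, seq=1."
2024-01-01 10:00:01 id=20085 trace_id=2 func=resolve_ip_tuple_fast line=5460 msg="Find an existing session, id-0000a1b2, reply direction"
2024-01-01 10:00:02 id=20085 trace_id=3 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.168.1.10:1->192.168.3.10:2048) from port2. type=8, code=0, id=1, seq=2."
2024-01-01 10:00:02 id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5460 msg="Find an existing session, id-0000a1b2, original direction"
2024-01-01 10:00:02 id=20085 trace_id=3 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-to-sophos"
2024-01-01 10:00:03 id=20085 trace_id=4 func=print_pkt_detail line=5375 msg="vd-root received a packet(proto=1, 192.168.1.10:1->192.168.3.10:2048) from port2. type=8, code=0, id=1, seq=3."
2024-01-01 10:00:03 id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5460 msg="Find an existing session, id-0000a1b2, original direction"
2024-01-01 10:00:03 id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=789 msg="enter IPsec interface-to-sophos"
"""

# Assumed message shapes; adjust to the wording your FortiOS build prints.
LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(
    r'received a packet\(proto=(?P<proto>\d+), '
    r'(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) '
    r'from (?P<iface>\S+?)\. '
    r'type=(?P<type>\d+), code=\d+, id=(?P<id>\d+), seq=(?P<seq>\d+)\.'
)
ROUTE_RE = re.compile(r'find a route: .* via (?P<via>\S+)')
IPSEC_RE = re.compile(r'enter IPsec interface-(?P<iface>.+)$')


def parse_trace(text):
    """Group debug-flow lines by trace_id and return one record per ICMP packet."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            traces.setdefault(m['trace'], []).append(m['msg'])

    packets = []
    for trace_id, msgs in traces.items():
        pkt = None
        for msg in msgs:
            pm = PKT_RE.search(msg)
            if pm and pm['proto'] == '1':          # proto=1 is ICMP
                pkt = {'trace_id': trace_id, 'src': pm['src'], 'dst': pm['dst'],
                       'in_iface': pm['iface'], 'type': int(pm['type']),
                       'id': int(pm['id']), 'seq': int(pm['seq']),
                       'route_via': None, 'ipsec_iface': None}
                packets.append(pkt)
                continue
            if pkt is None:
                continue                           # lines before the packet header
            rm = ROUTE_RE.search(msg)
            if rm:
                pkt['route_via'] = rm['via']
            im = IPSEC_RE.search(msg)
            if im:
                pkt['ipsec_iface'] = im['iface']
    return packets


def match_echoes(packets):
    """Pair echo requests (type 8) with echo replies (type 0) on (id, seq)."""
    requests = OrderedDict()
    replies = set()
    for p in packets:
        key = (p['id'], p['seq'])
        if p['type'] == 8:
            requests[key] = p
        elif p['type'] == 0:
            replies.add(key)
    answered = [k for k in requests if k in replies]
    unanswered = [k for k in requests if k not in replies]
    return answered, unanswered, requests


def summarize(text):
    """Return which ping sequence numbers were answered and where the rest went."""
    answered, unanswered, requests = match_echoes(parse_trace(text))
    egress = {requests[k]['ipsec_iface'] or requests[k]['route_via'] for k in unanswered}
    return {'answered_seq': [seq for _, seq in answered],
            'unanswered_seq': [seq for _, seq in unanswered],
            'unanswered_egress': sorted(e for e in egress if e)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Run it against a saved trace instead of SAMPLE_TRACE to get the same three answers. If the unanswered requests all show the IPsec interface as egress, the FortiGate did its part and the reply was lost on the far side or in between; that is exactly the point where the packet capture on the Sophos side (the other reply's suggestion) shows whether the NATed address is being reached and answered. If requests show no IPsec interface at all, the route lookup or policy on the FortiGate is the place to look first.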