FortiGate x Sophos IPsec VPN with overlapping subnet behind sophos
There is an IPsec site-to-site tunnel between the two firewalls. The subnet behind the firewall is 192.168.111.0/24 and behind Sophos is 192.168.2.0/24; however, the last one is NATed to 10.203.40.0/24 because there is a route to the same subnet (2.0/24) on the FortiGate. The tunnel is up and the connection should be fine; however, when I try to ping, only one or two pings are delivered, and only when I bring the tunnel down and up. I took a sniffer on 192.168.111.12/24 when I try to ping 10.203.40.10, and it goes out from the FortiGate but never returns. Note that the ISP router after the Sophos firewall is NOT configured as a bridge; don’t know if that causes the issue. Can you please advise me?
Can you try to run debug flow on FortiGate when pinging 10.203.40.10 using the following commands:
diag debug reset
diag debug flow filter addr 10.203.40.10
diag debug flow filter proto 1
diag debug flow show ip en
diag debug flow show func en
diag debug console time ena
diag debug ena
diag debug flow trace start 999
If the traffic is passing through the IPsec tunnel correctly, try to run a sniffer on the other side to see whether the packet arrives and is replied to or not.
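Added example, not part of the reply above: a FortiGate-side capture that complements the debug flow. It shows the ICMP echo leaving and whether any reply comes back on the tunnel interface, which separates a one-way path (reply never built or never routed on the Sophos/NAT side) from a local policy or routing drop. It assumes the NATed host 10.203.40.10 from the question and a placeholder phase1 name.

```fortios
# Capture ICMP to/from the NATed peer on all interfaces.
# verbose 4 prints the interface name with each packet, so the request
# should appear on the LAN port and then on the phase1 tunnel interface;
# a reply, if any, appears in the opposite order. count 0 = run until Ctrl-C,
# l = local timestamps.
diagnose sniffer packet any 'host 10.203.40.10 and icmp' 4 0 l

# Confirm the SA selectors cover the NATed range and that the decrypt
# counters move while pinging (replace <phase1-name> with the tunnel name).
diagnose vpn tunnel list name <phase1-name>
```

If the request is seen on the tunnel interface but no reply ever shows up in the capture, the problem is on the Sophos side (the 192.168.2.0/24 to 10.203.40.0/24 NAT or its return route), not on the FortiGate; if the reply arrives but debug flow reports it dropped, compare the reply's source address with the tunnel's selectors and the firewall policy.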