Hello,
We tried to configure an IPsec tunnel with Sophos XG. The tunnel will not come up until we configure the Remote ID in Sophos, which is the WAN physical interface IP address of the FortiGate. The issue is that when a failover happens, the slave device has a different WAN physical interface IP, so the IPsec will fail again. I tried to configure the Local ID to force the tunnel to use the same IP address so it will not change when failover happens, but this option doesn't work.
Just to make sure, you configured local-ID on FortiGate and then used that value as remote-ID on Sophos?
If so, can you share the error you are getting?
Your configuration doesn't sound correct. If you're in an HA active-passive setup, how is the wan1 interface changed? What is your config?
Also, in the case you describe, with different addresses, I highly doubt you will get a hitless IPsec failover, IMHO.
Ken Felix
PCNSE
NSE
StrongSwan
Sounds like your cluster setup is botched. All interfaces, when active, use identical IP and MAC addresses. That is, when the cluster fails over from the primary to the secondary unit, the addresses of all ports in use are transferred, in order to avoid exactly the issue you are facing.
For this to happen, you need to run all connections to the FGT through switches: one cable from FGT1, one from FGT2 and one into the network, on an isolated switch or switch port group. This is clearly described in the HA chapter of the User's Guide.
If you still have questions, please post the setup of your cluster as an image here.
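As an added illustration (not part of the thread, and not a verified config from either poster), here is a FortiOS CLI sketch of the two pieces the replies point at: an active-passive cluster whose monitored WAN interface keeps one shared IP across failover, and a phase1 with an explicit local ID so the Sophos side sees the same identity from whichever unit is active. Interface names, addresses, the tunnel name and the secrets are placeholders; the command names are assumed from FortiOS documentation.

```text
# Added example, FortiOS CLI (assumed syntax; names/addresses are placeholders)
# 1. HA: both units share one configuration, so the WAN IP below exists once
#    and moves with the active unit. Both units must reach wan1 through the
#    same switch segment for this to work.
config system ha
    set mode a-p
    set group-name "fgt-cluster"          # identical on both units
    set password "<cluster-secret>"       # placeholder
    set hbdev "port4" 50                  # dedicated heartbeat link
    set monitor "wan1"                    # fail over if wan1 goes down
    set override disable                  # avoid flapping back on recovery
end

# 2. wan1 is configured once; the secondary inherits it and takes over the IP
config system interface
    edit "wan1"
        set ip 203.0.113.10 255.255.255.0   # documentation-range placeholder
    next
end

# 3. Phase1: pin the identity sent in IKE to the shared cluster address
config vpn ipsec phase1-interface
    edit "to-sophos"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.5          # Sophos XG WAN IP (placeholder)
        set localid-type address            # send an address-type local ID
        set localid "203.0.113.10"          # the shared cluster WAN IP
        set psksecret "<psk>"               # placeholder
    next
end
```

The Sophos side then keeps its Remote ID at the shared address (203.0.113.10 here). If the secondary unit still shows a different WAN address after failover, the cluster is not actually sharing its configuration, which is the cabling or HA-setup fault the replies above describe rather than an IPsec problem.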
Copyright 2024 Fortinet, Inc. All Rights Reserved.