Hi all,
Has someone successfully set up an IPsec VPN between Sophos and FortiGate? If somebody can post a working configuration, I would appreciate it.
Hi yns_sa
Please elaborate on the issue you are facing with IPsec between FortiGate and Sophos.
Are you looking for a document explaining the config on the devices, or have you done the required config and the tunnel is not coming up or working as expected?
Thanks
Hi Team,
Please execute the commands below on the FortiGate firewall:
diag vpn ike log-filter dst-addr4 a.b.c.d (where a.b.c.d is the remote sophos public ip)
diag debug application ike -1
diag debug enable
Please try to bring the tunnel up again, and then collect the logs.
Once you have the required logs, you can disable debugging by executing the command "diag debug disable".
Please share the output with us.
Yeah, logs would be good (though even with them IPsec debugging is sometimes a pain in the a** [which is not Fortinet's fault but more one of IPsec itself]).
A log from your Sophos VPN would probably also be helpful, because it depends on which side the issue happens. If the error occurs on the Sophos side you might not see a clue of it in the FGT logs.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi all,
Find attached all logs from Fortinet and Sophos.
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: created connection: 0x5519690 7 10.10.20.2->196.206.X.X:500.
ike 0:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
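The excerpt above shows only outbound main-mode packets, P1_RETRANSMIT lines and finally "negotiation timeout": the FortiGate keeps resending its first message and never logs anything coming back. The Python below is an added triage helper written for this thread (not FortiGate tooling and not the poster's code): it counts those phase 1 events in a debug excerpt and separates "the peer never answered" from "the peer answered but phase 1 still failed". The sample log text is constructed to match the shape of the lines posted above, with the peer address masked as on the page; the "comes" marker used for inbound packets is my assumption about FortiOS ike debug output and does not appear on this page.

```python
import re
from collections import Counter

# Constructed sample in the shape of the "diag debug application ike -1" output
# posted in this thread (peer address masked as on the page). Not a real capture.
SAMPLE_PEER_SILENT = """\
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
"""

# Second constructed sample: the peer does answer ("comes" is assumed here to be
# how FortiOS logs an inbound IKE packet; it is not shown on this page), but
# phase 1 still times out.
SAMPLE_PEER_ANSWERS = """\
ike 0:vpn_sophos:52510: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=0a0b0c0d0e0f0102/0000000000000000
ike 0: comes 196.206.X.X:500->10.10.20.2:500,ifindex=3....
ike 0:vpn_sophos:52510: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=0a0b0c0d0e0f0102/0000000000000000
ike 0:vpn_sophos:52510: negotiation timeout, deleting
"""

SENT_RE = re.compile(r"sent IKE msg \((?P<kind>[^)]+)\)")
# Inbound markers: "ike 0: comes ..." (assumed) or a raw ": in <hex>" dump line.
INBOUND_RE = re.compile(r"^ike \d+: comes |:\d+: in [0-9A-Fa-f]+$")

ADVICE = {
    "peer-silent": ("nothing came back from the peer: verify reachability and that UDP 500/4500 "
                    "and ESP are permitted end to end (the sniffer command in this thread shows it)"),
    "negotiation-failed": ("the peer answered but phase 1 never completed: compare the phase 1 "
                           "proposal, pre-shared key and peer IDs on both sides"),
    "no-phase1-failure": "no phase 1 retransmits or timeouts in this excerpt",
}


def classify(line):
    """Map one ike debug line to an event name, or None if it is not an ike line."""
    if not line.startswith("ike "):
        return None
    m = SENT_RE.search(line)
    if m:
        return "retransmit" if m.group("kind") == "P1_RETRANSMIT" else "sent"
    if INBOUND_RE.search(line):
        return "inbound"
    if "negotiation timeout" in line:
        return "timeout"
    if "is sending 1st message" in line:
        return "p1_start"
    return "other"


def triage(log_text):
    """Count phase 1 events in a debug excerpt and derive a first-pass verdict."""
    counts = Counter()
    for line in log_text.splitlines():
        event = classify(line.strip())
        if event:
            counts[event] += 1
    if counts["retransmit"] and not counts["inbound"]:
        verdict = "peer-silent"
    elif counts["timeout"]:
        verdict = "negotiation-failed"
    else:
        verdict = "no-phase1-failure"
    return {"counts": dict(counts), "verdict": verdict, "advice": ADVICE[verdict]}


if __name__ == "__main__":
    for name, sample in (("peer silent", SAMPLE_PEER_SILENT), ("peer answers", SAMPLE_PEER_ANSWERS)):
        r = triage(sample)
        print(f"{name}: {r['verdict']} {r['counts']}\n  -> {r['advice']}")
```

Run it against a saved debug capture (`python3 ike_triage.py < capture.txt` after replacing the samples with `sys.stdin.read()`): a "peer-silent" verdict means the next step is the packet sniffer, not the proposal settings, because no IKE reply ever reached the FortiGate.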
Hi there,
I noticed the error below:
ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
Most probably the issue is with the Phase 2 subnet.
Please make sure both sides, FortiGate and Sophos, are configured with the same information. Avoid using the 0.0.0.0/0 segment, as it may not be "compatible" with Sophos negotiating the proper segment.
I don't use 0.0.0.0/0; I made the correct subnets on both sides.
This is the configuration that I configured on both sides:
How to config IPSec VPN Site-to-Site between Sophos and Fortinet with WAN IP as static IP – Techbast
Hi yns_sa,
1. Make sure the phase 1 and phase 2 IPsec proposals (DH group, authentication, encryption and key life) are the same on both ends.
2. Run the sniffer command below and see whether UDP port 500 communication is happening between the two peers:
fgt# dia sniffer packet any "host x.x.x.x and (port 500 or port 4500)" 4 0 l
Replace x.x.x.x with your remote peer IP.
If you are not seeing the reverse traffic from the remote peer, please cross-check whether UDP ports 500 and 4500 and ESP packets are allowed by the ISPs at both ends.
If there is a response, run the debug commands below and capture the IKE debug logs:
diag vpn ike log-filter dst-addr4 x.x.x.x (where x.x.x.x is the remote sophos public ip)
diag debug application ike -1
diag debug enable
Please try to bring the tunnel up again, and then collect the logs.
Once you have the required logs, you can disable debugging by executing the command "diag debug disable".
Please share the output with us.
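Step 1 above says the phase 1 proposal has to match on both ends. The debug output posted earlier in this thread already contains the exact proposal the FortiGate is offering, in the hex dump on the ":52504: out ..." line, so it can be decoded and compared against the Sophos phase 1 settings without guessing. The following decoder is an added example written for this thread (not FortiGate or Sophos tooling): it parses the ISAKMP header, the SA payload's transform attributes and the Vendor ID payloads of that packet. The hex dump is copied from the page; the attribute and value names come from RFC 2409 Appendix A and the IANA IKEv1 registries; the two vendor ID names are the DPD vendor ID from RFC 3706 and the widely used IKE fragmentation vendor ID, and any vendor ID not in that small table is reported as unknown.

```python
import struct

# The first main-mode packet the FortiGate sent, as logged on the ":52504: out ..."
# line in this thread (168 bytes). Split into chunks only for readability.
P1_HEX = (
    "512F40F8C4CD944200000000000000000110020000000000000000A8"      # ISAKMP header
    "0D00003800000001000000010000002C010100010000002401010000"      # SA, proposal, transform headers
    "800B0001800C151880010007800E010080030001800200048004000E"      # 7 transform attributes
    "0D000014AFCAD71368A1F1C96B8696FC77570100"                      # Vendor ID
    "0D0000144048B7D56EBCE88525E7DE7F00D6C2D3"                      # Vendor ID
    "0D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000"              # Vendor ID
    "000000148299031757A36082C6A621DE00000000"                      # Vendor ID (last payload)
)

PAYLOAD_SA, PAYLOAD_VID = 1, 13
EXCHANGE_TYPES = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
# IKEv1 phase 1 attribute types and values (RFC 2409 Appendix A, IANA registry).
ATTR_NAMES = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 3: "Authentication-Method",
              4: "Group-Description", 11: "Life-Type", 12: "Life-Duration", 14: "Key-Length"}
ATTR_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"},
    3: {1: "pre-shared key", 3: "RSA signature"},
    4: {2: "MODP-1024 (DH2)", 5: "MODP-1536 (DH5)", 14: "MODP-2048 (DH14)"},
    11: {1: "seconds", 2: "kilobytes"},
}
VENDOR_IDS = {  # keyed on the first 16 bytes of the vendor ID
    "afcad71368a1f1c96b8696fc77570100": "Dead Peer Detection v1.0 (RFC 3706)",
    "4048b7d56ebce88525e7de7f00d6c2d3": "IKE fragmentation",
}


def parse_attributes(data):
    """Decode transform attributes: TV form (AF bit set) or TLV form."""
    attrs, off = {}, 0
    while off < len(data):
        raw_type, val = struct.unpack_from(">HH", data, off)
        off += 4
        if raw_type & 0x8000:                       # AF bit: 2-byte value inline
            atype, value = raw_type & 0x7FFF, val
        else:                                       # TLV: val is the length of the value
            atype, value = raw_type, int.from_bytes(data[off:off + val], "big")
            off += val
        attrs[ATTR_NAMES.get(atype, f"attr-{atype}")] = ATTR_VALUES.get(atype, {}).get(value, value)
    return attrs


def parse_sa(body):
    """Walk the SA payload body: DOI, situation, proposals and their transforms."""
    doi, _situation = struct.unpack_from(">II", body, 0)
    transforms, off = [], 8
    while off < len(body):
        _np, _res, plen, pnum, _proto, spi_size, ntrans = struct.unpack_from(">BBHBBBB", body, off)
        toff = off + 8 + spi_size
        for _ in range(ntrans):
            _tnp, _tres, tlen, tnum, _tid = struct.unpack_from(">BBHBB", body, toff)
            transforms.append({"proposal": pnum, "transform": tnum,
                               "attributes": parse_attributes(body[toff + 8:toff + tlen])})
            toff += tlen
        off += plen
    return {"doi": doi, "transforms": transforms}


def decode_isakmp(hex_dump):
    """Decode an IKEv1 packet from the hex the FortiGate prints on ': out' / ': in' lines."""
    pkt = bytes.fromhex(hex_dump)
    icky, rcky, next_payload, version, exch, _flags, msg_id, length = struct.unpack_from(">8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"header length {length} does not match dump length {len(pkt)}")
    result = {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
              "version": f"{version >> 4}.{version & 0xF}", "exchange": EXCHANGE_TYPES.get(exch, exch),
              "message_id": msg_id, "length": length, "sa": None, "vendor_ids": []}
    np, off = next_payload, 28
    while np != 0 and off < len(pkt):             # generic payload chain
        nxt, _res, plen = struct.unpack_from(">BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        if np == PAYLOAD_SA:
            result["sa"] = parse_sa(body)
        elif np == PAYLOAD_VID:
            result["vendor_ids"].append((body.hex(), VENDOR_IDS.get(body.hex()[:32], "unknown")))
        np, off = nxt, off + plen
    return result


if __name__ == "__main__":
    r = decode_isakmp(P1_HEX)
    print(f"IKEv{r['version']} {r['exchange']}, initiator cookie {r['initiator_cookie']}")
    for t in r["sa"]["transforms"]:
        print(f"proposal {t['proposal']} transform {t['transform']}: {t['attributes']}")
    for vid, name in r["vendor_ids"]:
        print(f"vendor id {vid}: {name}")
```

For the packet in this thread the transform decodes to AES-CBC with a 256-bit key, SHA2-256, pre-shared key authentication, DH group 14 and a 5400-second lifetime; that is the list to check line by line against the Sophos phase 1 policy. The same function works on any ": out" or ": in" hex line from the debug output, so a reply from the peer (once the sniffer shows one arriving) can be decoded the same way to see what the other side accepted.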
This is the output of diag vpn ike log-filter dst-addr4 x.x.x.x (where x.x.x.x is the remote Sophos public IP)
diag debug application ike -1
diag debug enable
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: out F15ECABF7640EF0E00000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52503: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=f15ecabf7640ef0e/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52503: negotiation timeout, deleting
ike 0:vpn_sophos: connection expiring due to phase1 down
ike 0:vpn_sophos: deleting
ike 0:vpn_sophos: deleted
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: created connection: 0x5519690 7 10.10.20.2->196.206.X.X:500.
ike 0:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:500 negotiating
ike 0:vpn_sophos: no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
ike 0:vpn_sophos:52504: initiator: main mode is sending 1st message...
ike 0:vpn_sophos:52504: cookie 512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (ident_i1send): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue
ike 0:vpn_sophos:52504: out 512F40F8C4CD944200000000000000000110020000000000000000A80D00003800000001000000010000002C010100010000002401010000800B0001800C151880010007800E010080030001800200048004000E0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000
ike 0:vpn_sophos:52504: sent IKE msg (P1_RETRANSMIT): 10.10.20.2:500->196.206.X.X:500, len=168, id=512f40f8c4cd9442/0000000000000000
ike 0:vpn_sophos:vpn_sophos: IPsec SA connect 7 10.10.20.2->196.206.X.X:0
ike 0:vpn_sophos:vpn_sophos: using existing connection
ike 0:vpn_sophos:vpn_sophos: config found
ike 0:vpn_sophos: request is on the queue