timchen
New Contributor II

Site-to-site VPN traffic between Sophos and FortiGate not being forwarded

I have 2 offices: Site A runs Sophos and Site B runs a FortiGate. I have established a site-to-site VPN between the two sites. The tunnel between the two sites is UP, but the tunnel interface IPs cannot ping each other and the two sites cannot ping each other. The server at each site cannot ping the opposite endpoint.

The following is relevant information:
[Screenshot attached: Screenshot 2024-10-14 at 7.09.38 PM.png]
Site A (Sophos)

  • WAN IP : 11.11.11.11
  • LAN IP Subnet : 172.29.21.0/24, Server IP: 172.29.21.11 (LAN Gateway under Sophos Firewall)
  • Tunnel Interface IP : 10.212.0.1/29
  • Firewall Policy: Accept LAN(172.29.21.0/24) to VPN(10.210.101.0/24)

Site B (Fortigate)

  • WAN IP : 22.22.22.22
  • LAN IP Subnet : 10.210.101.0/24, Server IP: 10.210.101.11 (LAN Gateway under Fortigate Firewall)
  • Tunnel Interface IP : 10.212.0.6/29
  • Static Route: 172.29.21.0/24 via interface S2S_DCOF_M
  • Firewall Policy: Accept LAN(10.210.101.0/24) to S2S_DCOF_M(172.29.21.0/24)

  (FortiGate IPsec tunnel status below)

[Screenshot attached: Screenshot 2024-10-14 at 7.06.17 PM.png]

Here I'm using route-based to establish the site-to-site VPN connection; I've also tried policy-based, but neither worked, and I'm not sure if I'm missing any settings.

I can't ping from the tunnel interface 10.212.0.1 to 10.212.0.6, nor does the reverse ping from 10.212.0.6 to 10.212.0.1 work.

I also tried mtr from the server; according to the server's mtr trace, the packets stop at the FortiGate's LAN gateway.

[Screenshot attached: Screenshot 2024-10-14 at 7.18.10 PM.png]

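As an added example (not part of the original post or of either vendor's tooling), the following Python script encodes the addressing plan listed above and checks the preconditions for LAN-to-LAN reachability over a route-based tunnel: both tunnel addresses in one subnet, a route for the remote LAN pointing at the tunnel interface on each side, and a firewall policy in each direction (the LAN-to-tunnel policy covers sessions the local LAN starts; a tunnel-to-LAN policy is needed for sessions the remote LAN starts, since only replies ride the existing session). The interface labels LAN and VPN on the Sophos side and LAN on the FortiGate side are assumed names, and anything the post does not list (for example a Sophos route to 10.210.101.0/24) is treated as absent.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Policy:
    src_if: str   # ingress interface
    dst_if: str   # egress interface
    src: str      # source address object, as a prefix
    dst: str      # destination address object, as a prefix


@dataclass
class Site:
    name: str
    lan: str
    lan_if: str
    tunnel_if: str
    tunnel_ip: str                                        # tunnel address with prefix length
    routes: Dict[str, str] = field(default_factory=dict)  # destination prefix -> interface
    policies: List[Policy] = field(default_factory=list)


def covers(prefix: str, subnet: str) -> bool:
    """True when `subnet` lies entirely inside `prefix`."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(prefix))


def has_policy(site: Site, src_if: str, dst_if: str, src: str, dst: str) -> bool:
    """True when some policy on `site` accepts src->dst between the given interfaces."""
    return any(p.src_if == src_if and p.dst_if == dst_if
               and covers(p.src, src) and covers(p.dst, dst) for p in site.policies)


def check_site(local: Site, remote: Site) -> List[str]:
    """Return the preconditions `local` is missing for traffic to and from `remote`."""
    findings = []
    # 1. Tunnel addresses must share one subnet, or the interface-to-interface ping cannot work.
    if ipaddress.ip_interface(local.tunnel_ip).network != ipaddress.ip_interface(remote.tunnel_ip).network:
        findings.append(f"{local.name}: tunnel IP {local.tunnel_ip} not in the same subnet as {remote.tunnel_ip}")
    # 2. The remote LAN must be routed into the tunnel interface.
    if not any(covers(dst, remote.lan) and via == local.tunnel_if for dst, via in local.routes.items()):
        findings.append(f"{local.name}: no route for {remote.lan} via {local.tunnel_if}")
    # 3. Outbound policy LAN -> tunnel for sessions the local LAN initiates.
    if not has_policy(local, local.lan_if, local.tunnel_if, local.lan, remote.lan):
        findings.append(f"{local.name}: no policy {local.lan_if}->{local.tunnel_if} for {local.lan} to {remote.lan}")
    # 4. Inbound policy tunnel -> LAN for sessions the remote LAN initiates (replies ride the session).
    if not has_policy(local, local.tunnel_if, local.lan_if, remote.lan, local.lan):
        findings.append(f"{local.name}: no policy {local.tunnel_if}->{local.lan_if} for {remote.lan} to {local.lan}")
    return findings


def check_pair(a: Site, b: Site) -> List[str]:
    """Check both directions of a site pair."""
    return check_site(a, b) + check_site(b, a)


# Values as listed in the post; the interface labels LAN and VPN are assumed names.
SITE_A = Site("Sophos", "172.29.21.0/24", "LAN", "VPN", "10.212.0.1/29",
              policies=[Policy("LAN", "VPN", "172.29.21.0/24", "10.210.101.0/24")])
SITE_B = Site("FortiGate", "10.210.101.0/24", "LAN", "S2S_DCOF_M", "10.212.0.6/29",
              routes={"172.29.21.0/24": "S2S_DCOF_M"},
              policies=[Policy("LAN", "S2S_DCOF_M", "10.210.101.0/24", "172.29.21.0/24")])

if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B) or ["no gaps found"]:
        print(finding)
```

Run as-is it reports the gaps in the configuration as listed (no Sophos route listed for the remote LAN, and only the LAN-to-tunnel direction of policy on each side); adding the missing route and the tunnel-to-LAN policies to the two Site objects makes the check return an empty list. The tunnel addresses 10.212.0.1/29 and 10.212.0.6/29 pass the subnet check, so the failed interface-to-interface ping is not an addressing problem on this evidence.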
1 Solution
AEK
SuperUser

While pinging the destination, try the following commands to see if the packet flows through the right interfaces:

diag sniffer packet any "host x.x.x.x and icmp" 4


And try the below to see why it is blocked (if so):

diag debug flow filter addr x.x.x.x
diag debug flow filter proto 1
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable


AEK

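The debug flow commands above print one line per step for each packet the FortiGate processes, and the answer to "where is it blocked" is in the sequence of those lines: which interface the packet arrived on, which interface the route lookup chose, and which policy allowed or denied it. As an added example (not part of the original answer or of FortiOS), the following Python script groups such lines by trace_id and reduces each trace to a one-line verdict. The sample lines are constructed to match the usual shape of `diag debug flow` output for this thread's addresses and are not captured from the poster's FortiGate; `port2` as the LAN interface name and the policy number 3 are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed sample lines in the usual shape of `diag debug flow` output (not a real capture).
# Trace 1: an echo request arriving from the tunnel interface, denied by the implicit policy 0.
# Trace 2: an echo request from the LAN side towards the tunnel, allowed by policy 3.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 172.29.21.11:1->10.210.101.11:2048) from S2S_DCOF_M. type=8, code=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5804 msg="allocate a new session-00001f3a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.210.101.11 via port2"
id=20085 trace_id=1 func=fw_forward_handler line=783 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=1, 10.210.101.11:1->172.29.21.11:2048) from port2. type=8, code=0, id=2, seq=1."
id=20085 trace_id=2 func=init_ip_session_common line=5804 msg="allocate a new session-00001f3b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-10.212.0.1 via S2S_DCOF_M"
id=20085 trace_id=2 func=fw_forward_handler line=783 msg="Allowed by Policy-3:"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<ingress>\S+)\.')
ROUTE_RE = re.compile(r'find a route: .*? via (?P<egress>\S+)')
DENY_RE = re.compile(r'Denied by forward policy check \(policy (?P<policy>\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(?P<policy>\d+)')


def summarize(output: str) -> Dict[str, dict]:
    """Group debug-flow lines by trace_id and extract ingress, egress and the policy verdict."""
    traces: Dict[str, dict] = defaultdict(lambda: {"verdict": "unknown"})
    for raw in output.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompts, blank lines and anything that is not a debug-flow line
        t = traces[m["trace"]]
        msg = m["msg"]
        if (p := PKT_RE.search(msg)):
            t.update(proto=int(p["proto"]), src=p["src"], dst=p["dst"], ingress=p["ingress"])
        elif (r := ROUTE_RE.search(msg)):
            t["egress"] = r["egress"]
        elif (d := DENY_RE.search(msg)):
            t.update(verdict="denied", policy=int(d["policy"]))
        elif (a := ALLOW_RE.search(msg)):
            t.update(verdict="allowed", policy=int(a["policy"]))
    return dict(traces)


def explain(t: dict) -> str:
    """Render one trace as a single line a person can act on."""
    proto = {1: "icmp", 6: "tcp", 17: "udp"}.get(t.get("proto"), str(t.get("proto")))
    path = f"{proto} {t.get('src')} -> {t.get('dst')} in {t.get('ingress')} out {t.get('egress', '?')}"
    if t["verdict"] == "denied" and t.get("policy") == 0:
        # Policy 0 is the implicit deny: no configured policy matched this interface pair.
        return f"{path}: denied by implicit deny; no policy from {t.get('ingress')} to {t.get('egress', '?')} matched"
    if t["verdict"] == "denied":
        return f"{path}: denied by policy {t['policy']}"
    if t["verdict"] == "allowed":
        return f"{path}: allowed by policy {t['policy']}"
    return f"{path}: no verdict seen (trace incomplete)"


if __name__ == "__main__":
    for trace_id, trace in summarize(SAMPLE_TRACE).items():
        print(f"trace {trace_id}: {explain(trace)}")
```

Feed it the console output captured while the ping runs; a trace that ends in `Denied by forward policy check (policy 0)` means the packet did arrive and was routed, but no policy matches the ingress-to-egress interface pair, while a trace with no "received a packet" line at all means the packet never reached the FortiGate and the sniffer command is the place to look instead.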
11 REPLIES
timchen
New Contributor II

Hi @AEK


Thank you for your help. Today, I conducted various checks again without changing any settings, and suddenly the tunnel started working, but I don't know why. I'm not sure if it's a bug in the Sophos Firewall or some issue with the internet line.


But all the setup steps should be correct.

Tzneg_wx
New Contributor

To establish a route-based site-to-site VPN with Sophos, you must set the local subnet in the FortiGate VPN Phase 2, but do not set the remote subnet.

This will make it successful. You can try it.

[Image attached: sophos vpn2.jpg]

[Image attached: phase2.png]

[Image attached: sophos vpn.jpg]
