Site to Site VPN sophos XG to fortigate

i tried following this:

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-IPsec-VPN-Connection-between-Sophos-and-Fortigate-with-IKEv2.pdf

didnt help

in the logs - system i see: "peer authentication failed"

Which Authentication method do you use? 

Can you post some screenshots? 

Hi

thank you for your response.

i sort of managed to get the tunnel up.

but...

out of the 4 subnets i included in the tunnel,

only 1 get a connection (attached screenshot)

i have firewall rules that allow all 4 subnets on both sides.

what am i missing?

I would say, something is not correct configured on Forti site. 

its definitely not a problem on the branch office fortigate device and i'll tell you why:

before switching the HQ fortigate device with a sophos device, we had a fortigate device in the main office as well as in the branch office.

we had a vpn tunnel working perfectly with all subnets running just fine over the tunnel.

when we switched to sophos in the main office, we have changed the vpn settings on the branch office deivce to mach the one on the sophos device.

so, the only thing that has changed is the sophos that replaced the fortigate on the main office. before that, the branch office device had a perfect vpn tunnel with the main office.

I do not know, how to configure a forti, but as far as i can tell, the forti is not properly using all SAs, instead using only one SA. 

If you check the charon.log on CLI, you should see, that the forti is not building up the other SAs. 

Or try the GES MER in my Signature to dig deeper. 

Hi

something doesnt make sense to me.

here is a screenshot of a tracert from the server in the brach office to one of the devices on the main office side.

(on of the vlans that has a red indicator in the above screenshot)

it clearly shows that the fortigate is pushing the traffic out correctly. 

seems like the traffic is lost on the sophos side

Hi

something doesnt make sense to me.

here is a screenshot of a tracert from the server in the brach office to one of the devices on the main office side.

(on of the vlans that has a red indicator in the above screenshot)

it clearly shows that the fortigate is pushing the traffic out correctly. 

seems like the traffic is lost on the sophos side

But still not clear, how the SA are missing on XG? 

I mean, you have to deploy a SA for each Network pinning. 

See: https://en.wikipedia.org/wiki/Security_association

If Fortinet uses other technologies to implement some kind of NAT, then you have to configure this properly. 

But at the moment, only 1 of 4 SAs are correct published. Therefore XG will not push any traffic to those non existing Networks (because the SA and SPI is missing). 

We are using the SAs to publish the routes. Therefore we need the correct SA.