Site to Site VPN sophos XG to fortigate

i tried following this:

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Establish-IPsec-VPN-Connection-between-Sophos-and-Fortigate-with-IKEv2.pdf

didnt help

in the logs - system i see: "peer authentication failed"

Which Authentication method do you use? 

Can you post some screenshots? 

Hi

thank you for your response.

i sort of managed to get the tunnel up.

but...

out of the 4 subnets i included in the tunnel,

only 1 get a connection (attached screenshot)

i have firewall rules that allow all 4 subnets on both sides.

what am i missing?

I would say, something is not correct configured on Forti site. 

its definitely not a problem on the branch office fortigate device and i'll tell you why:

before switching the HQ fortigate device with a sophos device, we had a fortigate device in the main office as well as in the branch office.

we had a vpn tunnel working perfectly with all subnets running just fine over the tunnel.

when we switched to sophos in the main office, we have changed the vpn settings on the branch office deivce to mach the one on the sophos device.

so, the only thing that has changed is the sophos that replaced the fortigate on the main office. before that, the branch office device had a perfect vpn tunnel with the main office.

I do not know, how to configure a forti, but as far as i can tell, the forti is not properly using all SAs, instead using only one SA. 

If you check the charon.log on CLI, you should see, that the forti is not building up the other SAs. 

Or try the GES MER in my Signature to dig deeper. 

Hi

something doesnt make sense to me.

here is a screenshot of a tracert from the server in the brach office to one of the devices on the main office side.

(on of the vlans that has a red indicator in the above screenshot)

it clearly shows that the fortigate is pushing the traffic out correctly. 

seems like the traffic is lost on the sophos side

But still not clear, how the SA are missing on XG? 

I mean, you have to deploy a SA for each Network pinning. 

See: https://en.wikipedia.org/wiki/Security_association

If Fortinet uses other technologies to implement some kind of NAT, then you have to configure this properly. 

But at the moment, only 1 of 4 SAs are correct published. Therefore XG will not push any traffic to those non existing Networks (because the SA and SPI is missing). 

We are using the SAs to publish the routes. Therefore we need the correct SA. 

Hello, Do you Solved it? We have the same problem the last Weekend. The problem was on the fotigate VPN Phases, Yo sould declare the networks that you need to be received by fortigate. 

Yes I agree to some others - I assume the config of the fortigate is wrong: The fortigate - fortigate IPSec connection can use some wildcard network connections and don't need to define every network on phase 2. If you define a phase 2 for all networks on the sophos this probably will work.

Yes I agree to some others - I assume the config of the fortigate is wrong: The fortigate - fortigate IPSec connection can use some wildcard network connections and don't need to define every network on phase 2. If you define a phase 2 for all networks on the sophos this probably will work.

On my own case in the second phase of the Fortinet's VPN I declared 0.0.0.0/0 as a all network permited, so when we established the VPN from Sophos we have seen that only one network came up then we declared each network for example. I Hope that this help you.

Hi Jose,

I have the same Problem but unfortunately I do not understand your solution/Workaround.

Regards, Juergen

In my case the main problem was on the fortinet phases, I set 0.0.0.0 as source network. I set each network on fortinet phases. Check your fortinet rules, and your sophos rules.

Hi Jose,

thanks for anser.

And what about on Sophos XG Site? Two (or more) subnet for "Remote Subnet"?

Kind Regards, Juergen