
RED Traffic on IPSec VPN: XG210 17.5.8 and FortiGate 61E

Hi team,

Need your assistance on something here.

My current setup is that I have an IPsec VPN connecting XG > FortiGate, which is working OK. But now I cannot reach the RED network (remote site network) from the FortiGate network and vice versa. I am clueless on how to approach this.

Please help. I'm new to Sophos

Thanks            



  • Hello Chacha,

    Have you configured the RED network on your IPSec VPN? For traffic to flow over an IPSec tunnel, the necessary SA will need to be established.

    Under Configure > VPN > IPsec connections, did you include the RED network in the local subnet field? Please note that on the FortiGate side it will need to be in the equivalent local subnet field as well.

    If you do have this configured, the next step would be to confirm that the SAs are established correctly. This can be done by clicking on the little blue "i" icon next to the connection status circle. It is circled in red in the below image.

    It will present the following page. Please ensure that the subnets listed match what is configured.

    If the above looks correct, then the next step would be to perform a packet capture to verify what is happening to the traffic. The following knowledge base article covers how to use the packet capture feature.

    https://community.sophos.com/kb/en-us/123189

    Bryan Yang
    Community Support Engineer | Sophos Technical Support


  • Appreciate Yang for the quick response.

    Yes, I have added the RED network to the IPsec tunnel as shown below.

    And the link appears to be up, but nothing seems to reach either side.

    Thanks

  • Chacha,

    Are you able to ping the RED network from Fortinet? And vice versa?

    Use the traceroute command to understand where the traffic is going. Also use tcpdump.

    Regards

  • Hi lferrara,

    Forti > XG and vice versa is OK. The only issue is RED > Forti and vice versa.

    Will try your suggestion for further investigation.

    Thanks

  • The RED tunnel is simply an interface. I would guess there is a firewall rule missing?

    Which Zone type is your RED? 

  • Toni,

    I have created a separate Zone for RED.  

    I have toyed with the policies enough times, but I can't seem to get the VPN traffic through the RED.

    Thanks

  • Kairu, can I have a look at your XG config?

    Send me a pm.

  • Hi Chacha Kairu,

    Do a traceroute from a client in the RED network to a client in the Fortinet network and vice versa. Examine the hop after the last hop that is answering. Verify that the traffic is routed through the tunnel and not sent elsewhere.

    Examine the routes on the XG and Fortigate.

    On the XG Firewall:

    - The RED network/zone must be able to communicate with the zones VPN and LAN. The zones LAN, VPN must be able to communicate with the RED network/zone.

    - The FortiGate network must be defined in the RED connection.

    On XG and FortiGate Firewall:

    - The RED network must be defined in the IPsec tunnel.

    On the FortiGate Firewall:

    - There must be a policy on the FortiGate that allows communication with the RED network and vice versa.
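The checklist above (and Bryan Yang's earlier point that the RED subnet has to appear in the IPsec subnet fields on both peers) can be turned into a small offline check. The script below is an added example written for this page, not code from the thread, Sophos or Fortinet: it models each peer's phase-2 selectors (local/remote subnets) and its zone-to-zone policy, then reports why a given source host cannot reach a destination host through the tunnel. All addresses, zone names (LAN, RED, VPN on the XG; internal, to_xg on the FortiGate) and rule sets are constructed sample data that reproduce the situation in the thread: LAN <-> FortiGate works, RED <-> FortiGate does not until the RED subnet is added to the selectors and RED <-> VPN rules exist.

```python
"""Added example: does the IPsec configuration and zone policy on both peers cover a flow?

Not from the thread. Addresses, zone names and rules are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Peer:
    """One IPsec peer plus its firewall policy.

    local/remote: subnets behind this peer / behind the other peer (phase-2 selectors)
    zones:        zone (or interface) name -> subnets reached through it
    rules:        allowed (source zone, destination zone) pairs for initiated traffic
    """
    name: str
    local: frozenset
    remote: frozenset
    zones: dict
    rules: frozenset


def peer(name, local, remote, zones, rules):
    nets = lambda xs: frozenset(ip_network(x) for x in xs)
    return Peer(name, nets(local), nets(remote),
                {z: nets(xs) for z, xs in zones.items()}, frozenset(rules))


def selector_for(p, near_addr, far_addr):
    """Phase-2 SAs exist only for configured (local, remote) subnet pairs. Return the
    pair on peer p that carries near_addr (behind p) to far_addr (behind the other peer)."""
    return next(((l, r) for l in p.local for r in p.remote
                 if near_addr in l and far_addr in r), None)


def zone_of(p, addr):
    return next((z for z, nets in p.zones.items() if any(addr in n for n in nets)), None)


def diagnose(a, b, src, dst):
    """Reasons why a flow initiated from src (behind peer a) toward dst (behind peer b)
    cannot use the tunnel. An empty list means selectors and policies on both sides cover it."""
    src, dst = ip_address(src), ip_address(dst)
    problems = []
    # 1. Peer a needs a selector with src in local and dst in remote; peer b needs the mirror.
    if selector_for(a, src, dst) is None:
        problems.append(f"{a.name}: no selector with {src} local and {dst} remote")
    if selector_for(b, dst, src) is None:
        problems.append(f"{b.name}: no selector with {dst} local and {src} remote")
    # 2. Each firewall needs a rule from the zone the packet enters to the zone it leaves;
    #    both firewalls are stateful, so the reply direction is covered by the same rule.
    for fw in (a, b):
        sz, dz = zone_of(fw, src), zone_of(fw, dst)
        if sz is None or dz is None:
            missing = src if sz is None else dst
            problems.append(f"{fw.name}: {missing} not in any zone (route or interface missing?)")
        elif (sz, dz) not in fw.rules:
            problems.append(f"{fw.name}: no firewall rule {sz} -> {dz}")
    return problems


# Constructed sample networks (not from the thread).
LAN, RED, FGT_LAN = "192.168.10.0/24", "192.168.20.0/24", "10.10.0.0/24"

# "Before": only the XG LAN is in the tunnel and only LAN<->VPN rules exist.
XG_BEFORE = peer("XG", local=[LAN], remote=[FGT_LAN],
                 zones={"LAN": [LAN], "RED": [RED], "VPN": [FGT_LAN]},
                 rules={("LAN", "VPN"), ("VPN", "LAN")})
FGT_BEFORE = peer("FortiGate", local=[FGT_LAN], remote=[LAN],
                  zones={"internal": [FGT_LAN], "to_xg": [LAN]},
                  rules={("internal", "to_xg"), ("to_xg", "internal")})

# "After": RED added to the XG local / FortiGate remote subnets, RED<->VPN rules on the XG,
# and the FortiGate's tunnel interface plus policy now cover RED as well.
XG_AFTER = peer("XG", local=[LAN, RED], remote=[FGT_LAN],
                zones={"LAN": [LAN], "RED": [RED], "VPN": [FGT_LAN]},
                rules={("LAN", "VPN"), ("VPN", "LAN"), ("RED", "VPN"), ("VPN", "RED")})
FGT_AFTER = peer("FortiGate", local=[FGT_LAN], remote=[LAN, RED],
                 zones={"internal": [FGT_LAN], "to_xg": [LAN, RED]},
                 rules={("internal", "to_xg"), ("to_xg", "internal")})

if __name__ == "__main__":
    for label, xg, fgt in (("before", XG_BEFORE, FGT_BEFORE), ("after", XG_AFTER, FGT_AFTER)):
        print(label, "LAN -> FortiGate:", diagnose(xg, fgt, "192.168.10.5", "10.10.0.20") or "ok")
        print(label, "RED -> FortiGate:", diagnose(xg, fgt, "192.168.20.5", "10.10.0.20") or "ok")
        print(label, "FortiGate -> RED:", diagnose(fgt, xg, "10.10.0.20", "192.168.20.5") or "ok")
```

Run as-is to see the "before" state fail on four counts for RED traffic (no selector on either peer, no RED -> VPN rule on the XG, and the RED subnet not reachable through any FortiGate interface) while LAN traffic passes, then the "after" state pass in both directions. The point it makes concrete is that every one of these layers has to be fixed on both peers; a selector added on the XG alone still leaves the FortiGate dropping the packets.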
