
Site to Site IPSEC SOPHOS XG to Fortigate

I've been tasked to set up Sophos XG IPsec with a virtual-based Fortigate, since we're going cloud on all our servers. It's been a few weeks of rough nights and everything is going wild.
We basically have all servers up on a vendor's cloud service.
We had all our production servers, DMZ and wifi management on 3 different subnets migrated to the cloud, which is behind a Fortigate virtual appliance.
Everything ran fine between the Sophos XG IPsec and the service provider's Fortigate, until we decided to add more subnets on the Sophos XG side to segregate different groups of LANs for different purposes.

It started this way because it was a rough start. I managed to get the other end to establish the tunnel with the Sophos XG. I even added the SSL VPN and a RED subnet to allow them to reach our private cloud servers. Everything worked fine.


We were later required to add more subnets to the IPsec tunnel, resulting in a whopping number of over 13 subnets.
It resulted in some subnets refusing to link with the other side. They show as inactive, while the Fortigate side seems to show all subnets as up.
And it seems that some subnets are facing issues when I try to reach them after I added the new subnets to the tunnel.

SFOS version 17.0.08 MR8
XG450

Setup for the IPsec as below.
The IPsec policy I used is a modified IKEv2 template that follows below.
IKEv2
DH Groups 16, 19 and 21, same on P1 and P2.
P1: AES256 - SHA512, AES256 - SHA384. Key lifetime: 5400
P2: AES256 - SHA512, AES256 - SHA384. Lifetime: 3600
VPN is set to respond only instead of initiate.

According to this guide:
Establish IPsec VPN Connection Between Sophos and Fortigate with IKEv2

I wondered if there is a limitation where adding too many subnets will cause the tunnel to become unstable.
Or should I go IKEv1?


I did try to upgrade our HA unit to version SFOS 18 MR5.
I recreated everything from scratch up to the IPsec part; even with only one subnet, the IPsec tunnel refused to come up.
Worst of all, the console gave an error when I tried to show the IPsec VPN logs using the SFOS 18 MR5 firmware.

There are actually a pool of issues, but I would like to go over this bit before proceeding to the others.

Hope someone could give me some enlightenment.



  • Hi, we saw some kind of instabilities with IKEv1 and Fortigate with Sophos XG 17.5. We also used a lot of subnets on both sides, so this might be the issue. The number of SAs / connections is #subnets (one side) multiplied by #subnets (other side).

    Meanwhile we replaced it with an MPLS connection. Therefore I cannot say anything about the behaviour of version 18 (MR4). Look into the logfiles and try to find out what actually happens and/or open a ticket.

    The OS version 17.0.08 MR8 you are using is not the newest on the planet ...

    Another possible solution might be to use interface mode and IKEv2. Fortigate should be able to do this and Sophos XG can use it with version 18.

    Is SFOS 18 MR-5 out already? Is this some kind of beta?

  • I'm using IKEv2 at the moment with Sophos XG 17.5. The problem started when I added more subnets.
    In the firewall policy, here's what I did which made things worse.
    Previously I had three firewall policies:

    LAN to VPN, source and destination as any to any.
    VPN to LAN, source and destination as any to any.
    VPN to WAN, source and destination as any to any.

    I changed it to:
    LAN to VPN, source and destination: all the 13 subnets to any.
    VPN to LAN, source and destination: any to all the 13 subnets.
    VPN to WAN, source and destination as any to any.

    It resulted in some of my IPsec tunnels not coming up, even after I rebooted the firewall. This happens particularly to IPsec tunnels where the remote firewall has a dynamic IP. There are even some issues with a specific IPsec tunnel where the SSL VPN subnet ceased to work with the subnet, even after I got everything back to previous.

    This forced me to try out the SFOS 18 MR5 firmware to try my chances.

    Which is why I wondered if there is a limitation to how many subnets can be added to each tunnel.
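The "SAs = #subnets × #subnets" point in the first reply and the narrowed LAN-to-VPN rule in the second are easy to sanity-check offline. The following is an added example, not code from the thread or from Sophos; the subnet values are constructed, and a policy-based tunnel is modelled as one Phase 2 selector pair per local/remote subnet combination:

```python
from ipaddress import ip_network, ip_address
from itertools import product

# Constructed sample data (not from the thread): local subnets on the XG side,
# the last one standing in for an SSL VPN pool, and three remote subnets
# behind the Fortigate.
LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.100.0/24"]
REMOTE_SUBNETS = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]


def child_sas(local, remote):
    """A policy-based tunnel negotiates one Phase 2 (Child) SA per
    local/remote selector pair, so the count is len(local) * len(remote)
    and each pair rekeys on its own at the Phase 2 lifetime."""
    return [(ip_network(l), ip_network(r)) for l, r in product(local, remote)]


def sa_for_packet(sas, src, dst):
    """Return the (local, remote) selector that would carry a packet as
    CIDR strings, or None when no negotiated SA covers it (the packet is
    then dropped or sent in the clear, depending on the firewall policy)."""
    s, d = ip_address(src), ip_address(dst)
    for l, r in sas:
        if s in l and d in r:
            return (str(l), str(r))
    return None


def subnets_missing_from_rule(tunnel_local, rule_sources):
    """Local subnets that the tunnel selectors cover but a narrowed
    'LAN to VPN' rule's source list does not: traffic from these never
    reaches the tunnel even though the SA itself may be fine."""
    rule = [ip_network(n) for n in rule_sources]
    return [n for n in tunnel_local
            if not any(ip_network(n).subnet_of(r) for r in rule)]


if __name__ == "__main__":
    sas = child_sas(LOCAL_SUBNETS, REMOTE_SUBNETS)
    print(f"{len(LOCAL_SUBNETS)} x {len(REMOTE_SUBNETS)} subnets -> {len(sas)} Child SAs")
    print("13 local x 3 remote would be", 13 * 3, "Child SAs")
    print(sa_for_packet(sas, "10.10.1.5", "172.16.2.9"))
    # Rule narrowed to the first three subnets only, as in the second reply.
    print("not covered by rule:", subnets_missing_from_rule(LOCAL_SUBNETS, LOCAL_SUBNETS[:3]))
```

Running it shows which local subnets a narrowed rule silently excludes, which is the first thing to compare against the tunnel's inactive selectors before blaming the SA count.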