
XG 210 to Fortigate 100C - IPSec Tunnel up, I am unable to pass traffic across tunnel

I am working with my first Sophos devices and am running into a problem passing traffic over an established IPSec VPN tunnel.

I have a VPN tunnel established between Site A (Sophos XG210) and Site B (Fortigate 100c). I created a static route for the remote LAN at Site B on the XG Firewall, which is 10.20.0.0/24 on Port 2, and then configured a static route for the Site A remote LAN (10.5.0.0/24) on the Fortigate. I have 2 rules in place at either site, at the top of the policy list. Sophos has LAN All->VPN All and VPN All->LAN All, and on the Fortigate side LAN All->VPN All and VPN All->LAN All. The IPsec connection on the XG Firewall has a Local Subnet of Site A (10.5.0.0/24) and a Remote Subnet of Site B (10.20.0.0/24). I cannot figure out why I cannot pass any traffic over the tunnel in either direction. I'd be grateful for any help!



  • Hi, I had similar Issues just between XG and UTM. Solved these with different Policy Settings. What are yours at the moment?
  • Are you referring to the IPsec Policy or the Firewall Policy? My IPsec Policy should be good as the tunnel is up. I do see drops when doing a drop_packet_capture in the CLI. The first 2 IP addresses are the IPsec endpoints. Not sure why it shows the management port 4444 for the Sophos endpoint.


    2016-02-11 14:58:50 0102021 IP 96.53.29.98.54636 > 162.157.6.178.4444 : proto TCP: R 4161311684:4161311684(0) checksum : 48806
    0x0000: 4500 0028 6967 4000 7b06 6f82 6035 1d62 E..(ig@.{.o.`5.b
    0x0010: a29d 06b2 d56c 115c f808 93c4 a429 b383 .....l.\.....)..
    0x0020: 5014 0000 bea6 0000 0000 0000 0000 P.............
    Date=2016-02-11 Time=14:58:50 log_id=0102021 log_type=Firewall log_component=Invalid_Traffic log_subtype=Denied log_status=N/A log_priority=Alert duration=N/A in_dev=Port2 out_dev= inzone_id=0 outzone_id=0 source_mac=00:23:3e:63:1b:bc dest_mac=00:1a:8c:50:f2:29 l3_protocol=IP source_ip=96.53.29.98 dest_ip=162.157.6.178 l4_protocol=TCP source_port=54636 dest_port=4444 fw_rule_id=0 policytype=0 live_userid=0 userid=0 user_gp=0 ips_id=0 sslvpn_id=0 web_filter_id=0 hotspot_id=0 icap_id=0 app_filter_id=0 app_category_id=0 app_id=0 category_id=0 bandwidth_id=0 up_classid=3690756390629933056 dn_classid=0 source_nat_id=0 cluster_node=0 inmark=0 nfqueue=0 scanflags=0 gateway_offset=0 max_session_bytes=0 drop_fix=0 ctflags=0 connid=0 masterid=0 status=0 state=0 sent_pkts=N/A recv_pkts=N/A sent_bytes=N/A recv_bytes=N/A tran_src_ip=N/A tran_src_port=N/A tran_dst_ip=N/A tran_dst_port=N/A
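The drop_packet_capture output above is one key=value record per packet, so it is easy to sift. As an added example (not Sophos code, and not from anyone in this thread), the parser below splits such lines into fields and separates denied packets that are the tunnel itself (ESP, or IKE on UDP 500/4500) from unrelated denied traffic between the same two endpoints. The quoted drop is a TCP reset (flag R) to port 4444, the XG admin port, logged as Invalid_Traffic, i.e. an out-of-state packet and not ESP or IKE, which is why it does not explain the dead tunnel. The sample lines, the endpoint addresses (RFC 5737 documentation ranges) and the l4_protocol=ESP value are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos XG key=value format seen in the
# drop_packet_capture output. IPs are documentation addresses (RFC 5737),
# not the endpoints from the thread; the ESP line is assumed, not captured.
SAMPLE_LOG = [
    # out-of-state TCP RST from the peer to the XG admin port (4444): not tunnel traffic
    "Date=2016-02-11 Time=14:58:50 log_id=0102021 log_type=Firewall "
    "log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 out_dev= "
    "l3_protocol=IP source_ip=198.51.100.10 dest_ip=203.0.113.20 l4_protocol=TCP "
    "source_port=54636 dest_port=4444 fw_rule_id=0",
    # an ESP packet from the peer being dropped: the kind of entry that does explain a dead tunnel
    "Date=2016-02-11 Time=14:59:01 log_id=0102021 log_type=Firewall "
    "log_component=Invalid_Traffic log_subtype=Denied in_dev=Port2 out_dev= "
    "l3_protocol=IP source_ip=198.51.100.10 dest_ip=203.0.113.20 l4_protocol=ESP fw_rule_id=0",
    # an ordinary LAN-to-VPN packet allowed by a firewall rule
    "Date=2016-02-11 Time=14:59:05 log_id=0101011 log_type=Firewall "
    "log_component=Firewall_Rule log_subtype=Allowed in_dev=Port1 out_dev=Port2 "
    "l3_protocol=IP source_ip=10.5.0.15 dest_ip=10.20.0.7 l4_protocol=ICMP fw_rule_id=3",
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Turn one key=value log line into a dict; empty values such as 'out_dev=' are kept as ''."""
    return dict(KV_RE.findall(line))


def is_tunnel_packet(rec):
    """ESP, or IKE on UDP 500/4500, between the peers is the tunnel's own traffic."""
    if rec.get("l4_protocol") == "ESP":
        return True
    return rec.get("l4_protocol") == "UDP" and rec.get("dest_port") in ("500", "4500")


def denied_between(lines, endpoints):
    """Return denied records whose source and destination are both tunnel endpoints,
    split into (tunnel packets, unrelated packets such as stray TCP resets)."""
    tunnel, other = [], []
    for line in lines:
        rec = parse_line(line)
        if rec.get("log_subtype") != "Denied":
            continue
        if rec.get("source_ip") in endpoints and rec.get("dest_ip") in endpoints:
            (tunnel if is_tunnel_packet(rec) else other).append(rec)
    return tunnel, other


def summarize(lines):
    """Count (component, subtype, protocol) so the noise stands out at a glance."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        counts[(rec.get("log_component"), rec.get("log_subtype"), rec.get("l4_protocol"))] += 1
    return counts


if __name__ == "__main__":
    peers = {"198.51.100.10", "203.0.113.20"}
    tunnel_drops, noise = denied_between(SAMPLE_LOG, peers)
    print("tunnel packets denied:", [(r["l4_protocol"], r["in_dev"]) for r in tunnel_drops])
    print("unrelated denied packets:", [(r["l4_protocol"], r.get("dest_port")) for r in noise])
    for key, n in summarize(SAMPLE_LOG).items():
        print(key, n)
```

If the tunnel list stays empty while pings fail, the drop is not happening at the XG's packet filter and the problem sits in the IPsec SA itself, which is where this thread eventually ended up.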
  • Hi support,

    pinging a device on remote network works?

    Luk
  • No, at the time that I posted that, I was not able to ping anything in either direction. There has been some progress made in the last few days, with the help of Sophos support. In addition to the IPSec static route, an SNAT rule was also required making outbound packets through the tunnel have a return address of the sending LAN address range. I am now able to ping from the network behind the XG to the network behind the Fortigate, however I am unable to do the reverse. The next step will be to figure out how to add an SNAT rule to the Fortigate to do the same.
  • I have determined through a packet capture of an ICMP request that traffic from the Fortigate is getting to the XG Firewall over the IPsec tunnel; however, the XG Firewall is not routing, or is dropping, the traffic destined for the internal LAN.
  • With help from Sophos level 2 support, we were able to resolve the issue. Using SHA256 encryption was the culprit, so using SHA1 fixed the problem (supposedly a known issue). As I noted previously, an SNAT rule was required/added; it turned out not to be required, so it was also removed.

  • The SHA-2 family of algorithms uses 128-bit hash truncation in Fortinet, and in XG it uses 96-bit hash truncation; that was the reason why you were unable to get the tunnel up. This should be fixed in V2 of XG.

    Thanks,

    Kranthi
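Kranthi's point about truncation lengths is worth seeing in code, because it explains the symptom in this thread: IKE negotiates the SA, so the tunnel reports up, but every ESP packet carries an Integrity Check Value of a length the other side does not expect, so every packet fails the integrity check and is silently dropped. The block below is an added illustration, not code from Sophos, Fortinet or anyone in this thread: it models the ESP ICV as HMAC-SHA-256 truncated to either 96 or 128 bits (RFC 4868 specifies 128) and checks every sender/receiver combination. The key and the packet body are constructed values; the packet layout is simplified to "authenticated bytes followed by ICV".

```python
import hashlib
import hmac

# Constructed values for the example: a fake 32-byte integrity key and a fake ESP
# body (SPI, sequence number, ciphertext). Neither comes from a real SA.
AUTH_KEY = b"constructed-32-byte-integrity-key!!"[:32]
ESP_BODY = bytes.fromhex("0000abcd" "00000001") + b"constructed-encrypted-payload"

RFC4868_BITS = 128      # HMAC-SHA-256-128, the standard ESP truncation
LEGACY_BITS = 96        # the 96-bit truncation the thread attributes to the XG side


def esp_icv(key, authenticated_bytes, trunc_bits):
    """Compute the ESP ICV: full HMAC-SHA-256, then keep the leftmost trunc_bits."""
    full = hmac.new(key, authenticated_bytes, hashlib.sha256).digest()
    return full[: trunc_bits // 8]


def build_packet(key, authenticated_bytes, trunc_bits):
    """Sender side: body followed by an ICV of the sender's truncation length."""
    return authenticated_bytes + esp_icv(key, authenticated_bytes, trunc_bits)


def verify_packet(key, packet, trunc_bits):
    """Receiver side: strip the ICV length *it* expects, recompute, compare in constant time.
    If the peer used a different length, the split lands in the wrong place and the check fails."""
    icv_len = trunc_bits // 8
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(esp_icv(key, body, trunc_bits), icv)


def interop_matrix(key, body):
    """Try every sender/receiver truncation pairing; only matching lengths verify."""
    results = {}
    for sender_bits in (LEGACY_BITS, RFC4868_BITS):
        for receiver_bits in (LEGACY_BITS, RFC4868_BITS):
            packet = build_packet(key, body, sender_bits)
            results[(sender_bits, receiver_bits)] = verify_packet(key, packet, receiver_bits)
    return results


if __name__ == "__main__":
    for (tx, rx), ok in interop_matrix(AUTH_KEY, ESP_BODY).items():
        print(f"sender truncates to {tx} bits, receiver expects {rx} bits: {'pass' if ok else 'DROP'}")
```

Both sides share the same key and the same hash, yet the off-diagonal cases fail on every packet; the data plane dies while the control plane (IKE) looks healthy. Switching both ends to SHA1, as the thread did, works because both implementations agree on 96-bit truncation for HMAC-SHA1-96.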

  • Hi,

    I am having this issue in 2020. I see the comments below to change to SHA1; is this still the solution?