
IPSec Site To Site VPN Tunnel With Fortigate 40C

Hi,

I have two firewalls: a Sophos XG125 (Head Office) and a Fortigate 40C (Remote Branch Office).

Earlier we were facing issues getting the IPSec site-to-site VPN tunnel up and running; however, after disabling DPD on both firewalls we got the connection up and running.

All the local networks and the remote networks have been properly configured on both sides of the tunnel, and the IPSec tunnel is up and running properly now.

Once the tunnel is up and running, we are able to ping from either side of the tunnel to the other side.

However, after some random time, the tunnel status on both firewalls is shown as up (two green dots in the case of the Sophos XG firewall); however, traffic stops moving and we are not able to ping from either side of the tunnel.

Just for your information, we have configured DynDNS for the Fortigate 40C firewall, since there is no provision for a static IP at the branch office.

Hence the tunnel is established on the DynDNS URL instead of a static IP.

Please let me know if any other information is required from my end. 

Regards,

Mr. Samson Pacharne.



  • Tried keeping both firewalls in aggressive mode; it did work for the whole day, but in the evening when I checked, the tunnel seemed to be down again.

    Do I need to configure anything else on the Fortigate?

  • Samson,

    What do you get from the VPN logs? Can you share them?

    Thanks

  • We have been getting these sorts of emails.

    Dear Administrator,

    This is an auto-generated message from Sophos Monitoring Tool to inform the IPSec Connection status change.

    IPSec Connection <IP Sec Profile Name> between 192.168.1.0/24 and 192.168.0.0/24 is down.

    Time: 20:08:06
    Reason: The IPSec SA expired.

    Model Number: SG125

    Firmware version: SFOS 15.01.0

    Appliance Key: SXXXXXXXXXX

    Appliance IP (LAN): 192.168.1.254

    If configured in HA, whether sender is Primary/Auxiliary: HA not configured

    Can you please help me identify the issue and fix it?
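The notification quoted above carries everything needed to track this kind of flap automatically: the connection name, both subnets, the time and the reason line ("The IPSec SA expired."). The script below is an added example and not part of the original post or of Sophos' own tooling: it parses notification mails in the format shown in the thread and flags a connection that keeps going down with an SA-expired reason inside a sliding time window, which is the symptom being described (status green on both ends, traffic gone until the next rekey). The profile name `HO_to_Branch`, the sample timestamps, the wording of the "is up" variant of the message and the window/threshold defaults are assumptions; the mails only give a time of day, so all events are assumed to fall on the same day.

```python
"""Parse Sophos XG/SFOS IPSec status-change notifications and flag
repeated 'SA expired' drops on one connection.

Added example, not Sophos code. Message layout follows the mail quoted in
the thread; profile name, 'is up' wording, timestamps and thresholds are
assumptions.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample mails (not real logs). The first mirrors the one in the
# thread; the 'is up' message is an assumed mirror of the 'is down' one.
SAMPLE_NOTIFICATIONS = [
    "Dear Administrator,\n\nThis is an auto-generated message from Sophos "
    "Monitoring Tool to inform the IPSec Connection status change.\n\n"
    "IPSec Connection HO_to_Branch between 192.168.1.0/24 and 192.168.0.0/24 "
    "is down.\n\nTime: 20:08:06\nReason: The IPSec SA expired.\n",
    "IPSec Connection HO_to_Branch between 192.168.1.0/24 and 192.168.0.0/24 "
    "is up.\n\nTime: 20:09:30\nReason: Connection established.\n",
    "IPSec Connection HO_to_Branch between 192.168.1.0/24 and 192.168.0.0/24 "
    "is down.\n\nTime: 22:10:00\nReason: The IPSec SA expired.\n",
    "IPSec Connection HO_to_Branch between 192.168.1.0/24 and 192.168.0.0/24 "
    "is down.\n\nTime: 23:55:00\nReason: The IPSec SA expired.\n",
]


@dataclass
class IpsecEvent:
    name: str        # IPSec connection (profile) name
    local: str       # local subnet, e.g. 192.168.1.0/24
    remote: str      # remote subnet, e.g. 192.168.0.0/24
    state: str       # "up" or "down"
    time: datetime   # mail carries HH:MM:SS only; date defaults to 1900-01-01
    reason: str      # e.g. "The IPSec SA expired."


_STATUS_RE = re.compile(
    r"IPSec Connection (?P<name>.+?) between (?P<local>\S+) and (?P<remote>\S+) "
    r"is (?P<state>up|down)\."
)
_TIME_RE = re.compile(r"^Time:\s*(?P<time>\d{2}:\d{2}:\d{2})\s*$", re.MULTILINE)
_REASON_RE = re.compile(r"^Reason:\s*(?P<reason>.+?)\s*$", re.MULTILINE)


def parse_notification(text: str) -> Optional[IpsecEvent]:
    """Return the event described by one notification mail, or None when the
    status line or the Time line is missing (e.g. an unrelated mail)."""
    status = _STATUS_RE.search(text)
    when = _TIME_RE.search(text)
    if not status or not when:
        return None
    reason = _REASON_RE.search(text)
    return IpsecEvent(
        name=status["name"],
        local=status["local"],
        remote=status["remote"],
        state=status["state"],
        time=datetime.strptime(when["time"], "%H:%M:%S"),
        reason=reason["reason"] if reason else "",
    )


def sa_expiry_flaps(events: List[IpsecEvent],
                    window_minutes: int = 120,
                    threshold: int = 2) -> List[IpsecEvent]:
    """Return every 'down' event whose reason mentions an expired SA and that
    completes a run of at least `threshold` such downs for the same
    connection inside the last `window_minutes`. Up events are ignored:
    the tunnel reporting 'up' again is exactly what hides this problem."""
    downs = sorted(
        (e for e in events if e.state == "down" and "SA expired" in e.reason),
        key=lambda e: (e.name, e.time),
    )
    window = timedelta(minutes=window_minutes)
    flagged = []
    for i, ev in enumerate(downs):
        run = [d for d in downs[: i + 1]
               if d.name == ev.name and ev.time - d.time <= window]
        if len(run) >= threshold:
            flagged.append(ev)
    return flagged


def analyze(mails: List[str]) -> List[IpsecEvent]:
    """Parse a batch of mails and return the flagged SA-expiry flaps."""
    events = [e for e in (parse_notification(m) for m in mails) if e]
    return sa_expiry_flaps(events)


if __name__ == "__main__":
    for ev in analyze(SAMPLE_NOTIFICATIONS):
        print(f"{ev.name}: repeated SA expiry, latest at "
              f"{ev.time:%H:%M:%S} ({ev.local} <-> {ev.remote})")
```

Feed it the notification bodies pulled from the mailbox (or the same text from the XG's own log viewer) and correlate the flagged times with the SA lifetime configured on each peer; a run of expiries that lines up with the rekey interval on one side but not the other is what this check is meant to surface.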