Sophos UTM 9 ipsec VPN to Fortigate 60D working configurations?

Hi

We have a Sophos UTM 9 running firmware version 9.405-5 attempting to connect to a Fortigate 60D firewall but no joy. The logs show no connection being made on either end; the public IPs are reachable from testing. The policies on both ends are configured as follows:

IKE Encryption - AES256
IKE Authentication - SHA1
IKE Lifetime - 28800
IKE DH Group - 2

IPsec encryption - AES256
IPsec Authentication - SHA1
IPsec Lifetime - 3600
IPsec PFS - Enabled (Group 2)

Remote LAN, Local LAN and PSK are matching, and Auto firewall rules are enabled in the connection settings.

NAT Traversal and DPD are enabled on both sides as we have other VPNs, but neither IP is being NATed. All the settings are identical, and I've also used another UTM on a different firmware version and experienced the same issue.

Has anyone experienced issues between these 2 devices? Is there a unique configuration or a feature that needs to be enabled on either device?

Thanks

  • Hi, and welcome to the UTM Community!

    What do you mean by "experienced the same issue?"

    We need to see some log lines:

    1. Disable the IPsec Connection.
    2. Confirm that debug is not enabled.
    3. Start the IPsec Live Log and wait for it to show the last 10 lines.
    4. Enable the IPsec Connection.

    Show us about the first 60 lines after step 4.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    Thanks for replying to my question.

    Just to elaborate on my comment "experienced the same issue?": the VPN still doesn't become active and there is no information in the logs. Please see the copy and paste from the live log once the VPN is enabled with debug disabled.

    2017:03:19-17:55:37 rimilia-astaro pluto[5373]: added connection description "S_Rimilia-Calgary_NEW VPN"
    2017:03:19-17:55:37 rimilia-astaro pluto[5373]: "S_Rimilia-Calgary_NEW VPN" #16: initiating Main Mode

    2017:03:19-17:59:46 rimilia-astaro pluto[5373]: "S_Rimilia-Calgary_NEW VPN": deleting connection
    2017:03:19-17:59:46 rimilia-astaro pluto[5373]: "S_Rimilia-Calgary_NEW VPN" #16: deleting state (STATE_MAIN_I1)

    I've only put 4 lines because this is the only output associated with this VPN connection.

    Regards

  • So, it looks like the connection was established and then stopped four minutes later.  There's no way for IPsec to get to "initiating Main Mode" without almost 20 lines.  Also, prior to "deleting connection," there would be reasons given.  I don't think that a connection can be deleted unless at least one IPsec SA was established.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob

    The log shows "initiating Main Mode" and no related logs after that line. Sorry to confuse: the "deleting connection" was me disabling the VPN.

    No negotiations occur between the devices at any stage, no mismatch errors or any errors of communicating.

    Cheers Si

  • That's why it always pays to give all of the lines instead of deleting some.  The fact that the connection attempt dies immediately after "initiating Main Mode" indicates that one side is behind a NAT'ing router or that the PSK isn't the same.  The second issue might be resolved by selecting 'Enable probing of preshared keys' on the 'Advanced' tab of 'IPsec'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
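As an added illustration (not code from the thread, from Sophos or from Fortinet), here is a small Python triage helper that reads pluto log lines like the ones Si pasted and reports the furthest Main Mode initiator state reached for a connection, which is the question Bob is asking about. The sample log is constructed from the posted lines, the connection name is taken from them, and the state meanings are those of the pluto IKEv1 state machine.

```python
import re

# Constructed sample, modelled on the four pluto lines posted in the thread.
SAMPLE_LOG = """\
2017:03:19-17:55:37 rimilia-astaro pluto[5373]: added connection description "S_Rimilia-Calgary_NEW VPN"
2017:03:19-17:55:37 rimilia-astaro pluto[5373]: "S_Rimilia-Calgary_NEW VPN" #16: initiating Main Mode
2017:03:19-17:59:46 rimilia-astaro pluto[5373]: "S_Rimilia-Calgary_NEW VPN": deleting connection
2017:03:19-17:59:46 rimilia-astaro pluto[5373]: "S_Rimilia-Calgary_NEW VPN" #16: deleting state (STATE_MAIN_I1)
"""

# Matches the per-SA lines: pluto[pid]: "<conn>" #<sa>: <message>
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

# Main Mode initiator states in the order pluto reaches them.
MAIN_MODE_ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4"]

# What it means when the SA is torn down while still in a given state.
MEANING = {
    "STATE_MAIN_I1": "first Main Mode message sent, no reply ever arrived: peer not "
                     "answering on UDP/500, or a NAT device/firewall in the path dropping it",
    "STATE_MAIN_I2": "peer answered the proposal, but the DH key exchange never completed",
    "STATE_MAIN_I3": "DH done, but the identity/authentication exchange never completed "
                     "(PSK or peer ID mismatch is the usual cause)",
    "STATE_MAIN_I4": "Phase 1 (IKE SA) established; look at the Quick Mode lines for Phase 2",
}


def furthest_state(log_text, conn_name):
    """Return the most advanced Main Mode initiator state logged for conn_name, or None."""
    best = None
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m or m.group("conn") != conn_name:
            continue
        for st in re.findall(r"STATE_MAIN_I\d", m.group("msg")):
            if best is None or MAIN_MODE_ORDER.index(st) > MAIN_MODE_ORDER.index(best):
                best = st
    return best


def triage(log_text, conn_name):
    """One-line verdict on how far the IKE negotiation got for conn_name."""
    st = furthest_state(log_text, conn_name)
    if st is None:
        return "no IKE state for this connection: check it is enabled and the log is complete"
    return f"{st}: {MEANING[st]}"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "S_Rimilia-Calgary_NEW VPN"))
```

Run it against the full, unedited Live Log output rather than a hand-picked subset, since the verdict depends on seeing every state line pluto wrote for the SA.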