Support Forum
sindbad
New Contributor

VPN IPsec is up but can't ping

I have a FortiGate on v6. I have set up an IPsec VPN. It's connected to a Sophos XG firewall. The VPN is showing as up, but I can't ping. On both firewalls I have the policy enabled for VPN to LAN and LAN to VPN. I have a static route added on the FortiGate. I see an incoming log, but the outgoing log is 0. I hope someone can help me.
27 replies
Ashik_Sheik
Contributor II

Hi,

VPN tunnel up means phase 1 is fine. You just need to match your phase 2 configuration, routing and security policy on both sides.

Regds,

Ashik

Ashu
sindbad

Well, I have phase 2 configured correctly. Sophos support had a remote look and said it's all good; the issue lies with the FortiGate firewall. You know how it goes, one vendor points to the other vendor. Hope someone can tell me how to check if it's really about phase 2.
sindbad

I just checked on both sides. Changed phase 2. There is no connection anymore; can't get the VPN up. That tells me that the problem is not phase 2. I have my firewall open for VPN: LAN to VPN, VPN to LAN. The routing is also added. Still not a clue where it's going wrong. I am looking for help on the forum section because in my opinion there are a lot of clever people here. I have support on the FG firewall. I can call for remote support, but I have seen them not doing a great job.
Ashik_Sheik

Hi,

OK, kindly share the FortiGate VPN configuration as well as the Sophos VPN parameters; let's see what went wrong.

Regds,

Ashik

Ashu
sindbad

Here you go:

config vpn ipsec phase1-interface
edit "VPN"
set interface "wan1"
set peertype any
set proposal aes128-sha256
set dhgrp 14
set nattraversal disable
set remote-gw 217.100.11.164
set psksecret ENC 09KfjeK/J3wwarSADlgYszJKZzY5yMlmE9HhBqmp8i1xtFvIMI2gqbgfncSGzlSU93mAxrYY6X280QIaylrKcJOuPhyFJQasTtCi7+fa7KMH07C2vOhrAZj/R3CeDBoSEISYqzO53h2R0S/s8624WqAkF/bhDyKrjc0EUkuvlpTWrWfPwjhT6KyItsSJO9h4WxL40w==


config vpn ipsec phase2-interface
set phase1name "VPN"
set proposal aes128-sha256
set dhgrp 14
set src-subnet 10.24.5.0 255.255.255.0
set dst-subnet 192.168.104.0 255.255.255.0

config firewall policy
edit 37
set name "ipsec to local"
set uuid d5f533ee-ad5c-51e8-902e-c8570788bc6f
set srcintf "VPN"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
next
edit 38
set name "local to ipsec"
set uuid 1d570582-ad5d-51e8-ca02-e79f8ef5b6cc
set srcintf "wan1"
set dstintf "VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"


config router static
edit 1
set gateway 176.74.240.62
set device "wan1"
next
edit 3
set dst 192.168.3.0 255.255.255.0
set device "p1-fw-var"
next
edit 4
set dst 192.168.2.0 255.255.255.0
set device "p1-fw-var"
next
edit 5
set dst 192.168.0.0 255.255.252.0
set device "OUT"
next
edit 6
set gateway 176.74.234.54
set distance 20
set priority 1
set device "wan1"
next
edit 8
set dst 192.168.104.0 255.255.255.0
set device "VPN"
next

sindbad

When I go to the IPsec monitor: incoming data is showing 2 MB, outgoing data 0 B.
ede_pfau
Esteemed Contributor III

I've experienced Support doing a superb job. More than once.

If you expect help on the forum then please post the relevant parts of the config:

vpn ip phase1-interface

vpn ip phase2-interface

firewall policy

route static

from the CLI.

You can also debug a bit and post the output:

diag debug enable

di de app ike -1

 

(to stop scrolling, 'di de di'; to reset: 'di de app ike 0')

 

And always ping from hosts behind the firewalls, not from the FGT's CLI. Check that the host's software firewall is OFF.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ashik_Sheik

Hi 

 

I checked your config. The VPN config looks fine, but the policy is incorrect. Instead of the LAN interface, the policy shows "wan1", which is your VPN gateway interface.

 

config firewall policy
edit 37
set name "ipsec to local"
set uuid d5f533ee-ad5c-51e8-902e-c8570788bc6f
set srcintf "VPN"
set dstintf "wan1"   (This interface should be the LAN interface where your local subnet is)
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"
next
edit 38
set name "local to ipsec"
set uuid 1d570582-ad5d-51e8-ca02-e79f8ef5b6cc
set srcintf "wan1"   (This interface should be the LAN interface where your local subnet is)
set dstintf "VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set status enable
set schedule "always"
set service "ALL"

Ashu 

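The mistake Ashik points out above (both policies pair the tunnel interface "VPN" with "wan1", the physical interface the tunnel rides on, so LAN traffic never matches a policy) is easy to catch mechanically. The following is an added example, not code from this thread or from Fortinet: a small Python lint that parses FortiOS CLI text and flags (1) any policy whose two interfaces are a tunnel and its own underlying interface, and (2) any phase 2 remote subnet with no static route via the tunnel. The sample input is the relevant part of the config posted earlier in the thread with the pre-shared key redacted; the corrected variant assumes the LAN-side interface is named "internal", which is an assumption, since the thread never names it.

```python
"""Lint a FortiOS site-to-site IPsec config for two mistakes: a policy that
pairs the tunnel with the WAN port instead of the LAN, and a phase2 remote
subnet with no static route via the tunnel.  Standard library only."""
import shlex
from typing import Dict, List

Entry = Dict[str, List[str]]
Config = Dict[str, Dict[str, Entry]]


def parse_fortios(text: str) -> Config:
    """Parse config/edit/set/next/end text into {table: {entry: {key: [values]}}}.
    `set` lines directly under `config` with no `edit` (as in the phase2 block
    pasted in the thread) land in the entry named "".  Nested `config` blocks
    inside an `edit` are not needed for this check and are not handled."""
    cfg: Config = {}
    table = ""
    entry: Entry = {}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # keeps quoted names such as "ipsec to local" whole
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            entry = cfg.setdefault(table, {}).setdefault("", {})
        elif tok[0] == "edit":
            entry = cfg[table].setdefault(tok[1], {})
        elif tok[0] == "set":
            entry.setdefault(tok[1], []).extend(tok[2:])
        elif tok[0] == "next":
            entry = cfg[table][""]
    return cfg


def check_vpn(cfg: Config) -> List[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    def rows(table: str) -> Dict[str, Entry]:
        return {k: v for k, v in cfg.get(table, {}).items() if v}

    phase1 = rows("vpn ipsec phase1-interface")
    phase2 = rows("vpn ipsec phase2-interface")
    policies, routes = rows("firewall policy"), rows("router static")
    findings: List[str] = []

    # 1. A policy between the tunnel and the interface the tunnel is bound to
    #    never involves the LAN, so LAN <-> remote traffic matches no policy
    #    and is dropped (the tunnel's outgoing counter stays at 0).
    for tun, p1 in phase1.items():
        wan = p1.get("interface", [""])[0]
        for pid, pol in policies.items():
            ifs = set(pol.get("srcintf", [])) | set(pol.get("dstintf", []))
            if tun in ifs and wan in ifs:
                findings.append(f"policy {pid} ({pol.get('name', ['?'])[0]}): pairs "
                                f"tunnel {tun} with its underlying interface {wan}; "
                                f"the other side should be the LAN interface")

    # 2. Each phase2 remote selector needs a static route via the tunnel,
    #    otherwise traffic for it follows the default route instead of the VPN.
    for p2 in phase2.values():
        tun, dst = p2.get("phase1name", [""])[0], p2.get("dst-subnet")
        if dst and not any(r.get("dst") == dst and r.get("device", [""])[0] == tun
                           for r in routes.values()):
            findings.append(f"no static route for {' '.join(dst)} via {tun}")
    return findings


# Constructed sample: the relevant parts of the config as posted in this
# thread, with the pre-shared key redacted.
POSTED = '''
config vpn ipsec phase1-interface
    edit "VPN"
        set interface "wan1"
        set psksecret ENC REDACTED
    next
end
config vpn ipsec phase2-interface
    set phase1name "VPN"
    set dst-subnet 192.168.104.0 255.255.255.0
end
config firewall policy
    edit 37
        set name "ipsec to local"
        set srcintf "VPN"
        set dstintf "wan1"
    next
    edit 38
        set name "local to ipsec"
        set srcintf "wan1"
        set dstintf "VPN"
    next
end
config router static
    edit 8
        set dst 192.168.104.0 255.255.255.0
        set device "VPN"
    next
end
'''
# Corrected per the answer above.  The LAN-side interface name "internal" is
# an assumption; the thread never names it.
FIXED = (POSTED.replace('set dstintf "wan1"', 'set dstintf "internal"')
               .replace('set srcintf "wan1"', 'set srcintf "internal"'))

if __name__ == "__main__":
    for label, text in (("as posted", POSTED), ("corrected", FIXED)):
        print(label + ":", check_vpn(parse_fortios(text)) or ["OK"])
```

Run it against `show vpn ipsec phase1-interface`, `show vpn ipsec phase2-interface`, `show firewall policy` and `show router static` output pasted into one file; the posted config yields two policy findings and no route finding, the corrected one yields none.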
sindbad

I changed it. Thanks a lot. I can make a connection now. Only one more thing.

 

I can ping from the Sophos LAN to the FortiGate LAN.

I can't ping from the FortiGate to the Sophos client LAN.

 

Is this another setting?
