Can not ping from Fortigate site to Sophos site in IPSec

Author
longtran.cntt
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/05 05:03:22
  • Status: offline
2019/11/03 01:30:18 (permalink)
0

Can not ping from Fortigate site to Sophos site in IPSec

Hi all,
 
I've followed a Sophos guideline to configure IPSec between Fortigate and Sophos, and everything is working well: the VPN is up, and a user on the Sophos site can ping an IP on the Fortigate site, but a user on the Fortigate site cannot ping an IP on the Sophos site. The furthest I can get is a tracert to a local IP on the Sophos site, which reaches the default gateway and then stops, nothing else.
 
I've tried many things: disabling the Windows firewall, checking the Sophos policies... and a deep dive into Google. I see that some people have had the same problem and fixed it somehow, but no one posted the solution => I have no clue. Can someone please help me find where I went wrong?
 
Thanks a lot.
 
#1
emnoc
Expert Member
  • Total Posts : 5366
  • Scores: 351
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Can not ping from Fortigate site to Sophos site in IPSec 2019/11/03 01:27:46 (permalink)
0
The cmd "diag debug flow" should be used here. This does a few items:
 
  • ensures your policy is matched, or shows what was matched (policy ordering is crucial when other policies are in play)
  • shows the encrypt action
  • shows routing, or the lack of it
 
Since this is route-based, make sure a route to the destination exists via the VN-SL interface.
 
e.g. (x.x.x.x/xx is the remote network):
 
config router static
  edit 0
    set dst x.x.x.x/xx
    set device VN-SL
  next
end
 
 
 
Likewise, make sure the Sophos UTM knows how to route back. You can also confirm packets by dumping on the VN-SL interface.
 
And finally, do you have IPsec PH1/PH2 establishment?
 
e.g. FortiOS CLI:
 
diag vpn ike gateway
diag vpn tunnel list
 
e.g. FortiOS CLI:
 
diag sniffer packet VN-SL "icmp"
 
Give that a try.
 
Ken Felix
 
 
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
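As an added example (not part of Ken's reply, and not a FortiOS tool), here is a small Python parser for the verbosity-1 output of `diag sniffer packet VN-SL "icmp"`: it pairs echo requests with replies per flow and reports the flows that leave the tunnel interface unanswered, which is exactly the one-way symptom in this thread. The capture text and addresses below are constructed; the assumed line format is FortiOS's `<timestamp> <src> -> <dst>: icmp: echo request|reply`.

```python
import re

# Constructed sample of "diag sniffer packet VN-SL 'icmp'" (verbosity 1) output.
# Not a real capture from the thread; it mimics the thread's symptom: the
# Sophos-side host (192.168.50.7) gets its ping answered, the Fortigate-side
# host (10.10.10.25) sends requests that never come back.
SAMPLE_CAPTURE = """\
interfaces=[VN-SL]
filters=[icmp]
1.204113 10.10.10.25 -> 192.168.50.7: icmp: echo request
2.205002 10.10.10.25 -> 192.168.50.7: icmp: echo request
3.205771 10.10.10.25 -> 192.168.50.7: icmp: echo request
4.011230 192.168.50.7 -> 10.10.10.25: icmp: echo request
4.011512 10.10.10.25 -> 192.168.50.7: icmp: echo reply
"""

# One sniffer line: "<ts> <src> -> <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+echo (?P<kind>request|reply)\s*$"
)


def summarize_icmp(capture: str) -> dict:
    """Count echo requests and replies per (requester, target) flow.

    A reply is credited to the flow it answers, i.e. with src/dst reversed,
    so each key describes one direction of pinging."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and non-echo ICMP are ignored
        src, dst, kind = m["src"], m["dst"], m["kind"]
        key = (src, dst) if kind == "request" else (dst, src)
        entry = flows.setdefault(key, {"requests": 0, "replies": 0})
        entry["requests" if kind == "request" else "replies"] += 1
    return flows


def unanswered_flows(capture: str) -> list:
    """Flows whose requests left the tunnel interface but drew no reply."""
    return sorted(k for k, v in summarize_icmp(capture).items()
                  if v["requests"] > 0 and v["replies"] == 0)


if __name__ == "__main__":
    for (src, dst), v in summarize_icmp(SAMPLE_CAPTURE).items():
        status = "OK" if v["replies"] else "NO REPLY"
        print(f"{src} -> {dst}: {v['requests']} req / {v['replies']} reply [{status}]")
```

If requests appear on VN-SL with no replies, the Fortigate side is encrypting and forwarding; the fault is then on the return path (remote routing, remote policy, or the remote host), which is the distinction the thread was missing.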
#2
longtran.cntt
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/05 05:03:22
  • Status: offline
Re: Can not ping from Fortigate site to Sophos site in IPSec 2019/11/05 01:40:03 (permalink)
0
emnoc:
The cmd "diag debug flow" should be used here. [...]
Thank you for your reply.
 
I think that when I can reach the default gateway of the remote site, it means the tunnel between me (Fortigate) and the remote site (Sophos) is clear to go through; the problem is why the remote site does not reply to my ICMP.
 
Is this a Sophos configuration problem, or a Fortigate one?
#4
emnoc
Expert Member
  • Total Posts : 5366
  • Scores: 351
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Can not ping from Fortigate site to Sophos site in IPSec 2019/11/05 06:08:24 (permalink) (marked Helpful by zaphod 2019/11/05 06:37:20)
0
longtran.cntt:
I think that when I can reach the default gateway of the remote site, it means the tunnel between me (Fortigate) and the remote site (Sophos) is clear to go through; the problem is why the remote site does not reply to my ICMP.
 
Did you do any of the testing suggestions provided earlier? Without some basic diagnostics, you're guessing. All of the diagnostics are 1-2-3 steps and confirm things, vs. "thinking", which is really guessing, imho.
 
Ken Felix
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#5
longtran.cntt
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/06/05 05:03:22
  • Status: offline
Re: Can not ping from Fortigate site to Sophos site in IPSec 2019/11/09 09:44:57 (permalink)
0
Thanks to all, I finally found the issue and the solution.
 
The configuration of the Fortigate site is correct; nothing needs to change. The issue is that the Fortigate does not respond to the subnet of the remote site when connecting with Sophos => so on the Sophos site the VPN must be configured as host-to-host.