Error on Site2Site IPsec between Fortigate and Sophos XG

Author
fesch
2021/09/13 02:45:15

Hello all,
I have a faulty VPN configuration on an IPsec connection between a Fortigate and a Sophos XG to which I cannot find a solution.
I have connected several subnets via the VPN:
Fortigate:
xx.xx.11.0/24
xx.xx.6.0/24

XG:
xx.xx.100.0/24
xx.xx.2.0/24
xx.xx.0.0/26

The connection is established and also works. However, an error is displayed on the Fortigate.
The SAs between the firewalls are displayed with the following notation as UP:
Source: xx.xx.11.0-xx.xx.11.255
Destination: xx.xx.100.0-xx.xx.100.255, xx.xx.2.0-xx.xx.2.255, xx.xx.0.0-xx.xx.0.62
....
The same SAs are displayed with a different notation as DOWN:
Source: xx.xx.11.0/255.255.255.0
Destination: xx.xx.10.0/255.255.255.0, xx.xx.2.0/255.255.255.0, xx.xx.0.0/255.255.255.192
On the Sophos XG, all SAs are displayed UP.
Does anyone have an idea how I can eliminate this error? This permanently reports a faulty VPN tunnel to our monitoring system.
 
Best regards
 
Felix
#1
Kangming
Re: Error on Site2Site IPsec between Fortigate and Sophos XG 2021/09/13 09:34:37 (Best Answer by fesch 2021/09/14 23:39:04)
You could try to configure multiple phase2 selectors. In your 2*3 subnet situation, you should configure 6 phase2 selectors to negotiate with Sophos XG.
 
Refer to kb doc:
https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33873&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=249206664&stateId=1%200%20249208254%27)
 

Thanks
Kangming
#2
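The six selectors suggested in the answer above, generated as FortiOS CLI. This is an added example, not part of the thread: the 10.0.* subnets are constructed stand-ins for the masked xx.xx.* ones, and the phase1 name `to-sophos-xg` is hypothetical.

```python
import ipaddress
from itertools import product

# Constructed sample subnets: the thread masks the real ones as xx.xx.*, so 10.0.* stands in.
LOCAL = ["10.0.11.0/24", "10.0.6.0/24"]                    # FortiGate side
REMOTE = ["10.0.100.0/24", "10.0.2.0/24", "10.0.0.0/26"]   # Sophos XG side


def parse(subnets):
    """Parse CIDR strings strictly (host bits set raise ValueError) and reject overlaps."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping selectors: {a} and {b}")
    return nets


def selector_pairs(local, remote):
    """One (src, dst) pair per local/remote combination: 2 x 3 subnets gives 6."""
    return list(product(parse(local), parse(remote)))


def render_fortios(phase1, local, remote):
    """Render FortiOS CLI with one phase2-interface entry per selector pair."""
    lines = ["config vpn ipsec phase2-interface"]
    for n, (src, dst) in enumerate(selector_pairs(local, remote), start=1):
        lines += [
            f'    edit "{phase1}-p2-{n}"',
            f'        set phase1name "{phase1}"',
            f"        set src-subnet {src.network_address} {src.netmask}",
            f"        set dst-subnet {dst.network_address} {dst.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # "to-sophos-xg" is a hypothetical phase1 name; proposal and PFS settings are
    # omitted here and have to match what the Sophos XG policy offers.
    print(render_fortios("to-sophos-xg", LOCAL, REMOTE))
```

Each entry carries exactly one source and one destination subnet, so every SA the peer negotiates has a matching phase2 on the FortiGate.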
fesch
Re: Error on Site2Site IPsec between Fortigate and Sophos XG 2021/09/14 23:41:17
Thanks for your answer Kangming, that worked.
I had already used this solution with the previous Sophos product. So I could have thought of it myself ;)
#3