Example of topology:

FortiGate (WAN1) 1.1.1.1 <--> SNAT x.x.x.x <--> Internet <--> y.y.y.y Sophos

FortiGate uses 1.1.1.1 as a private IP address on WAN1 and is source-NATed to the public IP x.x.x.x. Sophos uses y.y.y.y as its public IP.

Note: the pre-shared key (PSK) and the proposals are the same on FortiGate and Sophos.

FortiGate IPsec settings (Phase 1):
    set interface "wan1"
    set remote-gw y.y.y.y

Sophos IPsec settings (Phase 1):
    Remote gateway: x.x.x.x

Troubleshooting on FortiGate:

Phase 1 is up, but the tunnel is not up, and the FortiGate IKE debug shows the keyword 'INVALID-ID-INFORMATION'. Set 1.1.1.1 in the VLAN ID field (optional) on the Sophos side to bring the IPsec tunnel up.

If Phase 1 is not coming up and the IKE debug shows 'received notify type AUTHENTICATION_FAILED', define the remote ID on the Sophos as shown below.

For example, on the FortiGate, the IKE debug shows the authentication error message:
2025-10-20 12:51:11.259104 ike V=root:0:VPN_to_Sophos:10169: initiator preparing AUTH msg <---
2025-10-20 12:51:11.259121 ike V=root:0:VPN_to_Sophos:10169: sending INITIAL-CONTACT
2025-10-20 12:51:11.259133 ike 0:VPN_to_Sophos:10169: enc 2900000C01000000C61271B 227000008000040002900002802000000 FCDBA00FD3483DFE508F30AC41D1F4F7C052D37CEB2A27AD25EBF9D32FB18C9C21000008000040242C 00002C000000280103040329B4D4 DB0300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFFC 6121160C612117F0000 001801000000070000100000FFFFC0A80000C0A83FFF0F0E0D0C0B0A0908070605040302010F
2025-10-20 12:51:11.259154 ike V=root:0:VPN_to_Sophos:10169: detected NAT
2025-10-20 12:51:11.259158 ike V=root:0:VPN_to_Sophos:10169: NAT-T float port 4500
2025-10-20 12:51:11.259164 ike 0:VPN_to_Sophos:10169: out
ike V=root:0:VPN_to_Sophos:10169: sent IKE msg (AUTH): 198.168.113.178:4500->xxx.xxx.27.101:4500, len=240, vrf=0, id=2a1dfb733594570c/5fda9b77bb78c8a4: 00000001, oif=3 <---
The Sophos peer replies to the FortiGate request but rejects the authentication message:
2025-10-20 12:51:11.268378 ike V=root:0: comes xxx.xxx.27.101:4500->198.168.113.178:4500, ifindex=3,vrf=0,len=84.... <---
2025-10-20 12:51:11.268410 ike V=root:0: IKEv2 exchange=AUTH_RESPONSE id=2a1dfb733594570c/5fda9b77bb78c8a4:00000001 len=80
2025-10-20 12:51:11.268417 ike 0: in 2A1DFB733594570C5FDA9B77BB78C8A42E202320000000010000005029000034F4895E0F27EE4DF4E717EE5849D6269DBB 629590B804EA5BD2BE9A54CA45A3B4CBB0E344601 7D0A327C4A71D7F961C7A
2025-10-20 12:51:11.268450 ike 0:VPN_to_Sophos:10169: dec 2A1DFB733594570C5FDA9B77BB78C8A42E2023200000000100000028290000040000000800000018
2025-10-20 12:51:11.268456 ike V=root:0:VPN_to_Sophos:10169: initiator received AUTH msg
2025-10-20 12:51:11.268460 ike V=root:0:VPN_to_Sophos:10169: received notify type AUTHENTICATION_FAILED <---
On the Sophos side, the error is visible under Log Viewer with the message 'Couldn't authenticate the remote gateway. Check the authentication settings on both devices (Remote: x.x.x.x)'. Here x.x.x.x is the public (NATed) IP of the FortiGate: because the FortiGate sits behind SNAT, the peer sees the NAT address rather than the interface address the FortiGate uses as its IKE ID.
To fix this issue, set the IP of the FortiGate interface, '198.168.113.178', as the Remote ID under Sophos VPN settings -> Remote Gateway -> Remote ID.
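As an added example (not part of this article and not Fortinet or Sophos code), the following Python script scans FortiGate IKE debug output of the kind quoted above and reports, per tunnel, whether NAT was detected and which notify the peer returned, mapping AUTHENTICATION_FAILED and INVALID-ID-INFORMATION to the corresponding check described in this article. The sample lines are constructed from the output shown above; the line format assumed is "ike [V=<vdom>:]<n>:<tunnel>:<serial>: <message>".

```python
import re

# Constructed sample of FortiGate IKE debug output, modelled on the lines
# quoted in this article (the addresses and tunnel name are the article's own).
SAMPLE_DEBUG = """\
2025-10-20 12:51:11.259104 ike V=root:0:VPN_to_Sophos:10169: initiator preparing AUTH msg
2025-10-20 12:51:11.259154 ike V=root:0:VPN_to_Sophos:10169: detected NAT
2025-10-20 12:51:11.259158 ike V=root:0:VPN_to_Sophos:10169: NAT-T float port 4500
2025-10-20 12:51:11.268410 ike V=root:0: IKEv2 exchange=AUTH_RESPONSE id=2a1dfb733594570c/5fda9b77bb78c8a4:00000001 len=80
2025-10-20 12:51:11.268456 ike V=root:0:VPN_to_Sophos:10169: initiator received AUTH msg
2025-10-20 12:51:11.268460 ike V=root:0:VPN_to_Sophos:10169: received notify type AUTHENTICATION_FAILED
"""

# Lines tied to a tunnel look like "ike [V=<vdom>:]<n>:<tunnel>:<serial>: <message>".
TUNNEL_RE = re.compile(r"\bike (?:V=\w+:)?\d+:(?P<name>[^:\s]+):\d+: (?P<msg>.*)$")

# Notify keywords this article discusses, with the check it recommends for each.
HINTS = {
    "AUTHENTICATION_FAILED": (
        "Peer rejected the AUTH exchange. With NAT in the path, set the FortiGate's "
        "interface IP as the Remote ID on the peer; also confirm PSK and proposals."
    ),
    "INVALID-ID-INFORMATION": (
        "Phase 1 is up but no tunnel: ID mismatch. On the Sophos side, set the "
        "FortiGate's interface IP (1.1.1.1 in the example) as the VLAN ID."
    ),
}


def triage_ike_debug(text):
    """Summarise IKE debug text per tunnel: NAT seen?, notifies, recommended checks."""
    findings = {}
    for line in text.splitlines():
        m = TUNNEL_RE.search(line)
        if not m:
            continue  # global lines ("comes", "exchange=") carry no tunnel name
        name, msg = m.group("name"), m.group("msg")
        entry = findings.setdefault(name, {"nat": False, "notifies": [], "hints": []})
        if msg.startswith("detected NAT"):
            entry["nat"] = True  # NAT-T floats to UDP/4500; the peer sees the SNAT address
        for keyword, hint in HINTS.items():
            if keyword in msg:
                entry["notifies"].append(keyword)
                if hint not in entry["hints"]:
                    entry["hints"].append(hint)
    return findings


if __name__ == "__main__":
    for name, f in triage_ike_debug(SAMPLE_DEBUG).items():
        print(f"{name}: nat={f['nat']} notifies={f['notifies']}")
        for hint in f["hints"]:
            print("  ->", hint)
```

Feed it the full output of the FortiGate IKE debug for the affected tunnel; lines without a tunnel name are skipped, so the global "comes" and "exchange=" lines do not disturb the per-tunnel summary.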