tonylin1, Staff
Article Id 216197
Description

This article describes how to set up an IPsec VPN between FortiGate and Sophos when the FortiGate is behind NAT.

Scope

FortiGate.
Solution

Example topology:

FortiGate (WAN1) 1.1.1.1 <-> SNAT x.x.x.x <-> Internet <-> y.y.y.y Sophos

The FortiGate WAN1 interface uses the private IP address 1.1.1.1, which is source-NATed to the public IP x.x.x.x. Sophos uses the public IP y.y.y.y.

 

Note:

The pre-shared key (PSK) and the proposals must be identical on the FortiGate and Sophos sides.

 

FortiGate IPsec settings, Phase 1:

set interface "wan1"
set remote-gw y.y.y.y

 

Sophos IPsec settings, Phase 1:

Remote gateway: x.x.x.x

 

Troubleshooting on FortiGate

Phase 1 is up, but the tunnel is not up, and the FortiGate IKE debug shows the keyword 'INVALID-ID-INFORMATION'.

Set 1.1.1.1 in the VLAN ID (optional) field on the Sophos side to bring the IPsec tunnel up.

 


 

If Phase 1 does not come up and the IKE debug shows the error 'received notify type AUTHENTICATION_FAILED', define the remote ID on the Sophos side as described below.

 


 

For example, on the FortiGate the IKE debug shows the authentication error:

2025-10-20 12:51:11.259104 ike V=root:0:VPN_to_Sophos:10169: initiator preparing AUTH msg <---
2025-10-20 12:51:11.259121 ike V=root:0:VPN_to_Sophos:10169: sending INITIAL-CONTACT
2025-10-20 12:51:11.259133 ike 0:VPN_to_Sophos:10169: enc 2900000C01000000C61271B227000008000040002900002802000000FCDBA00FD3483DFE508F30AC41D1F4F7C052D37CEB2A27AD25EBF9D32FB18C9C21000008000040242C00002C000000280103040329B4D4DB0300000C0100000C800E0100030000080300000C00000008050000002D00001801000000070000100000FFFFC6121160C612117F0000001801000000070000100000FFFFC0A80000C0A83FFF0F0E0D0C0B0A0908070605040302010F
2025-10-20 12:51:11.259154 ike V=root:0:VPN_to_Sophos:10169: detected NAT
2025-10-20 12:51:11.259158 ike V=root:0:VPN_to_Sophos:10169: NAT-T float port 4500
2025-10-20 12:51:11.259164 ike 0:VPN_to_Sophos:10169: out 2A1DFB733594570C5FDA9B77BB78C8A42E20230800000001000000F0230000D4A82CE2878F20FB3981141C3435F895FBC73E77EF2285B54A37021ED1442A53AD3DE4B50726A3EEFD44B3BC0C5FA2DA4DD290864A7DAD45AB89CD1784C7C8D34622B67DC5FA21832E06C95E1FFF8788A46DF5EC96E63C077ED6B419E8A0236E28318D6B431FF119AF9F9F341994290BF98E90A6AC5D1C65867EAD14D7C52440FCBAE4854F430DEA00554FD231E03976FE9DC6B67EC47D8D9BF03859D53D07B68D50DC134899EA49AA3BE795D74F06A8909F02788DD8EE1F2A65ABC13ED7DE4EC3335E58EE9FB4802453C6295653AF1BB7
2025-10-20 12:51:11.259201 ike V=root:0:VPN_to_Sophos:10169: sent IKE msg (AUTH): 198.168.113.178:4500->xxx.xxx.27.101:4500, len=240, vrf=0, id=2a1dfb733594570c/5fda9b77bb78c8a4:00000001, oif=3 <---

Sophos peer replies to the FortiGate request, but it rejects the authentication message:

2025-10-20 12:51:11.268378 ike V=root:0: comes xxx.xxx.27.101:4500->198.168.113.178:4500,ifindex=3,vrf=0,len=84.... <---
2025-10-20 12:51:11.268410 ike V=root:0: IKEv2 exchange=AUTH_RESPONSE id=2a1dfb733594570c/5fda9b77bb78c8a4:00000001 len=80
2025-10-20 12:51:11.268417 ike 0: in 2A1DFB733594570C5FDA9B77BB78C8A42E202320000000010000005029000034F4895E0F27EE4DF4E717EE5849D6269DBB629590B804EA5BD2BE9A54CA45A3B4CBB0E3446017D0A327C4A71D7F961C7A
2025-10-20 12:51:11.268450 ike 0:VPN_to_Sophos:10169: dec 2A1DFB733594570C5FDA9B77BB78C8A42E2023200000000100000028290000040000000800000018
2025-10-20 12:51:11.268456 ike V=root:0:VPN_to_Sophos:10169: initiator received AUTH msg
2025-10-20 12:51:11.268460 ike V=root:0:VPN_to_Sophos:10169: received notify type AUTHENTICATION_FAILED <---

On the Sophos side, the error is visible in Log Viewer with the message 'Couldn't authenticate the remote gateway. Check the authentication settings on both devices (Remote: x.x.x.x)'. Here x.x.x.x is the public (NATed) IP of the FortiGate.

To fix this issue, set the IP of the FortiGate interface, '198.168.113.178', under Sophos VPN settings -> Remote Gateway -> Remote ID.
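As an added example (not part of the original article and not Fortinet or Sophos tooling), the following Python script scans FortiGate IKE debug output for the two symptoms discussed here and, when NAT was detected, reports the FortiGate interface IP seen in the 'sent IKE msg' line as the value to configure as Remote ID on the Sophos side. The sample lines are constructed from the debug above, with the masked Sophos address replaced by the documentation address 203.0.113.101 as a placeholder.

```python
import re

# Constructed sample: the relevant lines of the FortiGate IKE debug shown
# in this article, with hex payload dumps omitted and the peer address
# replaced by a placeholder (203.0.113.101).
SAMPLE_DEBUG = """\
2025-10-20 12:51:11.259104 ike V=root:0:VPN_to_Sophos:10169: initiator preparing AUTH msg
2025-10-20 12:51:11.259154 ike V=root:0:VPN_to_Sophos:10169: detected NAT
2025-10-20 12:51:11.259158 ike V=root:0:VPN_to_Sophos:10169: NAT-T float port 4500
2025-10-20 12:51:11.259201 ike V=root:0:VPN_to_Sophos:10169: sent IKE msg (AUTH): 198.168.113.178:4500->203.0.113.101:4500, len=240, vrf=0, id=2a1dfb733594570c/5fda9b77bb78c8a4:00000001, oif=3
2025-10-20 12:51:11.268456 ike V=root:0:VPN_to_Sophos:10169: initiator received AUTH msg
2025-10-20 12:51:11.268460 ike V=root:0:VPN_to_Sophos:10169: received notify type AUTHENTICATION_FAILED
"""

# Tunnel name sits between the VDOM index and the IKE SA serial: "0:<name>:10169:"
TUNNEL_RE = re.compile(r"\bike (?:V=\w+:)?\d+:([A-Za-z0-9_.-]+):\d+: ")
# "sent IKE msg (AUTH): <local>:<port>-><peer>:<port>" gives the pre-NAT source IP
SENT_RE = re.compile(r"sent IKE msg \((\w+)\): (\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
NOTIFY_RE = re.compile(r"received notify type ([A-Z_-]+)")
# Both failures in this article stem from an ID mismatch caused by NAT.
ID_FAILURES = {"AUTHENTICATION_FAILED", "INVALID-ID-INFORMATION"}


def diagnose_ike_debug(text: str) -> dict:
    """Summarise a FortiGate 'diagnose debug application ike' capture."""
    result = {"tunnel": None, "nat_detected": False, "local_ip": None,
              "peer_ip": None, "failure": None, "suggested_peer_remote_id": None}
    for line in text.splitlines():
        m = TUNNEL_RE.search(line)
        if m and result["tunnel"] is None:
            result["tunnel"] = m.group(1)
        if "detected NAT" in line:
            result["nat_detected"] = True
        m = SENT_RE.search(line)
        if m:
            result["local_ip"], result["peer_ip"] = m.group(2), m.group(3)
        m = NOTIFY_RE.search(line)
        if m:
            result["failure"] = m.group(1)
        if "INVALID-ID-INFORMATION" in line:
            result["failure"] = "INVALID-ID-INFORMATION"
    # The peer sees the NATed address as the IKE source, but the FortiGate
    # identifies itself with its interface IP; the peer's Remote ID must match it.
    if result["nat_detected"] and result["failure"] in ID_FAILURES and result["local_ip"]:
        result["suggested_peer_remote_id"] = result["local_ip"]
    return result


if __name__ == "__main__":
    for key, value in diagnose_ike_debug(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```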