FortiGate
tonylin1
Staff
Article Id 216197
Description

This article describes how to set up an IPsec VPN between a FortiGate and a Sophos firewall when the FortiGate sits behind NAT (its WAN interface has a private address that is source-NATed to a public address by an upstream device).

Scope

FortiGate.
Solution

Example of topology:

FortiGate (wan1) 1.1.1.1 <-> SNAT x.x.x.x <-> Internet <-> y.y.y.y Sophos

 

In this example the FortiGate wan1 interface has the private address 1.1.1.1, which an upstream device source-NATs to the public address x.x.x.x. Sophos uses the public address y.y.y.y. Sophos therefore sees IKE packets arriving from x.x.x.x, while the FortiGate itself only knows 1.1.1.1; this mismatch is the root of both troubleshooting cases below.

 

Note:

The pre-shared key (PSK) and the Phase 1 and Phase 2 proposals must be identical on FortiGate and Sophos. The steps below assume they already match.

 

FortiGate IPsec settings, Phase 1.

The FortiGate points at the Sophos public address (the tunnel name to_sophos is a placeholder):

config vpn ipsec phase1-interface
    edit "to_sophos"
        set interface "wan1"
        set remote-gw y.y.y.y
    next
end

 

Sophos IPsec settings, Phase 1.

The Sophos side points at the NATed public address of the FortiGate, not at 1.1.1.1:

Gateway address (remote): x.x.x.x

 

Troubleshooting on FortiGate.

Case 1: Phase 1 comes up but the tunnel does not, and the IKE debug (diagnose debug application ike -1) shows the keyword 'INVALID-ID-INFORMATION'. This notify is sent when a peer rejects the identities proposed in Phase 2 (quick mode), i.e. the two sides disagree on the tunnel's local and remote selectors.

Fix: enter 1.1.1.1 (the FortiGate's private wan1 address) in the 'VLAN ID (optional)' field on the Sophos side; the IPsec tunnel then comes up.

 

[Screenshot 2022-06-24 11:53:31 AM.png: Sophos IPsec connection settings]

 

Case 2: Phase 1 does not come up and the IKE debug shows 'received notify type AUTHENTICATION_FAILED'. Because the FortiGate is behind NAT, the IKE identity it sends is its wan1 address 1.1.1.1 (or the value of set localid, if configured), not the public address x.x.x.x from which Sophos receives the packets, so Sophos typically rejects the peer. Define the remote ID on Sophos so that it matches the identity the FortiGate actually sends, as shown below.

 

[Screenshot sophos.png: Sophos IPsec connection, remote ID setting]
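A complete FortiGate-side configuration for the topology above, covering the Phase 1 settings from the Solution section together with the explicit local ID that the AUTHENTICATION_FAILED case depends on. This is an added example and is not part of the original article. The tunnel name to_sophos, the LAN interface lan, the subnets 192.168.10.0/24 (behind FortiGate) and 192.168.20.0/24 (behind Sophos), and the proposal choices are assumptions; lines beginning with # are annotations, not FortiOS commands. The Sophos side must then use gateway address x.x.x.x, remote ID 1.1.1.1 (type IP address), and the same PSK, proposals and subnets.

```fortios
# Added example, not from the original article. Placeholders: to_sophos,
# lan, 192.168.10.0/24 (behind FortiGate), 192.168.20.0/24 (behind Sophos).
config vpn ipsec phase1-interface
    edit "to_sophos"
        set interface "wan1"
        set ike-version 1
        set mode main
        # wan1 (1.1.1.1) is source-NATed to x.x.x.x, so IKE/ESP must run
        # over UDP/4500 with NAT-T; keepalives keep the NAT mapping open.
        set nattraversal enable
        set keepalive 10
        set dpd on-demand
        set remote-gw y.y.y.y
        # Identity FortiGate presents in IKE. Without localid it still sends
        # the wan1 address 1.1.1.1 (never x.x.x.x); the Sophos Remote ID
        # must equal this value or Phase 1 ends in AUTHENTICATION_FAILED.
        set localid-type address
        set localid "1.1.1.1"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "<same PSK as configured on Sophos>"
    next
end

config vpn ipsec phase2-interface
    edit "to_sophos_p2"
        set phase1name "to_sophos"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        # Phase 2 selectors. These must mirror the local/remote subnets on
        # Sophos exactly, or quick mode fails with INVALID-ID-INFORMATION.
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to_sophos"
    next
end

# Policies in both directions; traffic does not flow without them.
config firewall policy
    edit 0
        set name "lan_to_sophos"
        set srcintf "lan"
        set dstintf "to_sophos"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "sophos_to_lan"
        set srcintf "to_sophos"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification and IKE debug; the notify strings quoted in the
# Troubleshooting section appear in this output. The log-filter syntax
# below is FortiOS 6.x; on 7.0+ use: diagnose vpn ike log filter rem-addr4 y.y.y.y
diagnose vpn ike log-filter dst-addr4 y.y.y.y
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway list
diagnose vpn tunnel list
diagnose debug disable
diagnose debug reset
```

In production, replace the "all" address objects in the two policies with address objects for the two subnets so the tunnel cannot be used as a path to anything else behind either firewall, and confirm with diagnose vpn ike gateway list that the negotiated NAT-T state shows the peer behind NAT before looking at Phase 2.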