Site-to-Site VPN Sophos XG to FortiGate


I am trying to establish a site-to-site VPN between my main site running Sophos XG and a remote site running a FortiGate (behind a firewall).

Obviously, the remote site needs to be the one that "calls" the main site.

Both sides do not have static IP addresses and rely on dynamic DNS hostnames.

Whatever I do, I cannot get the tunnel established, although I have repeatedly checked that the settings are the same on each site.

Same encryption, same DH, etc.

Would love some help; if someone has screenshots to share, that would be awesome.

  • In reply to Avi Bar Ilan:

    Which Authentication method do you use? 

    Can you post some screenshots? 

  • In reply to LuCar Toni:


    Thank you for your response.

    I sort of managed to get the tunnel up.

    Out of the 4 subnets I included in the tunnel, only 1 gets a connection (screenshot attached).

    I have firewall rules that allow all 4 subnets on both sides.

    What am I missing?


  • In reply to Avi Bar Ilan:

    I would say something is not configured correctly on the Forti side.

  • In reply to LuCar Toni:

    It's definitely not a problem on the branch office FortiGate device, and I'll tell you why:

    Before switching the HQ FortiGate device for a Sophos device, we had a FortiGate device in the main office as well as in the branch office.

    We had a VPN tunnel working perfectly, with all subnets running just fine over the tunnel.

    When we switched to Sophos in the main office, we changed the VPN settings on the branch office device to match the ones on the Sophos device.

    So the only thing that has changed is the Sophos that replaced the FortiGate in the main office. Before that, the branch office device had a perfect VPN tunnel with the main office.

  • In reply to Avi Bar Ilan:

    I do not know how to configure a Forti, but as far as I can tell, the Forti is not properly using all SAs; instead it is using only one SA.

    If you check the charon.log on the CLI, you should see that the Forti is not building up the other SAs.

    Or try the GES MER in my signature to dig deeper.

  • In reply to LuCar Toni:



    Something doesn't make sense to me.

    Here is a screenshot of a tracert from the server in the branch office to one of the devices on the main office side (one of the VLANs that has a red indicator in the above screenshot).

    It clearly shows that the FortiGate is pushing the traffic out correctly.

    Seems like the traffic is lost on the Sophos side.

  • In reply to Avi Bar Ilan:

    But it is still not clear how the SAs are missing on the XG.

    I mean, you have to deploy an SA for each network pinning.

    If Fortinet uses other technologies to implement some kind of NAT, then you have to configure this properly.

    But at the moment, only 1 of 4 SAs is correctly published. Therefore XG will not push any traffic to those non-existing networks (because the SA and SPI are missing).

    We are using the SAs to publish the routes; therefore we need the correct SA.

  • In reply to Avi Bar Ilan:

    Hello, did you solve it? We had the same problem last weekend. The problem was in the FortiGate VPN phases: you should declare the networks that you need to be received by the FortiGate.

  • In reply to Avi Bar Ilan:

    Yes, I agree with some others: I assume the config of the FortiGate is wrong. The FortiGate-to-FortiGate IPsec connection can use some wildcard network connections and doesn't need to define every network in phase 2. If you define a phase 2 for all networks on the Sophos, this will probably work.

  • In reply to BeEf:

    In my own case, in the second phase of the Fortinet's VPN I declared all networks as permitted, so when we established the VPN from Sophos we saw that only one network came up; then we declared each network, for example. I hope that this helps you.
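The fix the last replies describe, as an added example that is not from the thread or from either vendor: a FortiOS CLI fragment showing the wildcard phase 2 (one SA for everything) next to the corrected form with one phase 2 per branch/HQ subnet pair, which is what the XG expects. Addresses, the phase 1 name "to-hq" and the proposal/DH group are constructed assumptions; they must match what is configured on the XG side.

```fortios
# Added example, not from the thread. Constructed values:
#   branch LAN 192.168.10.0/24, HQ VLANs 10.0.1.0/24 .. 10.0.4.0/24,
#   phase 1 "to-hq" already defined (DDNS peer, PSK and proposal matching the XG).

# Before: a single wildcard phase 2 -> only one SA is negotiated with the XG.
config vpn ipsec phase2-interface
    edit "to-hq-any"
        set phase1name "to-hq"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# After: one phase 2 (one SA, its own SPI pair) per branch/HQ subnet pair,
# mirroring the local/remote network pairs defined on the XG connection.
config vpn ipsec phase2-interface
    edit "to-hq-vlan1"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.1.0 255.255.255.0
    next
    edit "to-hq-vlan2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.2.0 255.255.255.0
    next
    edit "to-hq-vlan3"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.3.0 255.255.255.0
    next
    edit "to-hq-vlan4"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.4.0 255.255.255.0
    next
end
```

Because the branch has to initiate, adding `set auto-negotiate enable` to each phase 2 brings all four SAs up without waiting for matching traffic; `diagnose vpn tunnel list` on the FortiGate should then list four selector pairs, and the XG's charon.log should show four CHILD_SAs instead of one.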