Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Can't establish a IPSEC tunnel btw Sophos XG and Fortigate

Hello there.
I have doing some labs and until now I have achieved to make a Sophos-Sophos and Forti-Forti Ipsec tunnel. However I am trying to make a Sophos XG-Fortigate IPSEC tunnel but my tunnel does not wake up.

I have followed this guide and configure my tunnel according to it.

Can you help me to fix this?

Edited TAGs
[edited by: emmosophos at 5:00 PM (GMT -7) on 24 Jun 2024]
  • Hi @Luis Antonio Usquiano,

    On XG, check /log/charon.log (from CLI), if you see only below log if the IPsec tunnel is set to Initiator, most likely some configs need to be checked on Fortigate; even with single config missing on Fortigate, it will not respond to the packet from XG.

    sending packet: from <ip address of XG>[500] to <ip address of Fortigate>[500]

    On Fortigate, Your policy config(these are the packet forwarding rules) should look like below:

    Policy & Objects: IPv4 policy: 

    Incoming interface: LAN port of Fortigate where is configured.

    Outgoing interface: WAN port of Fortigate talking to XG

    Action: this should have IPSec option, once IPsec is chosen, you will be prompted to enter the tunnel name - chose the tunnel name; also turn ON 'Allow traffic to be initiated from remote side' option (this will serve as packet filtering policy from WAN to LAN side on Fortigate)

    To have IPsec option in the Action, Enable this on Fortigate:  From System : Feature Select : Additional Features : Policy-based IPsec VPN

  • I believe Authentication failure is due to the below misconfig:

    I am assuming Fortigate (Initiator) is behind ISP (NAT router),  packet from Fortigate is with ip - (this is the wan ip of Fortigate and also what you had configured on remote gw of SFOS) and Fortigate's internal ip ( is being used as an id during authentication, but since id is not configured on SFOS, it says 'no matching confing found'

    On SFOS' IPsec config, set 'Remote ID type' to 'IP address' + 'Remote ID' to

    Also, keep NAT traversal enabled in the IPsec config (under Network) of Fortiage (not a strict recommendation, but advised)

    On Fortigate, you don't have UI option to set id, this has to be set via cli, you don't have to use these commands, but giving it for reference

    All the below CLIs are on Fortigate.

    # config vpn ipsec phase1

    (phase1) # edit <tunnel name>

    (tunnel name) # set localid-type address

    #show vpn ipsec phase1 <tunnel name>  --> this will tell what all the config present for IPsec tunnel

Reply Children