June 19, 2026

Create a Site-to-Site VPN between Sophos and FortiGate

A step-by-step guide to building an IPsec IKEv2 Site-to-Site VPN tunnel between a Sophos XGS and a FortiGate firewall.

Introduction

Cross-vendor VPN tunnels are one of those tasks that look simple on paper but have plenty of room for silent misconfiguration. Sophos and FortiGate are both common in enterprise environments, and it’s not unusual to need a tunnel between them — whether you’re connecting a branch office, integrating with a partner network, or migrating between platforms.

IPsec IKEv2 is the standard we’ll use here. Both vendors support it well, but the terminology and UI differ enough that matching settings between them takes care. A mismatch in any Phase 1 or Phase 2 parameter will stop the tunnel from coming up, and the status page on either side will only tell you that it is down, not which parameter is wrong; for that you need the IKE debug output.

In this guide, we’ll walk through the full configuration on both firewalls — from IKE proposals to firewall policies — using the following example topology:

Type         Site A (FortiGate)    Site B (Sophos XGS)
LAN subnet   192.168.1.0/24        192.168.2.0/24
WAN IP       203.0.113.1           198.51.100.1

1. Shared IKE/IPsec Parameters

Before touching either firewall, lock down the parameters that must match on both sides. Any drift here and the tunnel will not come up.

IKE Version  : IKEv2
Auth Method  : Pre-Shared Key (PSK)

# Phase 1 (IKE SA)
Encryption   : AES-256
Integrity    : SHA-256
DH Group     : Group 14 (2048-bit)
Lifetime     : 28800 seconds (8 hours)

# Phase 2 (IPsec SA)
Encryption   : AES-256
Integrity    : SHA-256
PFS Group    : Group 14
Lifetime     : 3600 seconds (1 hour)

Generate a long random PSK (32 or more characters from a password manager’s generator) and keep it out of your notes app. A password manager entry is fine; a sticky note is not.

2. FortiGate Configuration

Phase 1

Go to VPN > IPsec Tunnels > Create New > IPsec Tunnel and choose the Custom template.

Name            : TO_SOPHOS
Remote Gateway  : Static IP — 198.51.100.1
Interface       : wan1
IKE Version     : 2
Auth Method     : Pre-shared Key
PSK             : <your-psk>

Encryption      : AES256
Authentication  : SHA256
DH Group        : 14
Lifetime        : 28800

Under Advanced, leave NAT Traversal enabled (the default). IKEv2 detects a NAT on the path during the first exchange and only switches ESP to UDP/4500 when one is actually present, so with two static public IPs and no NAT in between it costs nothing. Disabling it only buys you a broken tunnel if a NAT turns out to be in the path after all.

Phase 2

Still inside the same tunnel wizard, add a Phase 2 selector:

Name            : TO_SOPHOS_P2
Local Address   : 192.168.1.0/24
Remote Address  : 192.168.2.0/24

Encryption      : AES256
Authentication  : SHA256
Enable PFS      : Yes — DH Group 14
Keylifetime     : 3600

Static Route

Go to Network > Static Routes > Create New:

Destination : 192.168.2.0/24
Gateway     : (leave blank — tunnel interface routes handle this)
Interface   : TO_SOPHOS
Distance    : 10

Firewall Policies

You need two policies — one for each direction. Go to Policy & Objects > Firewall Policy:

Outbound (LAN → VPN):

Name            : LAN_TO_SOPHOS
Incoming        : internal (or your LAN interface)
Outgoing        : TO_SOPHOS
Source          : 192.168.1.0/24
Destination     : 192.168.2.0/24
Action          : ACCEPT
NAT             : Disabled

Inbound (VPN → LAN):

Name            : SOPHOS_TO_LAN
Incoming        : TO_SOPHOS
Outgoing        : internal
Source          : 192.168.2.0/24
Destination     : 192.168.1.0/24
Action          : ACCEPT
NAT             : Disabled

Note: make sure NAT is off on both policies. Depending on the FortiOS version, the GUI may switch it on by default for a new policy. A source-NATed packet no longer matches the Phase 2 selector (192.168.1.0/24 to 192.168.2.0/24), so it is either dropped before it enters the tunnel or rejected by the Sophos, and the symptom looks like a routing problem rather than a policy problem.

3. Sophos XGS Configuration

IPsec Connection

Go to Site-to-site VPN > IPsec > Add:

Name              : TO_FORTIGATE
Connection type   : Site-to-site
Gateway type      : Initiate the connection (Respond only also works, but then the FortiGate must initiate, which it does only on interesting traffic unless auto-negotiate is enabled on its Phase 2)
Authentication    : Preshared key
PSK               : <same psk>

Remote gateway    : 203.0.113.1
Local interface   : WAN (your external interface)

Under Encryption:

# Phase 1
Key exchange      : IKEv2
Encryption        : AES256
Authentication    : SHA2 256
DH group          : 14
SA lifetime       : 28800

# Phase 2
Encryption        : AES256
Authentication    : SHA2 256
PFS group         : 14
SA lifetime       : 3600

Under Local network and Remote network:

Local networks    : 192.168.2.0/24
Remote networks   : 192.168.1.0/24

Save and activate the connection.

Firewall Rules

Go to Rules and policies > Firewall rules. Add two rules:

Outbound (LAN Zone → VPN Zone):

Source zone       : LAN
Destination zone  : VPN
Source networks   : 192.168.2.0/24
Destination nets  : 192.168.1.0/24
Action            : Accept

Inbound (VPN Zone → LAN Zone):

Source zone       : VPN
Destination zone  : LAN
Source networks   : 192.168.1.0/24
Destination nets  : 192.168.2.0/24
Action            : Accept

Note: VPN is one of the predefined system zones on Sophos Firewall; traffic arriving through a site-to-site IPsec connection lands in it, so no zone assignment is needed. Both rules must exist before anything flows: the connection can show Active while pings still fail if the VPN to LAN rule is missing.

4. Verifying the Tunnel

FortiGate

From the CLI, bring up the tunnel and check its status:

# Bring up the tunnel manually (Phase 2 name first, then Phase 1 name)
diagnose vpn tunnel up TO_SOPHOS_P2 TO_SOPHOS

# Check the IKE SA (Phase 1)
diagnose vpn ike gateway list name TO_SOPHOS

# Check the IPsec SAs (Phase 2) and their selectors
diagnose vpn tunnel list name TO_SOPHOS

# Ping across the tunnel from the FortiGate itself, sourced from its LAN IP
execute ping-options source 192.168.1.1
execute ping 192.168.2.1

# If it stays down: filter IKE debug to this peer and watch the exchange
# (on FortiOS 7.4 and later the filter command is: diagnose vpn ike log filter rem-addr4 198.51.100.1)
diagnose vpn ike log-filter dst-addr4 198.51.100.1
diagnose debug application ike -1
diagnose debug enable

Healthy output from the gateway list shows status: established for the IKE SA with the remote peer at 198.51.100.1. In the tunnel list, sa=1 on the proxy ID line means the Phase 2 SA is installed (sa=0 means it is not), and the src/dst entries should match the selectors you configured. Run diagnose debug disable when you are done reading the IKE log.

Sophos

Go to Current activities > IPsec connections — the tunnel should show Active with a green indicator.

From the CLI (SSH into the Sophos, then choose 5. Device Management > 3. Advanced Shell):

# Show active IPsec SAs
ipsec statusall

# Ping across the tunnel
ping -I 192.168.2.1 192.168.1.1

Look for ESTABLISHED on the IKE SA line and INSTALLED on the child SA (Phase 2) line. If the IKE SA never reaches ESTABLISHED, the IKE log will show a NO_PROPOSAL_CHOSEN notify for a Phase 1 proposal mismatch or AUTHENTICATION_FAILED for a PSK mismatch. If the IKE SA is up but no child SA is INSTALLED, look for NO_PROPOSAL_CHOSEN in the IKE_AUTH or CREATE_CHILD_SA response (Phase 2 proposal or PFS group mismatch) or TS_UNACCEPTABLE (the local and remote networks on the two sides do not mirror each other).

Summary

By following this guide:

  1. You have matching IKEv2 Phase 1 and Phase 2 proposals on both firewalls — the most common point of failure.
  2. You have bidirectional firewall policies on both sides with NAT disabled.
  3. You know the CLI commands to verify each SA independently, which cuts down troubleshooting time significantly.