Sophos XG
  • 29 Apr 2024
  • 2 Minutes to read
  • Contributors

    Sophos XG

      Article Summary


      This guide will lead you through the steps to establish a Site-to-Site VPN tunnel between your Harmony SASE network and the Sophos XG environment.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts


      To successfully follow this guide, ensure that:

      1. Ensure you have an active Harmony SASE account with an existing network.
      2. The Harmony SASE application should be installed on your devices.
      3. You have an operational Sophos XG setup with the necessary administrative privileges.

      Creating a Harmony SASE Site-to-Site Tunnel

      1. Go to the Gateway in your network from which you want to create the tunnel to the Sophos Firewall.
      2. Select the three-dotted menu (...) and select Add Tunnel.
      3. Select IPSec Site-2-Site Tunnel and select Continue.
      4. Select Single Tunnel, and Click Continue.
      5. Under General Settings, enter the following:
        • Name - Set the name for this Site.
        • Shared Secret - Input a shared secret or select Generate.
        • Public IP and Remote ID- Input your Sophos Firewall Public WAN IP address.
          Double NAT
          If the Sophos firewall is behind another router, please input the local LAN IP of the Sophos under Remote ID (for example,
        • In Harmony SASE Gateway Proposal Subnets Choose your Harmony SASE Network Subnet (By default:, in this screenshot:
        • In Remote Gateway Proposal Subnets, Input your Sophos internal LAN subnet.
      6. At the Advanced Settings section complete the following information:
        • IKE: Version 2 if the Firewall version supports it, IKEv1 otherwise. 
        • IKE Lifetime: 8h
        • Tunnel Lifetime: 1h
        • Dead Peer Detection Delay: 10s
        • Dead Peer Detection Timeout: 30s
        • Encryption (Phase 1): aes256
        • Encryption (Phase 2): aes256
        • Integrity (Phase 1): sha512
        • Integrity (Phase 2): sha512
        • Diffie Hellman Groups (Phase 1): 14
        • Diffie Hellman Groups (Phase 2): 14
      7. Click Add Tunnel.

      Creating a Site-to-Site Tunnel in the Sophos XG Interface

      1. First, open the Sophos XG interface and add a local and remote LAN:
        • Navigate to Hosts and Services > IP Host and select Add to create an object representing your Sophos local network subnet.
        • Go to Hosts and Services > IP Host and select Add to create an object representing Harmony SASE LAN.
      2. Now, we need to create an IPsec VPN connection.
        • Go to VPN > IPsec Connections and select Wizard
        • Give it a name and description.
        • Click Start to follow the wizard.
        • Select Site To Site as a connection type and select Head Office.  

        • Set the Authentication Type to "preshared key". 
        • In the Local Subnet field, choose the local LAN created earlier.   
        • In the Remote Subnet field, choose the remote LAN created earlier.
        • In the User Authentication Mode field, choose Disabled.
        • Review the IPsec connection summary and click Finish.
      3. Click the Status (Active) to activate the connection.
      4. Add two firewall rules allowing VPN traffic.
        • Go to Firewall and click +Add Firewall Rule
        • Create two user/network rules as shown below.
          • The first rule should look like this:

            Click Save.

          • The second rule should look like this:

            Click Save.

      Verifying the Setup

      After following the above steps, your tunnel should be active.
      To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.
      It should indicate that the tunnel is "Up", signifying a successful connection.
      Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.


      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at, or you can email us at We're here to assist you and ensure your VPN tunnel setup is a success.

      Was this article helpful?

      What's Next