---
title: "Sophos XG"
slug: "sophos-xg"
updated: 2026-04-07T09:05:20Z
published: 2026-04-07T09:05:20Z
canonical: "support.perimeter81.com/sophos-xg"
stale: true
---


# Sophos XG


## Introduction

This guide will lead you through the steps to establish a Site-to-Site VPN tunnel between your Check Point SASE network and the Sophos XG environment.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To follow this guide, ensure that:

1. You have an active Check Point SASE account with an existing network.
2. The Check Point SASE application is installed on your devices.
3. You have an operational Sophos XG setup with the necessary administrative privileges.

## Creating a Check Point SASE Site-to-Site Tunnel

1. Go to the Gateway in your network from which you want to create the tunnel to the Sophos Firewall.
2. Select the three-dotted menu (...) and select **Add Tunnel**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-02_at_5_53_13_PM.png)
3. Select **IPSec Site-2-Site Tunnel** and select **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.56.11%20PM.png)
4. Select **Single Tunnel** and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.57.33%20PM.png)
5. In the **General Settings** section, specify these:
  - **Name** - Set the name for this Site.
  - **Shared Secret** - Enter a shared secret or select **Generate**.
  - **Public IP** and **Remote ID** - Enter your Sophos Firewall Public WAN IP address. **Double NAT:** If the Sophos firewall is behind another router, enter the local LAN IP of the Sophos under **Remote ID** (for example 192.168.1.2).
  - In **Check Point SASE Gateway Proposal Subnets**, choose your **Check Point SASE Network Subnet**.
  - In **Remote Gateway Proposal Subnets**, enter your Sophos internal LAN subnet.
6. In the **Advanced Settings** section, specify these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Barracuda_General(5).PNG)
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Sophos_v2_512_2048.PNG)
  - **IKE Version:** V2 if the Firewall version supports it, V1 otherwise.
  - **IKE Lifetime:** 8h
  - **Tunnel Lifetime:** 1h
  - **Dead Peer Detection Delay:** 10s
  - **Dead Peer Detection Timeout:** 30s
  - **Phase 1**:
    - **Encryption (Phase 1):** aes256
    - **Integrity (Phase 1):** sha512
    - **Key Exchange Method:** modp2048
  - **Phase 2**:
    - **Encryption (Phase 2):** aes256
    - **Integrity (Phase 2):** sha512
    - **Key Exchange Method:** modp2048
7. Click **Add Tunnel**.

## Creating a Site-to-Site Tunnel in the Sophos XG Interface

1. First, open the Sophos XG interface and add a local and remote LAN:
  - Navigate to **Hosts and Services** > **IP Host** and select **Add** to create an object representing your Sophos local network subnet.   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/unnamed(1).png)
  - Go to **Hosts and Services** > **IP Host** and select **Add** to create an object representing the Check Point SASE LAN.   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/unnamed%20(1)(1).png)
2. Next, create an IPsec VPN connection.
  - Go to **VPN** > **IPsec Connections** and select **Wizard**.    
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(14).png)
  - Give it a name and description.   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(40).png)
  - Click **Start** to follow the wizard.   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(41).png)
  - Select **Site To Site** as a connection type and select **Head Office**.     
   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(43).png)
  - Set the **Authentication Type** to "preshared key".    
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(44).png)
  - In the **Local Subnet** field, choose the local LAN created earlier.   ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(45).png)
  - In the **Remote Subnet** field, choose the remote LAN created earlier.   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(46).png)
  - In the **User Authentication Mode** field, choose **Disabled**.
  - Review the IPsec connection summary and click **Finish**.
3. Click the **Status** (Active) to activate the connection.   
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(47).png)
4. Add two firewall rules allowing VPN traffic.
  - Go to **Firewall** and click **+Add Firewall Rule**.    
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(48).png)
  - Create two user/network rules as shown below.
    - The first rule should look like this:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(33).png)
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(34).png)
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(35).png)  
      Click **Save**.
    - The second rule should look like this:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(36).png)
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(37).png)
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(39).png)  
      Click **Save**.


## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
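
One way to make that review systematic, as an added example that is not Check Point or Sophos code: transcribe each side's settings by hand into a dictionary and compare them against each other and against the Advanced Settings values in this guide. The dictionary keys, function names and sample addresses are assumptions made for this example.

```python
import ipaddress

# Advanced Settings values from this guide; the dict keys are hypothetical names.
GUIDE = {"ike_lifetime": "8h", "tunnel_lifetime": "1h", "dpd_delay": "10s",
         "dpd_timeout": "30s", "p1_enc": "aes256", "p1_integ": "sha512",
         "p1_dh": "modp2048", "p2_enc": "aes256", "p2_integ": "sha512",
         "p2_dh": "modp2048"}

def nets(cidrs):
    """Parse CIDR strings so 10.0.0.0/24 and 10.0.0.0/255.255.255.0 compare equal."""
    return {ipaddress.ip_network(c) for c in cidrs}

def check_tunnel(sase, sophos):
    """Return a list of mismatches between the two hand-transcribed configs."""
    problems = []
    # IKE version, lifetimes, DPD and both proposals must agree on the two peers.
    for key in ("ike_version", *GUIDE):
        if sase.get(key) != sophos.get(key):
            problems.append(f"{key}: SASE={sase.get(key)} Sophos={sophos.get(key)}")
        elif key in GUIDE and sase.get(key) != GUIDE[key]:
            problems.append(f"{key}: both use {sase.get(key)}, guide says {GUIDE[key]}")
    # Each side's remote subnets must be exactly the other side's local subnets.
    if nets(sase["remote_subnets"]) != nets(sophos["local_subnets"]):
        problems.append("SASE remote subnets differ from Sophos local subnets")
    if nets(sase["local_subnets"]) != nets(sophos["remote_subnets"]):
        problems.append("Sophos remote subnets differ from SASE local subnets")
    # Overlapping address space on the two sites makes routing ambiguous.
    for a in sorted(nets(sase["local_subnets"])):
        for b in sorted(nets(sophos["local_subnets"])):
            if a.overlaps(b):
                problems.append(f"overlap: {a} and {b}")
    # Public IP field is the Sophos public WAN address; Remote ID is the same
    # address, or the Sophos's own LAN-side IP when it sits behind another router.
    if sase["peer_public_ip"] != sophos["public_ip"]:
        problems.append("Public IP field is not the Sophos public WAN address")
    expected_id = sophos["own_ip"] if sophos["behind_nat"] else sophos["public_ip"]
    if sase["remote_id"] != expected_id:
        problems.append(f"remote_id: SASE={sase['remote_id']} expected={expected_id}")
    return problems

# Constructed sample: Sophos behind another router, with a different Phase 2 group.
SASE = dict(GUIDE, ike_version="v2", local_subnets=["10.250.0.0/16"],
            remote_subnets=["192.168.10.0/24"], peer_public_ip="203.0.113.10",
            remote_id="203.0.113.10")
SOPHOS = dict(GUIDE, ike_version="v2", p2_dh="modp1024", behind_nat=True,
              local_subnets=["192.168.10.0/24"], remote_subnets=["10.250.0.0/16"],
              public_ip="203.0.113.10", own_ip="192.168.1.2")

if __name__ == "__main__":
    for problem in check_tunnel(SASE, SOPHOS):
        print(problem)
```

On the constructed sample it reports the Phase 2 key exchange mismatch and the Remote ID that should have been the Sophos LAN IP under double NAT.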

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
