VPN - Site-to-Site Sophos XG v18x - Fritzbox v7.2x

Question

Moin, f&uuml;r alle, die noch eine funktionierende Konfiguration zur VPN-Verbindung zwischen Sophos XG (SFOS 18.0.5 MR-5) und einer Fritzbox (v7.2x) suchen und bisher keine lauff&auml;hige L&ouml;sung gefunden haben. Hier wurde die Verbindung zwischen einer XG-115 und einer Fritzbox 6490 Cable realisiert, diese l&auml;uft bisher einwandfrei. Konfiguration Fritzbox v7.2x 
 Datei aus den folgenden Eintr&auml;gen erstellen, bearbeiten, dann Import in Fritzbox (unter Internet/Freigaben/VPN/VPN-Verbindung hinzuf&uuml;gen/aus Einstellungsdatei): vpncfg { connections { enabled = yes; conn_type = conntype_lan; name = " Name der Verbindung "; always_renew = no; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 10.10.10.10 ; remote_virtualip = 0.0.0.0; localid { ipaddr = 20.20.20.20 ; } remoteid { ipaddr = 10.10.10.10 ; } mode = phase1_mode_idp; phase1ss = "dh14/aes/sha"; keytype = connkeytype_pre_shared; key = " Eigener Pre-Shared Key "; cert_do_server_auth = no; use_nat_t = no; use_xauth = no; use_cfgmode = no; phase2localid { ipnet { ipaddr = 192.168.1.0 ; mask = 255.255.255.0 ; } } phase2remoteid { ipnet { ipaddr = 192.168.2.0 ; mask = 255.255.255.0 ; } } phase2ss = "esp-all-all/ah-none/comp-all/pfs"; accesslist = "permit ip any 192.168.2.0 255.255.255.0 "; } ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; } 
 Die rot markierten Eintr&auml;ge gegen die eigenen austauschen . 
 
 Konfiguration Sophos XG v18.0.5 MR5: 1. Policy: General settings: Name: Eigene Policy-Bezeichnung Key negotiation tries: 0 Key exchange: IKEv1 Authentication mode: Main mode Re-key connection: ja Pass data in compressed format: nein Phase 1: Key life: 3600 Re-key margin: 360 Randomize re-keying margin by: 50 DH group (key group): 14 (DH2048) Encryption: AES256 Authentication: SHA2 512 Phase 2: PFS group (DH group): Same as phase-1 Key life: 3600 Encryption: AES256 Authentication: SHA2 512 Dead Peer Detection: nein 2. IPsec Connections: General settings: Name: Eigene IPsec-Bezeichnung Connection Type: Site-to-Site Gateway type: Respond only (oder Initiate the Connection) Encryption: Policy: Policyname Authentication type: Preshared key -> Key der Gegenseite verwenden Gateway settings: Listening interface: Port des angeschlossenen DSL-Modem s Gateway address: Eigene &ouml;ffentliche IP-Adresse Local ID type: IP address Remote ID type: IP address Local ID: Eigene &ouml;ffentliche IP-Adresse Remote ID: &ouml;ffentliche IP-Adresse der Gegenseite Local subnet: Eigenes Netzwerk Remote subnet: Netzwerk der Gegenseite 
 Die blauen Eintr&auml;ge in der Sophos XG ausw&auml;hlen bzw. mit eigenen Werten erg&auml;nzen. 
 Sichern und Tunnel aufbauen. Bei mir funktioniert's. &Uuml;rigens: Zur Diagnose hat mir dieser Konsolenbefehl weitergeholfen: Login to SSH > 5. Device Management > 3. Advanced Shell 18.0.5 MR-5# tail -f /log/strongswan.log 
 Viel Erfolg! 
 Gru&szlig; Gerd

emmosophos · Answer

Hello Gerd, 
 Thank you for your contribution to the Sophos Community. 
 I have translated your post to English below: 
 for all those who are still looking for a working configuration for the VPN connection between Sophos XG (SFOS 18.0.5 MR-5) and a Fritzbox (v7.2x) and have not yet found a working solution. Here the connection between an XG-115 and a Fritzbox 6490 Cable was implemented, this has been working perfectly so far. Configuration Fritzbox v7.2x 
 Create a file from the following entries, edit it, then import it into Fritzbox (under Internet / Shares / VPN / VPN connection add / from settings file ): vpncfg { connections { enabled = yes; conn_type = conntype_lan; name = " Name of the connection "; always_renew = no; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 10.10.10.10 ; remote_virtualip = 0.0.0.0; localid { ipaddr = 20.20.20.20 ; } remoteid { ipaddr = 10.10.10.10 ; } mode = phase1_mode_idp; phase1ss = "dh14 / aes / sha"; keytype = connkeytype_pre_shared; key = " Own pre-shared key "; cert_do_server_auth = no; use_nat_t = no; use_xauth = no; use_cfgmode = no; phase2localid { ipnet { ipaddr = 192.168.1.0 ; mask = 255.255.255.0 ; } } phase2remoteid { ipnet { ipaddr = 192.168.2.0 ; mask = 255.255.255.0 ; } } phase2ss = "esp-all-all / ah-none / comp-all / pfs"; accesslist = "permit ip any 192.168.55.0 255.255.255.0"; } ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; } 
 Replace the entries marked in red with your own . 
 
 Configuration of Sophos XG v18.0.5 MR5: 1. Policy: General settings: Name: Own policy name Key negotiation tries: 0 Key exchange: IKEv1 Authentication mode: Main mode Re-key connection: yes Pass data in compressed format: no Phase 1 : Key life: 3600 Re-key margin: 360 Randomize re-keying margin by: 50 DH group (key group): 14 (DH2048) Encryption: AES256 Authentication: SHA2 512 Phase 2: PFS group (DH group): Same as phase -1 Key life: 3600 Encryption: AES256 Authentication: SHA2 512 Dead Peer Detection: no 2.IPsec Connections: General settings: Name: Own IPsec designation Connection Type: Site-to-Site Gateway type: Respond only (or Initiate the Connection) Encryption: Policy: Policy name Authentication type: pre-shared key -> Key of the other side using gateway settings: Listening interface: port of the connected DSL modem 's gateway address: own public IP address Local ID type: IP address Remote ID type: IP address Local ID: Own public IP address Remote ID: Public IP address of the other side Local subnet: Own network Remote subnet: Network of the other side 
 Select the blue entries in the Sophos XG or add your own values. 
 Secure and build tunnels. It works for me. By the way: This console command helped me with the diagnosis: Login to SSH> 5. Device Management> 3. Advanced Shell 18.0.5 MR-5 # tail -f /log/strongswan.log 
 Regards,

VPN - Site-to-Site Sophos XG v18x - Fritzbox v7.2x

Top Replies