Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VPN - Site-to-Site Sophos XG v18x - Fritzbox v7.2x

Moin,

für alle, die noch eine funktionierende Konfiguration zur VPN-Verbindung zwischen Sophos XG (SFOS 18.0.5 MR-5) und einer Fritzbox (v7.2x) suchen und bisher keine lauffähige Lösung gefunden haben. Hier wurde die Verbindung zwischen einer XG-115 und einer Fritzbox 6490 Cable realisiert, diese läuft bisher einwandfrei.

Konfiguration Fritzbox v7.2x

Datei aus den folgenden Einträgen erstellen, bearbeiten, dann Import in Fritzbox (unter Internet/Freigaben/VPN/VPN-Verbindung hinzufügen/aus Einstellungsdatei):

vpncfg {
connections {
enabled = yes;
conn_type = conntype_lan;
name = "Name der Verbindung";
always_renew = no;
reject_not_encrypted = no;
dont_filter_netbios = yes;
localip = 0.0.0.0;
local_virtualip = 0.0.0.0;
remoteip = 10.10.10.10;
remote_virtualip = 0.0.0.0;
localid {
ipaddr = 20.20.20.20;
}
remoteid {
ipaddr = 10.10.10.10;
}
mode = phase1_mode_idp;
phase1ss = "dh14/aes/sha";
keytype = connkeytype_pre_shared;
key = "Eigener Pre-Shared Key";
cert_do_server_auth = no;
use_nat_t = no;
use_xauth = no;
use_cfgmode = no;
phase2localid {
ipnet {
ipaddr = 192.168.1.0;
mask = 255.255.255.0;
}
}
phase2remoteid {
ipnet {
ipaddr = 192.168.2.0;
mask = 255.255.255.0;
}
}
phase2ss = "esp-all-all/ah-none/comp-all/pfs";
accesslist = "permit ip any 192.168.2.0 255.255.255.0";
}
ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
"udp 0.0.0.0:4500 0.0.0.0:4500";
}

Die rot markierten Einträge gegen die eigenen austauschen.

Konfiguration Sophos XG v18.0.5 MR5:

1. Policy:

General settings:
Name: Eigene Policy-Bezeichnung
Key negotiation tries: 0
Key exchange: IKEv1
Authentication mode: Main mode
Re-key connection: ja
Pass data in compressed format: nein

Phase 1:
Key life: 3600
Re-key margin: 360
Randomize re-keying margin by: 50
DH group (key group): 14 (DH2048)
Encryption: AES256
Authentication: SHA2 512

Phase 2:
PFS group (DH group): Same as phase-1
Key life: 3600
Encryption: AES256
Authentication: SHA2 512
Dead Peer Detection: nein

2. IPsec Connections:

General settings:
Name: Eigene IPsec-Bezeichnung
Connection Type: Site-to-Site
Gateway type: Respond only (oder Initiate the Connection)

Encryption:
Policy: Policyname
Authentication type: Preshared key -> Key der Gegenseite verwenden

Gateway settings:
Listening interface: Port des angeschlossenen DSL-Modems
Gateway address: Eigene öffentliche IP-Adresse
Local ID type: IP address
Remote ID type: IP address
Local ID: Eigene öffentliche IP-Adresse
Remote ID: öffentliche IP-Adresse der Gegenseite
Local subnet: Eigenes Netzwerk
Remote subnet: Netzwerk der Gegenseite

Die blauen Einträge in der Sophos XG auswählen bzw. mit eigenen Werten ergänzen.


Sichern und Tunnel aufbauen. Bei mir funktioniert's.

Ürigens: Zur Diagnose hat mir dieser Konsolenbefehl weitergeholfen:

Login to SSH > 5. Device Management > 3. Advanced Shell
18.0.5 MR-5# tail -f /log/strongswan.log

Viel Erfolg!

Gruß Gerd



This thread was automatically locked due to age.
Parents
  • Hello Gerd,

    Thank you for your contribution to the Sophos Community.

    I have translated your post to English below:

    for all those who are still looking for a working configuration for the VPN connection between Sophos XG (SFOS 18.0.5 MR-5) and a Fritzbox (v7.2x) and have not yet found a working solution. Here the connection between an XG-115 and a Fritzbox 6490 Cable was implemented, this has been working perfectly so far.

    Configuration Fritzbox v7.2x

    Create a file from the following entries, edit it, then import it into Fritzbox (under Internet / Shares / VPN / VPN connection add / from settings

    file ): vpncfg {
    connections {
    enabled = yes;
    conn_type = conntype_lan;
    name = " Name of the connection ";
    always_renew = no;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 10.10.10.10 ;
    remote_virtualip = 0.0.0.0;
    localid {
    ipaddr = 20.20.20.20 ;
    }
    remoteid {
    ipaddr = 10.10.10.10 ;
    }
    mode = phase1_mode_idp;
    phase1ss = "dh14 / aes / sha";
    keytype = connkeytype_pre_shared;
    key = " Own pre-shared key ";
    cert_do_server_auth = no;
    use_nat_t = no;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
    ipnet {
    ipaddr = 192.168.1.0 ;
    mask = 255.255.255.0 ;
    }
    }
    phase2remoteid {
    ipnet {
    ipaddr = 192.168.2.0 ;
    mask = 255.255.255.0 ;
    }
    }
    phase2ss = "esp-all-all / ah-none / comp-all / pfs";
    accesslist = "permit ip any 192.168.55.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
    "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    Replace the entries marked in red with your own .

    Configuration of Sophos XG v18.0.5 MR5:

    1. Policy:

    General settings:
    Name: Own policy name
    Key negotiation tries: 0
    Key exchange: IKEv1
    Authentication mode: Main mode
    Re-key connection: yes
    Pass data in compressed format: no

    Phase 1 :
    Key life: 3600
    Re-key margin: 360
    Randomize re-keying margin by: 50
    DH group (key group): 14 (DH2048)
    Encryption: AES256
    Authentication: SHA2 512

    Phase 2:
    PFS group (DH group): Same as phase -1
    Key life:3600
    Encryption: AES256
    Authentication: SHA2 512
    Dead Peer Detection: no 2.IPsec

    Connections:

    General settings:
    Name: Own IPsec designation
    Connection Type: Site-to-Site
    Gateway type: Respond only (or Initiate the Connection)

    Encryption:
    Policy: Policy name
    Authentication type: pre-shared key -> Key of the other side using

    gateway settings:
    Listening interface: port of the connected DSL modem 's
    gateway address: own public IP address
    Local ID type:IP address
    Remote ID type: IP address
    Local ID: Own public IP address
    Remote ID: Public IP address of the other side
    Local subnet: Own network
    Remote subnet: Network of the other side

    Select the blue entries in the Sophos XG or add your own values.


    Secure and build tunnels. It works for me.

    By the way: This console command helped me with the diagnosis:

    Login to SSH> 5. Device Management> 3. Advanced Shell
    18.0.5 MR-5 # tail -f /log/strongswan.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello Gerd,

    Thank you for your contribution to the Sophos Community.

    I have translated your post to English below:

    for all those who are still looking for a working configuration for the VPN connection between Sophos XG (SFOS 18.0.5 MR-5) and a Fritzbox (v7.2x) and have not yet found a working solution. Here the connection between an XG-115 and a Fritzbox 6490 Cable was implemented, this has been working perfectly so far.

    Configuration Fritzbox v7.2x

    Create a file from the following entries, edit it, then import it into Fritzbox (under Internet / Shares / VPN / VPN connection add / from settings

    file ): vpncfg {
    connections {
    enabled = yes;
    conn_type = conntype_lan;
    name = " Name of the connection ";
    always_renew = no;
    reject_not_encrypted = no;
    dont_filter_netbios = yes;
    localip = 0.0.0.0;
    local_virtualip = 0.0.0.0;
    remoteip = 10.10.10.10 ;
    remote_virtualip = 0.0.0.0;
    localid {
    ipaddr = 20.20.20.20 ;
    }
    remoteid {
    ipaddr = 10.10.10.10 ;
    }
    mode = phase1_mode_idp;
    phase1ss = "dh14 / aes / sha";
    keytype = connkeytype_pre_shared;
    key = " Own pre-shared key ";
    cert_do_server_auth = no;
    use_nat_t = no;
    use_xauth = no;
    use_cfgmode = no;
    phase2localid {
    ipnet {
    ipaddr = 192.168.1.0 ;
    mask = 255.255.255.0 ;
    }
    }
    phase2remoteid {
    ipnet {
    ipaddr = 192.168.2.0 ;
    mask = 255.255.255.0 ;
    }
    }
    phase2ss = "esp-all-all / ah-none / comp-all / pfs";
    accesslist = "permit ip any 192.168.55.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
    "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    Replace the entries marked in red with your own .

    Configuration of Sophos XG v18.0.5 MR5:

    1. Policy:

    General settings:
    Name: Own policy name
    Key negotiation tries: 0
    Key exchange: IKEv1
    Authentication mode: Main mode
    Re-key connection: yes
    Pass data in compressed format: no

    Phase 1 :
    Key life: 3600
    Re-key margin: 360
    Randomize re-keying margin by: 50
    DH group (key group): 14 (DH2048)
    Encryption: AES256
    Authentication: SHA2 512

    Phase 2:
    PFS group (DH group): Same as phase -1
    Key life:3600
    Encryption: AES256
    Authentication: SHA2 512
    Dead Peer Detection: no 2.IPsec

    Connections:

    General settings:
    Name: Own IPsec designation
    Connection Type: Site-to-Site
    Gateway type: Respond only (or Initiate the Connection)

    Encryption:
    Policy: Policy name
    Authentication type: pre-shared key -> Key of the other side using

    gateway settings:
    Listening interface: port of the connected DSL modem 's
    gateway address: own public IP address
    Local ID type:IP address
    Remote ID type: IP address
    Local ID: Own public IP address
    Remote ID: Public IP address of the other side
    Local subnet: Own network
    Remote subnet: Network of the other side

    Select the blue entries in the Sophos XG or add your own values.


    Secure and build tunnels. It works for me.

    By the way: This console command helped me with the diagnosis:

    Login to SSH> 5. Device Management> 3. Advanced Shell
    18.0.5 MR-5 # tail -f /log/strongswan.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children
No Data