VPN - Site-to-Site Sophos XG v18x - Fritzbox v7.2x

Hi,

For everyone still looking for a working configuration for a VPN connection between a Sophos XG (SFOS 18.0.5 MR-5) and a Fritzbox (v7.2x) who has not found a usable solution so far: here the connection was set up between an XG-115 and a Fritzbox 6490 Cable, and it has been running flawlessly so far.

Konfiguration Fritzbox v7.2x

Create a file from the following entries, edit it, then import it into the Fritzbox (under Internet / Permit Access / VPN / Add VPN connection / from settings file):

vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "Name der Verbindung";
        always_renew = no;
        reject_not_encrypted = no;
        dont_filter_netbios = yes;
        localip = 0.0.0.0;
        local_virtualip = 0.0.0.0;
        remoteip = 10.10.10.10;
        remote_virtualip = 0.0.0.0;
        localid {
            ipaddr = 20.20.20.20;
        }
        remoteid {
            ipaddr = 10.10.10.10;
        }
        mode = phase1_mode_idp;
        phase1ss = "dh14/aes/sha";
        keytype = connkeytype_pre_shared;
        key = "Eigener Pre-Shared Key";
        cert_do_server_auth = no;
        use_nat_t = no;
        use_xauth = no;
        use_cfgmode = no;
        phase2localid {
            ipnet {
                ipaddr = 192.168.1.0;
                mask = 255.255.255.0;
            }
        }
        phase2remoteid {
            ipnet {
                ipaddr = 192.168.2.0;
                mask = 255.255.255.0;
            }
        }
        phase2ss = "esp-all-all/ah-none/comp-all/pfs";
        accesslist = "permit ip any 192.168.2.0 255.255.255.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}

Replace the entries marked in red with your own.

Configuration Sophos XG v18.0.5 MR5:

1. Policy:

General settings:
Name: Own policy name
Key negotiation tries: 0
Key exchange: IKEv1
Authentication mode: Main mode
Re-key connection: yes
Pass data in compressed format: no

Phase 1:
Key life: 3600
Re-key margin: 360
Randomize re-keying margin by: 50
DH group (key group): 14 (DH2048)
Encryption: AES256
Authentication: SHA2 512

Phase 2:
PFS group (DH group): Same as phase-1
Key life: 3600
Encryption: AES256
Authentication: SHA2 512
Dead Peer Detection: no

2. IPsec Connections:

General settings:
Name: Own IPsec connection name
Connection Type: Site-to-Site
Gateway type: Respond only (or Initiate the Connection)

Encryption:
Policy: Policy name
Authentication type: Preshared key -> use the key of the other side

Gateway settings:
Listening interface: port of the connected DSL modem
Gateway address: own public IP address
Local ID type: IP address
Remote ID type: IP address
Local ID: own public IP address
Remote ID: public IP address of the other side
Local subnet: own network
Remote subnet: network of the other side

Select the blue entries in the Sophos XG or fill in your own values.


Save and bring up the tunnel. Works for me.

By the way: this console command helped me with diagnosis:

Login to SSH > 5. Device Management > 3. Advanced Shell
18.0.5 MR-5# tail -f /log/strongswan.log

Good luck!

Regards, Gerd
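As an added example (not part of Gerd's post, and not tooling from AVM or Sophos): a small Python parser for the Fritzbox vpncfg format above, plus a check that the entries which have to agree actually do (remoteip vs. remoteid, the accesslist subnet vs. phase2remoteid, the dh group in phase1ss vs. the DH group chosen in the XG policy). The sample text is constructed from the placeholder addresses in the post; the function names are my own.

```python
import ipaddress, re
# Constructed sample in the Fritzbox vpncfg format (placeholder addresses from the post).
SAMPLE = """vpncfg {
  connections {
    remoteip = 10.10.10.10;
    remoteid { ipaddr = 10.10.10.10; }
    phase1ss = "dh14/aes/sha";
    phase2remoteid { ipnet { ipaddr = 192.168.2.0; mask = 255.255.255.0; } }
    phase2ss = "esp-all-all/ah-none/comp-all/pfs";
    accesslist = "permit ip any 192.168.2.0 255.255.255.0";
  }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}"""
TOKEN = re.compile(r'"[^"]*"|[{}=;,]|[^\s{}=;,"]+')

def parse(text):
    """Parse the brace / 'key = v1, v2;' format into nested dicts (comma lists become lists)."""
    toks, pos = TOKEN.findall(text), 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(toks) and toks[pos] != "}":
            key, pos = toks[pos], pos + 1
            if toks[pos] == "{":                  # nested block: key { ... }
                pos += 1
                out[key] = block()
                pos += 1                          # consume the closing "}"
            else:                                 # assignment: key = v1, v2 ;
                pos += 1                          # consume "="
                vals = []
                while toks[pos] != ";":
                    if toks[pos] != ",":
                        vals.append(toks[pos].strip('"'))
                    pos += 1
                pos += 1                          # consume ";"
                out[key] = vals[0] if len(vals) == 1 else vals
        return out
    return block()
def check(cfg, xg_dh_group=14):
    """Cross-check the Fritzbox side against itself and the XG policy; [] means consistent."""
    c, issues = cfg["vpncfg"]["connections"], []
    if c["remoteip"] != c["remoteid"]["ipaddr"]:
        issues.append("remoteip differs from remoteid.ipaddr")
    net, mask = c["accesslist"].split()[-2:]      # "permit ip any <net> <mask>"
    p2 = c["phase2remoteid"]["ipnet"]
    if ipaddress.ip_network(f"{net}/{mask}") != ipaddress.ip_network(f"{p2['ipaddr']}/{p2['mask']}"):
        issues.append("accesslist subnet does not match phase2remoteid")
    if int(c["phase1ss"].split("/")[0][2:]) != xg_dh_group:   # "dh14" -> 14
        issues.append("phase1ss DH group differs from the XG policy's DH group")
    return issues
```

Run check() on your own exported vpncfg before importing it; the XG side's DH group is passed in because that value is set in the XG policy, not in the file.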



  • Hello Gerd,

    Thank you for your contribution to the Sophos Community.

    I have translated your post to English below:

    for all those who are still looking for a working configuration for the VPN connection between Sophos XG (SFOS 18.0.5 MR-5) and a Fritzbox (v7.2x) and have not yet found a working solution. Here the connection between an XG-115 and a Fritzbox 6490 Cable was implemented, this has been working perfectly so far.

    Configuration Fritzbox v7.2x

    Create a file from the following entries, edit it, then import it into Fritzbox (under Internet / Shares / VPN / VPN connection add / from settings file):

    vpncfg {
        connections {
            enabled = yes;
            conn_type = conntype_lan;
            name = "Name of the connection";
            always_renew = no;
            reject_not_encrypted = no;
            dont_filter_netbios = yes;
            localip = 0.0.0.0;
            local_virtualip = 0.0.0.0;
            remoteip = 10.10.10.10;
            remote_virtualip = 0.0.0.0;
            localid {
                ipaddr = 20.20.20.20;
            }
            remoteid {
                ipaddr = 10.10.10.10;
            }
            mode = phase1_mode_idp;
            phase1ss = "dh14/aes/sha";
            keytype = connkeytype_pre_shared;
            key = "Own pre-shared key";
            cert_do_server_auth = no;
            use_nat_t = no;
            use_xauth = no;
            use_cfgmode = no;
            phase2localid {
                ipnet {
                    ipaddr = 192.168.1.0;
                    mask = 255.255.255.0;
                }
            }
            phase2remoteid {
                ipnet {
                    ipaddr = 192.168.2.0;
                    mask = 255.255.255.0;
                }
            }
            phase2ss = "esp-all-all/ah-none/comp-all/pfs";
            accesslist = "permit ip any 192.168.2.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    Replace the entries marked in red with your own .

    Configuration of Sophos XG v18.0.5 MR5:

    1. Policy:

    General settings:
    Name: Own policy name
    Key negotiation tries: 0
    Key exchange: IKEv1
    Authentication mode: Main mode
    Re-key connection: yes
    Pass data in compressed format: no

    Phase 1 :
    Key life: 3600
    Re-key margin: 360
    Randomize re-keying margin by: 50
    DH group (key group): 14 (DH2048)
    Encryption: AES256
    Authentication: SHA2 512

    Phase 2:
    PFS group (DH group): Same as phase-1
    Key life: 3600
    Encryption: AES256
    Authentication: SHA2 512
    Dead Peer Detection: no

    2. IPsec Connections:

    General settings:
    Name: Own IPsec designation
    Connection Type: Site-to-Site
    Gateway type: Respond only (or Initiate the Connection)

    Encryption:
    Policy: Policy name
    Authentication type: Preshared key -> use the key of the other side

    Gateway settings:
    Listening interface: port of the connected DSL modem
    Gateway address: own public IP address
    Local ID type: IP address
    Remote ID type: IP address
    Local ID: Own public IP address
    Remote ID: Public IP address of the other side
    Local subnet: Own network
    Remote subnet: Network of the other side

    Select the blue entries in the Sophos XG or add your own values.


    Secure and build tunnels. It works for me.

    By the way: This console command helped me with the diagnosis:

    Login to SSH > 5. Device Management > 3. Advanced Shell
    18.0.5 MR-5# tail -f /log/strongswan.log

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support