How to config IPSec VPN Site-to-Site between Sophos and Fortinet with WAN IP as static IP

1. The purpose of the article

This article explains how to configure an IPSec Site-to-Site VPN between two firewall devices, a Sophos XG and a Fortinet FG.

2. Diagram

Details:

Site A:

  • An internet connection is attached through a media converter to port 5 of the Sophos XG 85 device, with a static WAN IP of 203.205.26.x.
  • The LAN network 172.16.0.0/20 is configured on port 1 of the Sophos XG 85 device.

Site B:

  • An internet connection is attached through a media converter to port WAN1 of the Fortinet FG 81E device, with a static WAN IP of 203.205.35.x.
  • The LAN network 192.168.1.0/24 is configured on port 1 of the Fortinet FG 81E device.

3. Configuration scenario

We will configure an IPSec Site-to-Site VPN between the Sophos XG 85 and Fortinet FG 81E devices so that the LAN networks of the two sites, 172.16.0.0/20 and 192.168.1.0/24, can communicate with each other.

4. What to do

Fortinet FG 81E:

  • Create VPN Tunnels
  • Create Static Route
  • Create Policy

Sophos XG 85:

  • Create subnet
  • Create IPSec Policies
  • Create IPSec Connection

Result

5. Configuration

5.1. Fortinet FG 81E

5.1.1. Create VPN Tunnels

To create VPN Tunnels go to VPN > IPSec Tunnels > click Create New.

The VPN Create Wizard panel appears. Enter the following configuration information:

  • Name: VPN_FG_2SOPHOS
  • Template type: select Custom.
  • Click Next

Configure the Network panel with the following parameters:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: enter the WAN IP of the Sophos XG 85 device, 203.205.26.x
  • Interface: select the WAN port of the Fortinet device used to establish the VPN connection; according to the diagram this is port WAN1
  • Local Gateway: turn off
  • Mode Config: uncheck
  • NAT Traversal: select Disable
  • Dead Peer Detection: select Disable

Authentication panel:

  • Method: select Pre-shared Key
  • Pre-shared Key: enter the password to establish the VPN connection (note that this password must be set the same on both Sophos and Fortinet devices).
  • IKE Version: 1
  • IKE Mode: Main(ID protection)

Phase 1 Proposal panel:

  • Encryption: AES256
  • Authentication: SHA256
  • Diffie-Hellman Group: select 14
  • Key Lifetime (seconds): 5400

XAUTH panel:

  • Type: select Disable

Phase 2 Selectors panel:

  • Local Address: Select Subnet and enter LAN network 192.168.1.0/24 of Fortinet.
  • Remote Address: Select Subnet and enter LAN network 172.16.0.0/20 of Sophos.
  • Click Advanced… to show Phase 2 Proposal.

Phase 2 Proposal panel:

  • Encryption: AES128
  • Authentication: SHA256
  • Enable Perfect Forward Secrecy: uncheck
  • Key Lifetime: select Seconds
  • Second: 3600

Click OK to create IPSec Tunnels.

5.1.2. Create Static Routes

We need a static route so that traffic destined for the Sophos LAN is sent through the VPN tunnel we just created instead of the default route.

To create it, go to Network > Static Routes and click Create New.

Configure according to the following parameters:

  • Destination: Enter the LAN network of the Sophos XG 85 device as 172.16.0.0/24.
  • Interface: select IPSec tunnels VPN_FG_2_SOPHOS just created.
  • Status: select Enable.
  • Click OK to Save.

5.1.3. Create Policy

We need to create a policy so that the VPN connection can access Fortinet’s LAN and vice versa.

To create the policy go to Policy & Objects > IPv4 Policy and click Create New.

Configure the policy that allows traffic from Fortinet’s LAN network to reach Sophos’s LAN network with the following parameters:

  • Name: VPN_FG_2_SOPHOS
  • Incoming Interface: VLAN-KH (the LAN 1 interface)
  • Outgoing Interface: Select VPN Tunnels VPN_FG_2_SOPHOS just created
  • Source: Select VLAN-KH address
  • Destination: Select VLAN_Sophos
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: Turn on and select All Session
  • Enable this policy: ON
  • Click OK to save

Configure the policy that allows traffic from Sophos’s LAN network to reach Fortinet’s LAN network with the following parameters:

  • Name: VPN_SOPHOS_2_FG
  • Incoming Interface: Select VPN Tunnels VPN_FG_2_SOPHOS just created
  • Outgoing Interface: VLAN-KH (the LAN 1 interface)
  • Source: Select VLAN_Sophos
  • Destination: Select VLAN-KH address
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: Turn on and select All Session
  • Enable this policy: ON
  • Click OK to save
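The same Fortinet-side configuration from sections 5.1.1 to 5.1.3, expressed as FortiOS CLI. This is an added example and not part of the original article. It assumes the WAN port is named wan1, that the address objects VLAN-KH and VLAN_Sophos referenced by the policies already exist, and uses `<PSK>` and 203.205.26.x as placeholders for the pre-shared key and the Sophos WAN IP. The static route and the Phase 2 remote selector both use the full /20 from the diagram (mask 255.255.240.0), because a route for only 172.16.0.0/24 would leave the rest of the Sophos LAN unreachable through the tunnel.

```fortios
# Added FortiOS CLI equivalent of sections 5.1.1-5.1.3 (not from the article).
# Assumptions: WAN port is "wan1"; address objects "VLAN-KH" and "VLAN_Sophos"
# already exist; <PSK> and 203.205.26.x are placeholders.

# 5.1.1 Phase 1: IKEv1 main mode, AES256/SHA256, DH group 14, lifetime 5400 s,
# NAT traversal and DPD disabled as in the article
config vpn ipsec phase1-interface
    edit "VPN_FG_2SOPHOS"
        set interface "wan1"
        set ike-version 1
        set mode main
        set mode-cfg disable
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 5400
        set nattraversal disable
        set dpd disable
        set remote-gw 203.205.26.x
        set psksecret <PSK>
    next
end

# 5.1.1 Phase 2: AES128/SHA256, PFS off, lifetime 3600 s,
# selectors are the two LAN networks (local Fortinet, remote Sophos)
config vpn ipsec phase2-interface
    edit "VPN_FG_2SOPHOS"
        set phase1name "VPN_FG_2SOPHOS"
        set proposal aes128-sha256
        set pfs disable
        set keylife-type seconds
        set keylifeseconds 3600
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.240.0
    next
end

# 5.1.2 Static route: send the whole Sophos LAN (/20) into the tunnel interface
config router static
    edit 0
        set dst 172.16.0.0 255.255.240.0
        set device "VPN_FG_2SOPHOS"
    next
end

# 5.1.3 Policies: one per direction, service ALL, all sessions logged
config firewall policy
    edit 0
        set name "VPN_FG_2_SOPHOS"
        set srcintf "VLAN-KH"
        set dstintf "VPN_FG_2SOPHOS"
        set srcaddr "VLAN-KH"
        set dstaddr "VLAN_Sophos"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VPN_SOPHOS_2_FG"
        set srcintf "VPN_FG_2SOPHOS"
        set dstintf "VLAN-KH"
        set srcaddr "VLAN_Sophos"
        set dstaddr "VLAN-KH"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Paste the blocks one at a time; `edit 0` lets FortiOS assign the next free ID for the route and for each policy. The Phase 1 and Phase 2 values must match the Sophos IPSec policy in section 5.2.2 exactly (AES256, SHA2 256, DH group 14, 5400 s; then AES128, SHA2 256, no PFS, 3600 s), and the selectors must mirror the Sophos local and remote subnets, otherwise negotiation fails with a proposal or selector mismatch.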

5.2. Sophos XG 85

5.2.1. Create subnet

We will create subnet objects for Sophos’s 172.16.0.0/24 LAN network and Fortinet’s 192.168.1.0/24 LAN network.

To create them, go to Hosts and services, click Add and enter the following information.

Subnet Sophos:

  • Name: LAN_Q9DQH_HEAD
  • IP Version: IPv4
  • Type: Network
  • IP address: 172.16.0.0 – Subnet: 255.255.240.0
  • Click Save

Subnet Fortinet:

  • Name: LAN_KH_FG
  • IP Version: IPv4
  • Type: Network
  • IP address: 192.168.1.0 – Subnet: 255.255.255.0
  • Click Save

5.2.2. Create IPSec Policies

To create IPSec Policies go to VPN > IPSec policies and click Add.

Configure according to the following parameters.

General Settings panel:

  • Name: VPN_SOPHOS_2_FG
  • Key exchange: IKEv1
  • Authentication mode: Main mode

Phase 1 panel:

  • Key life: 5400
  • Re-key margin: 360
  • Randomize re-keying margin by: 50
  • DH group (key group): 14 (DH2048)
  • Encryption: AES256
  • Authentication: SHA2 256

Phase 2 panel:

  • PFS group (DH group): None
  • Key life: 3600
  • Encryption: AES128
  • Authentication: SHA2 256

Dead Peer Detection panel:

  • Dead Peer Detection: check
  • Check peer after every: 30
  • Wait for response up to: 120
  • When peer unreachable: Re-initiate

Click Save.

5.2.3. Create IPSec Connection

To create the connection, go to VPN > IPSec Connection and click Add.

Configure according to the following parameters.

General settings panel:

  • Name: VPN_SOPHOS_2_FG
  • IP version: IPv4
  • Connection type: Site-to-site
  • Gateway type: Initiate the connection
  • Check Create firewall rule

Encryption panel:

  • Policy: select VPN_SOPHOS_2_FG
  • Authentication type: select Preshared key
  • Preshared key: enter the VPN connection password (note it must be the same as the Fortinet device side)
  • Repeat preshared key: re-enter the connection password

Gateway settings panel:

  • Listening interface: select Port5-203.205.26.x
  • Local Subnet: select subnet LAN_Q9DQH_Head just created.
  • Gateway address: enter IP WAN of Fortinet 203.205.35.x
  • Remote subnet: select subnet LAN_KH_FG

Click Save

5.3. Result

Going back to IPSec Connection, we see that the VPN connection we just created is not enabled yet.

Click the dot in the Active column and click OK to turn on the VPN connection; the dot then turns green.

After 2 to 3 seconds the dot in the Connection column also turns green, meaning the VPN connection between the Sophos and Fortinet devices has been established successfully.

Switching to Fortinet device, you can check whether the VPN connection is successful or not by going to Monitor > IPSec Monitor.

You should see that the VPN connection has been established and that the Incoming Data and Outgoing Data traffic is available.
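The same check from the FortiGate CLI, added here as an example that is not part of the original article; it assumes the tunnel name VPN_FG_2SOPHOS from section 5.1.1 and that the Sophos side, configured to initiate, has already tried to bring the tunnel up.

```fortios
# Added verification commands for the FortiGate CLI (not from the article).
# Assumes the tunnel is named VPN_FG_2SOPHOS.

# Overall tunnel state: the entry for VPN_FG_2SOPHOS should be listed as up
get vpn ipsec tunnel summary

# Phase 1 (IKE SA): should be established with peer 203.205.26.x
diagnose vpn ike gateway list name VPN_FG_2SOPHOS

# Phase 2 (IPsec SAs): should show the selectors 192.168.1.0/24 <-> 172.16.0.0/20
# and non-zero incoming/outgoing byte counters once traffic flows
diagnose vpn tunnel list name VPN_FG_2SOPHOS

# If the tunnel stays down: enable IKE debugging, re-trigger the connection from
# the Sophos side, read the negotiation log, then switch the debug off again
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

In the IKE debug output a Phase 1 or Phase 2 proposal mismatch (different cipher, hash, DH group or lifetime on the two sides) shows up as the peer rejecting the proposal, while a Phase 2 that fails after Phase 1 succeeds usually means the local/remote subnets on Sophos do not mirror the Phase 2 selectors on the FortiGate.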
