Instructions for configuring an IPSec VPN Site-to-Site between Sophos and Draytek when both WAN IPs are static

1. The purpose of the article

This article shows how to configure an IPSec VPN Site-to-Site between a Sophos XG firewall and a Draytek Vigor2925 router.

2. Diagram

Details:

Site A:

  • The internet connection is on port 5 of the Sophos XG 85, with a static WAN IP of 203.205.26.x, via a media converter.
  • The LAN subnet 172.16.0.0/20 is configured on port 1 of the Sophos XG 85.

Site B:

  • The internet connection is on WAN port 1 of the Draytek Vigor2925, with a static WAN IP of 113.190.242.x, via a media converter.
  • The LAN subnet 192.168.4.0/24 is configured on port 5 of the Draytek Vigor2925.

3. Scenario

We will configure an IPSec VPN Site-to-Site between the Sophos XG 85 and the Draytek Vigor2925 so that the LAN subnets of the two sites, 172.16.0.0/20 and 192.168.4.0/24, can reach each other.

4. Configuration steps

On Draytek Vigor2925:

  • Configure Common Settings.
  • Configure Dial-In Settings.
  • Configure TCP/IP Network Settings.

On the Sophos XG 85 device:

  • Create subnet
  • Create IPSec Policies
  • Create IPSec Connection

Result

5. Configuration

5.1 On Draytek Vigor2925

To create a VPN connection on the Draytek, log in to the admin page, then go to VPN and Remote Access > LAN to LAN.

Click on any free Index to create the profile; here I click on Index 1.

The Profile Index page appears; we will configure the Common Settings, Dial-In Settings and TCP/IP Network Settings sections.

5.1.1 Configure Common Settings

In this section we will configure the following parameters:

  • Profile Name: VPN_DQCD9
  • Check Enable this profile
  • Call Direction: select Dial-Out (the Draytek device will wait for the other device to make the incoming VPN connection)
  • Tunnel Mode: select Always on
  • VPN Dial-Out Through: Select WAN1 First and select the IP address of the WAN1 port as 113.190.242.157.
  • Netbios Naming Packet: select Pass
  • Multicast via VPN: Block

5.1.2 Configure Dial-Out Settings

In this section we will configure the following parameters:

  • Type of Server I am calling: select IPSec Tunnel IKEv1
  • Server IP/Host Name for VPN: enter the Sophos WAN IP address 203.205.26.x.
  • IKE Authentication Method: select Pre-Shared Key and enter the password in the box next to it. (Note this password; the same one must be entered on the Sophos side.)
  • IPSec Security Method: select High(ESP) and select 3DES with authentication.
  • Then click Advanced; the IKE Advanced settings panel appears, and we configure the following parameters:
  • IKE phase 1 mode (IKEv1): select Main mode
  • IKE phase 1 proposal: select 3DES_MD5_G2
  • IKE phase 2 proposal: select 3DES_MD5
  • IKE phase 1 key lifetime: 28800
  • IKE phase 2 key lifetime: 3600
  • Perfect Forward Secret: select Disable.
  • Click OK to save.

5.1.3 Configure TCP/IP Network Settings

In this section we will configure the following parameters:

  • Remote Network IP: enter the Sophos LAN IP 172.16.20.1
  • Remote Network Mask: select 255.255.240.0/20
  • Local Network IP: enter the Draytek's LAN IP 192.168.4.1
  • Local Network Mask: select 255.255.255.0/24
  • Click OK to save.

Go back to the LAN-to-LAN Profiles page, select Enable for the newly created index profile, and click OK to enable it.

5.2 On Sophos XG 85

5.2.1 Create subnet

We will create network objects for the two subnets, 172.16.0.0/24 on the Sophos side and 192.168.4.0/24 on the Draytek side.

To create them, go to Hosts and services, click Add, and fill in the following information.

Subnet Sophos:

  • Name: LAN_Q9DQH_HEAD
  • IP Version: IPv4
  • Type: Network
  • IP address: 172.16.0.0 – Subnet: 255.255.240.0
  • Click OK to save

Subnet Draytek:

  • Name: LAN_CNHN_Network
  • IP Version: IPv4
  • Type: Network
  • IP address: 192.168.4.0 – Subnet: 255.255.255.0
  • Click OK to save

5.2.2 Configure IPSec Policies

To create IPSec Policies go to VPN > IPSec policies and click Add.

Configure according to the following parameters.

Tab General Settings:

  • Name: VPN_Draytek_DQ
  • Key exchange: IKEv1
  • Authentication mode: Main mode

Phase 1:

  • Key life: 28800
  • Re-key margin: 360
  • Randomize re-keying margin by: 50
  • DH group (key group): 2 (DH1024)
  • Encryption: 3DES
  • Authentication: MD5

Phase 2:

  • PFS group (DH group): None
  • Key life: 3600
  • Encryption: 3DES
  • Authentication: MD5

Dead Peer Detection:

  • Dead Peer Detection: checked
  • Check peer after every: 30
  • Wait for response up to: 120
  • When peer unreachable: Re-initiate

Click Save.

5.2.3 Configure IPSec Connection

To create the connection, go to VPN > IPSec Connection and click Add.

Configure according to the following parameters.

Tab General settings:

  • Name: VPN_DQH_CNHN
  • IP version: IPv4
  • Connection type: Site-to-site
  • Gateway type: Initiate the connection
  • Check Active on save and Create firewall rule

Tab Encryption:

  • Policy: select VPN_Draytek_DQ
  • Authentication type: select Preshared key
  • Preshared key: enter the VPN connection password (it must be the same as on the Draytek side)
  • Repeat preshared key: re-enter the connection password

Tab Gateway settings:

  • Listening interface: select Port5-203.205.26.x
  • Local Subnet: select the newly created LAN_Q9DQH_HEAD subnet.
  • Gateway address: enter the Draytek's WAN IP 113.190.242.x
  • Remote subnet: select the LAN_CNHN_Network subnet

Click Save.
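The two sides only negotiate if the Draytek profile from sections 5.1.2 and 5.1.3 and the Sophos policy and connection from 5.2.2 and 5.2.3 describe the same proposals, lifetimes, PFS setting and (mirrored) subnets. The script below is an added example, not code from the article or from either vendor: it transcribes the article's values into two dictionaries (the key names are my own, not vendor API fields; masked octets are not needed for the check), maps the Draytek combined proposal string onto the separate Sophos fields, normalises each entered IP/mask pair to a network address with the standard-library ipaddress module, and reports mismatches. It also flags 3DES, MD5 and DH group 2, which the article uses and which are deprecated for new deployments; on devices that support it, AES and SHA-2 with a larger DH group are the choice to prefer.

```python
"""Cross-check the Draytek and Sophos IPsec parameters listed in the article.

Added example; the dictionary keys are my own labels for the vendor UI fields.
"""
import ipaddress

# Draytek LAN-to-LAN profile (sections 5.1.2 and 5.1.3), as the article lists it.
DRAYTEK = {
    "ike_version": "IKEv1",
    "phase1_mode": "Main",
    "phase1_proposal": "3DES_MD5_G2",   # Draytek packs enc_auth_group in one string
    "phase2_proposal": "3DES_MD5",      # phase 2 proposals carry no group suffix
    "phase1_lifetime": 28800,
    "phase2_lifetime": 3600,
    "pfs": "Disable",
    "local_ip": "192.168.4.1",   "local_mask": "255.255.255.0",
    "remote_ip": "172.16.20.1",  "remote_mask": "255.255.240.0",
}

# Sophos IPsec policy (5.2.2) and connection subnets (5.2.3).
SOPHOS = {
    "ike_version": "IKEv1",
    "phase1_mode": "Main",
    "phase1_dh": 2, "phase1_enc": "3DES", "phase1_auth": "MD5",
    "phase1_lifetime": 28800,
    "phase2_pfs": None, "phase2_enc": "3DES", "phase2_auth": "MD5",
    "phase2_lifetime": 3600,
    "local_subnet": "172.16.0.0/255.255.240.0",   # LAN_Q9DQH_HEAD
    "remote_subnet": "192.168.4.0/255.255.255.0", # LAN_CNHN_Network
}

# Deprecated primitives to warn about (keys match parsed enc/auth/group values).
WEAK = {
    "3DES": "3DES: 64-bit block cipher, deprecated for new deployments",
    "MD5": "MD5: collision-broken hash, avoid for IKE/ESP integrity",
    2: "DH group 2 (1024-bit MODP): below current key-strength recommendations",
}


def parse_draytek_proposal(proposal):
    """Split a Draytek proposal such as '3DES_MD5_G2' into (enc, auth, dh_group).

    dh_group is None when the string has no 'G<n>' suffix (phase 2 proposals).
    """
    parts = proposal.split("_")
    enc, auth = parts[0], parts[1]
    dh = None
    if len(parts) > 2 and parts[2].startswith("G"):
        dh = int(parts[2][1:])
    return enc, auth, dh


def network(ip, mask):
    """Normalise an entered host-or-network address plus mask to its network."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def check(draytek, sophos):
    """Return (mismatches, warnings): mismatches block negotiation, warnings are weak algorithms."""
    mismatches, warnings = [], []

    enc1, auth1, dh1 = parse_draytek_proposal(draytek["phase1_proposal"])
    if (enc1, auth1, dh1) != (sophos["phase1_enc"], sophos["phase1_auth"], sophos["phase1_dh"]):
        mismatches.append("phase1 proposal")

    enc2, auth2, _ = parse_draytek_proposal(draytek["phase2_proposal"])
    if (enc2, auth2) != (sophos["phase2_enc"], sophos["phase2_auth"]):
        mismatches.append("phase2 proposal")

    # Draytek 'Perfect Forward Secret: Disable' corresponds to Sophos 'PFS group: None'.
    if (draytek["pfs"] != "Disable") != (sophos["phase2_pfs"] is not None):
        mismatches.append("pfs")

    for key in ("ike_version", "phase1_mode", "phase1_lifetime", "phase2_lifetime"):
        if draytek[key] != sophos[key]:
            mismatches.append(key)

    # Subnets must mirror: Draytek local == Sophos remote, Draytek remote == Sophos local.
    d_local = network(draytek["local_ip"], draytek["local_mask"])
    d_remote = network(draytek["remote_ip"], draytek["remote_mask"])
    s_local = ipaddress.ip_network(sophos["local_subnet"], strict=False)
    s_remote = ipaddress.ip_network(sophos["remote_subnet"], strict=False)
    if d_local != s_remote:
        mismatches.append(f"draytek local {d_local} vs sophos remote {s_remote}")
    if d_remote != s_local:
        mismatches.append(f"draytek remote {d_remote} vs sophos local {s_local}")

    for alg in (enc1, auth1, dh1, enc2, auth2):
        if alg in WEAK and WEAK[alg] not in warnings:
            warnings.append(WEAK[alg])
    return mismatches, warnings


if __name__ == "__main__":
    found, weak = check(DRAYTEK, SOPHOS)
    print("mismatches:", found or "none")
    for line in weak:
        print("warning:", line)
```

With the article's values the proposals, lifetimes and PFS agree, but the Draytek remote entry 172.16.20.1 with mask 255.255.240.0 normalises to 172.16.16.0/20, while the Sophos local object is 172.16.0.0/20; whether a given router stores the host address you typed or the network it derives from it is device-specific, so the checker only surfaces the difference for you to confirm on the device. Changing the Draytek remote entry to the network address 172.16.0.0 makes the report empty.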

5.3 Result

Going back to IPSec Connection, we will see that the VPN connection we just created is not enabled yet.

Click the dot in the Active column and click OK to turn on the VPN connection; the dot will turn green.

After about 2 to 3 seconds the circle in the Connection column also turns green, which means the VPN connection between Sophos and Draytek has been established.

On the Draytek side, you can check whether the VPN connection is up by going to VPN and Remote Access > Connection Management.

You will see the established VPN connection, its status, the time it has been connected, etc.
