How to configure IPSec VPN between Sophos and Fortinet when Sophos device is behind another Sophos device

1.The purpose of the article

In this article, techbast will show you how to configure an IPSec site-to-site VPN between a Sophos Firewall and a Fortinet device when the Sophos device sits behind another Sophos Firewall.

2.Diagram

Details:

Head Office:

  • The head office uses an external/internal firewall model with two devices: Sophos Firewall 1 is the external firewall and Sophos Firewall 2 is the internal firewall.
  • The internet connection is connected at PortA5 of Sophos Firewall 1 device with IP 42.117.x.x.
  • The LAN network of the Sophos Firewall 1 device is configured at PortA8 with IP 10.84.2.94/29 and has DHCP configured to allocate to devices connected to it.
  • On Sophos Firewall 2 the WAN port is PortA8, which is connected to PortA8 of Sophos Firewall 1. PortA8 on Sophos Firewall 2 has the static IP 10.84.2.90/29 and its gateway points to 10.84.2.94.
  • Sophos Firewall 2’s LAN is configured at PortA4 with IP 10.84.0.1/16 and has DHCP configured.

Branch office:

  • The internet connection is connected at port wan2 of the Fortinet 800D device with IP 203.205.x.x.
  • The LAN is configured at port5 with IP 192.168.2.0/24 and has DHCP configured to allocate IPs to devices connected to it.

3.Scenario

Based on the above diagram, we will configure IPSec VPN Site to site between the Sophos Firewall 2 device at the Head Office site and the Fortinet 800D device at the Branch Office site so that both LANs of the two sites can communicate with each other.

4.What to do

Sophos Firewall 1:

  • Create profile for IPSec service.
  • Create Profile for Sophos Firewall 2’s WAN IP.
  • Create a DNAT rule that forwards the IPSec service from the internet to Sophos Firewall 2's WAN IP.

Sophos Firewall 2:

  • Create profile for Local and Remote subnet.
  • Create IPSec policy.
  • Create IPSec connection.
  • Create policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Fortinet 800D:

  • Create profile for Local and Remote subnet
  • Create VPN tunnels.
  • Create Static Routes.
  • Create Policy.

Result.

5.Configuration.

5.1.Sophos Firewall 1.

5.1.1.Create profile for IPSec service

The IPSec VPN Site to site connection will use the UDP 500 and UDP 4500 ports.

We need to create profiles for these two services.

To create, go to SYSTEM > Hosts and services > Services > click Add.

Create with the following parameters:

  • Name*: IPSec S2S VPN
  • Type*: select TCP/UDP.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 500
  • Press the + icon to add 1 row.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 4500.
  • Click Save.

5.1.2.Create profile for Sophos Firewall 2’s WAN IP.

To create go to SYSTEM > Hosts and services > IP Host > Click Add.

Create with the following information:

  • Name*: Sophos Firewall 2.
  • IP version*: select IPv4.
  • Type*: select IP.
  • IP address*: Enter Sophos Firewall 2’s WAN IP as 10.84.2.90.
  • Click Save.

5.1.3.Create a DNAT rule that forwards the IPSec service from the internet to Sophos Firewall 2's WAN IP.

To create the NAT rule, go to PROTECT > Rules and policies > Add firewall rule > Server access assistant [DNAT].

After clicking on Server access assistant [DNAT] a configuration panel pops up.

In the Internal server IP address we tick Select IP host and select Sophos Firewall 2 – 10.84.2.90 from the drop-down list.

Click Next.

Under Public IP address, tick Select public IP address or WAN interface and select #Port 2 – 42.117.x.x from the drop-down list.

Click Next.

In Service, click Add new item and select the IPSec S2S VPN profile.

Click Next.

In External source networks or devices, keep the Any option and click Next.

The last step is to review the previously selected options; if they are correct, click Save and Finish to complete.

5.2.Sophos Firewall 2

5.2.1. Create profile for Local and Remote subnet

We will create profiles for Local and Remote subnet.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Local subnet with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.84.0.0 Subnet /16[255.255.0.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:

  • Name*: Fortinet_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 192.168.2.0 Subnet /24[255.255.255.0]

Click Save.

5.2.2.Create IPSec policy

Because this IPSec VPN connects two devices from different vendors, both sides must be configured with the same IPSec policy (proposal) parameters.

To create IPSec policies go to CONFIGURE > VPN > IPSec policies > Click Add.

Create an IPSec policy with the following parameters.

General settings:

  • Name: VPN_S2S_Fortinet.
  • Key exchange: IKEv1.
  • Authentication mode: Main mode
  • Tick Re-key connection.

Phase 1:

  • Key life: 5400.
  • Re-key margin: 360.
  • Randomize re-keying margin by: 50.
  • DH group (key group): 14 (DH2048).
  • Encryption: AES256.
  • Authentication: SHA2 256.

Phase 2:

  • PFS group (DH group): None.
  • Key life: 3600.
  • Encryption: AES128.
  • Authentication: SHA2 256.

Dead Peer Detection:

  • Dead Peer Detection: Tick.
  • Check peer after every: 30.
  • Wait for response up to: 120.
  • When peer unreachable: Re-initiate.

Click Save to save.

5.2.3.Create IPSec connection

To create one, go to CONFIGURE > VPN > IPSec connections > click Add.

In General we configure with the following parameters:

  • Name: VPN_SOPHOS_TO_FORTINET.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Initiate the connection.
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select VPN_S2S_Fortinet.
  • Authentication type: select Preshared key.
  • Preshared key: enter the connection password.
  • Repeat preshared key: re-enter the connection password.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select PortA8 – 10.84.2.90.
  • Local ID type: select IP address.
  • Local ID: enter 10.84.2.90.
  • Local subnet: select profile SF2_LAN.

Remote Gateway:

  • Gateway address: Enter the Fortinet 800D’s WAN IP as 203.205.x.x.
  • Remote ID type: select IP address.
  • Remote ID: enter 203.205.x.x.
  • Remote subnet: select profile Fortinet_LAN.

Click Save.

After clicking Save, the IPSec connection will be created as shown below.

However, this connection is not yet enabled. To turn it on, click the circle icon in the Active column and click OK.

Now the circle icon in the Active column turns green, which means that the connection has been successfully turned on.

5.2.4.Create a policy to allow traffic between the LAN and VPN zones.

By default, the firewall will block all traffic between zones.

So we need to create a policy to allow traffic to go back and forth between the LAN and VPN zones.

To create, go to PROTECT > Rules and policies > Add firewall rule and create a policy as shown below.

Click Save.

5.2.5.Enable PING and HTTPS services on VPN zone.

By default, all device access services are turned off for the VPN zone.

To enable go to SYSTEM > Administration > Device Access.

Tick the HTTPS and Ping/Ping6 checkboxes in the VPN zone row and click Apply to save.

5.3.Fortinet FG 800D

5.3.1.Create profile for Local and Remote subnet

We will create profiles for Local and Remote subnet.

To create, go to Policy & Objects > Addresses > click Create New > Address.

Create a profile for the Remote subnet with the following parameters:

  • Category: Address.
  • Name: LAN_Sophos.
  • Type: Subnet.
  • IP/Netmask: 10.84.0.0/16.
  • Interface: any.
  • Show in address list: enable.
  • Click OK.

Similar to the above steps, we will create a profile for the Local subnet according to the following parameters:

  • Category: Address.
  • Name: 192.168.2.0 address.
  • Type: Subnet.
  • IP/Netmask: 192.168.2.0/24.
  • Interface: any.
  • Show in address list: enable.

Click OK.

5.3.2.Create VPN Tunnels

To create VPN Tunnels go to VPN > IPSec Tunnels > click Create New.

The VPN Creation Wizard panel appears; fill in the following configuration information:

  • Name: VPN_FG_2_SOPHOS
  • Template type: select Custom
  • Click Next.

We will configure the Network table with the following parameters:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: Enter the public IP that Sophos Firewall 1 forwards to Sophos Firewall 2, 42.117.x.x.
  • Interface: Select the WAN port of the Fortinet device used to establish the VPN connection. In this diagram that is port wan2.
  • Local Gateway: disable
  • Mode Config: uncheck
  • NAT Traversal: select Disable
  • Dead Peer Detection: select Disable

Authentication table:

  • Method: select Pre-shared Key
  • Pre-shared Key: Enter the password to establish the VPN connection (note that this password must be set the same on both Sophos and Fortinet devices).
  • IKE Version: 1
  • IKE Mode: Main(ID protection)

Phase 1 Proposal table:

  • Encryption: AES256
  • Authentication: SHA256
  • Diffie-Hellman Group: select 14
  • Key Lifetime (seconds): 5400

XAUTH table:

  • Type: select Disable

Phase 2 Selectors table:

  • Local Address: Select Subnet and fill in Fortinet’s 192.168.2.0/24 LAN subnet.
  • Remote Address: Select Subnet and enter the LAN subnet 10.84.0.0/16 of Sophos Firewall 2.
  • Click Advanced… to display the Phase 2 Proposal panel.

Phase 2 Proposal table:

  • Encryption: AES128
  • Authentication: SHA256
  • Enable Perfect Forward Secrecy: uncheck
  • Key Lifetime: select Seconds
  • Second: 3600

Click OK.
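The two GUIs label the same algorithms differently (Sophos "SHA2 256" vs Fortinet "SHA256", "14 (DH2048)" vs "14", PFS "None" vs an unchecked box), which is where cross-vendor tunnels usually fail. As an added example that is not part of the original article, this Python script normalizes those labels and reports any Phase 1 or Phase 2 parameter that differs between the Sophos policy from 5.2.2 and the Fortinet tunnel from 5.3.2; the dictionary key names are my own.

```python
import re

# Algorithm labels as the two GUIs print them, mapped to one canonical token.
ALIASES = {
    "aes256": "aes256", "aes-256": "aes256",
    "aes128": "aes128", "aes-128": "aes128",
    "sha2 256": "sha256", "sha256": "sha256", "sha2-256": "sha256",
}

def normalize(key, value):
    """Reduce a vendor-specific GUI label to a comparable token."""
    v = str(value).strip().lower()
    if key in ("ike_version", "dh_group", "pfs_group", "p1_lifetime", "p2_lifetime"):
        m = re.search(r"\d+", v)            # "14 (DH2048)" -> "14", "IKEv1" -> "1"
        return m.group(0) if m else "none"  # "None" / "uncheck" -> PFS disabled
    if key == "mode":
        return "main" if v.startswith("main") else "aggressive"
    return ALIASES.get(v, v)

def compare_proposals(side_a, side_b):
    """Return [(parameter, a_value, b_value)] for every parameter that differs."""
    mismatches = []
    for key in sorted(set(side_a) | set(side_b)):
        a, b = side_a.get(key, "missing"), side_b.get(key, "missing")
        if normalize(key, a) != normalize(key, b):
            mismatches.append((key, a, b))
    return mismatches

# Values transcribed from sections 5.2.2 (Sophos) and 5.3.2 (Fortinet) above;
# the key names are this example's own, not vendor identifiers.
SOPHOS_POLICY = {
    "ike_version": "IKEv1", "mode": "Main mode",
    "p1_encryption": "AES256", "p1_authentication": "SHA2 256",
    "dh_group": "14 (DH2048)", "p1_lifetime": "5400",
    "p2_encryption": "AES128", "p2_authentication": "SHA2 256",
    "pfs_group": "None", "p2_lifetime": "3600",
}
FORTINET_TUNNEL = {
    "ike_version": "1", "mode": "Main(ID protection)",
    "p1_encryption": "AES256", "p1_authentication": "SHA256",
    "dh_group": "14", "p1_lifetime": "5400",
    "p2_encryption": "AES128", "p2_authentication": "SHA256",
    "pfs_group": "uncheck", "p2_lifetime": "3600",
}

if __name__ == "__main__":
    for key, a, b in compare_proposals(SOPHOS_POLICY, FORTINET_TUNNEL):
        print(f"MISMATCH {key}: Sophos={a!r} Fortinet={b!r}")
    # Constructed failure case: PFS enabled on the Fortinet side only.
    print(compare_proposals(SOPHOS_POLICY, dict(FORTINET_TUNNEL, pfs_group="14")))
```

An empty result means the proposals agree; DPD and NAT traversal are per-device settings rather than negotiated proposal values, so they are deliberately outside this check.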

5.3.3.Create Static Routes

We need to create a static route on the Fortinet firewall so that traffic to the Sophos LAN subnet is sent through the VPN tunnel we just created.

To create go to Network > Static Routes and click Create New.

Configure according to the following parameters:

  • Destination: Enter the LAN subnet of the Sophos Firewall 2 device as 10.84.0.0/16.
  • Interface: select IPSec tunnels VPN_FG_2_SOPHOS just created.
  • Status: select Enable.
  • Click OK.

5.3.4.Create Policy

We need to create policies so that traffic arriving through the VPN tunnel can reach Fortinet's LAN and vice versa.

To create a policy go to Policy & Objects > IPv4 Policy and click Create New.

Configure the policy that allows traffic from Fortinet's LAN subnet to reach Sophos' LAN subnet with the following parameters:

  • Name: VPN_FG_2_SOPHOS
  • Incoming Interface: choose Floor B (192.168.2.0), i.e. port5 of the Fortinet
  • Outgoing Interface: Select VPN Tunnels VPN_FG_2_SOPHOS just created
  • Source: Select profile 192.168.2.0 address
  • Destination: Select profile LAN_Sophos
  • Service: select ALL
  • Action: select ACCEPT
  • Log Allowed Traffic: enable and select All Session
  • Enable this policy: ON
  • Click OK

Configure the policy that allows traffic from Sophos' LAN subnet to reach Fortinet's LAN subnet with the following parameters:

  • Name: VPN_SOPHOS_2_FG
  • Incoming Interface: select VPN Tunnels VPN_FG_2_SOPHOS just created
  • Outgoing Interface: choose Floor B (192.168.2.0), i.e. port5 of the Fortinet
  • Source: select profile LAN_Sophos
  • Destination: select profile 192.168.2.0 address
  • Service: select ALL
  • Action: select ACCEPT
  • Log Allowed Traffic: enable and select All Session
  • Enable this policy: ON
  • Click OK

5.4.Result.

To bring up the IPSec connection between the two devices, go to Sophos Firewall > CONFIGURE > VPN > IPSec connections.

We notice that the circle icon in the Connection column of the IPSec VPN connection we created earlier is red, meaning the connection to the Fortinet 800D device has not been established.

To set up, left-click on the circle icon in the Connection column and click Yes.

This circle icon will turn green, which means we have successfully established the IPSec VPN connection between the two devices.

On the Fortinet 800D device we will also see that the VPN_FG_2_SOPHOS tunnel is UP.
