Sophos XG Firewall and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Sophos XG firewall.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55
    • Fireware v12.7.1
  • Sophos XG Firewall SFVUNL
    • SFOS 18.0.5 MR-8

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Sophos XG Firewall.

Topology diagram

Configure the Firebox

On the Firebox, configure a BOVPN connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of Firebox, diagram12

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the Firebox External interface.

Screenshot of Firebox, diagram13

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of your Sophos XG firewall WAN connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address of your Sophos XG firewall WAN connection.

Screenshot of Firebox, diagram14

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

Screenshot of Firebox, diagram15

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screenshot of Firebox, diagram16

  1. Click Save.
  2. In the Tunnels section, click Add.

Screenshot of Firebox, diagram17

  1. From the Gateway drop-down list, select the gateway. In our example, the gateway is named gateway.1.
  2. In the Addresses section, click Add.

Screenshot of Firebox, diagram18

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the network behind the Sophos XG Firewall (the local network from the Sophos side).

Screenshot of Firebox, diagram19

  1. Click OK.

Screenshot of Firebox, diagram20

  1. Keep Phase 2 Settings as the default values.

Screenshot of Firebox, diagram21

  1. Click Save.

Configure the Sophos XG Firewall

Basic Settings

  1. Log in to the Sophos XG Firewall Web UI at https://<IP address of the Sophos firewall>. In our example, the default IP address is 172.16.16.16:4444.
  2. Configure the interfaces. For information about how to configure interfaces, see the Sophos XG Firewall documentation.

Screenshot of Sophos, diagram13

  1. Select Configure > Routing > Gateways.
  2. Verify the gateway status is on (green).

Screenshot of Sophos, diagram14

Policy Settings

  1. Select Configure > VPN > IPsec policies.
  2. In the IPsec policies section, click Add.
  3. In the Name text box, type the object name. In our example, the name is WG with Sophos.
  4. In the Phase 1 section, from the DH group drop-down list, select 14 (DH2048).
  5. Delete the other default DH groups.
  6. Keep the default values for all other settings.

Screenshot of Sophos, diagram15

Screenshot of Sophos, diagram16

  1. Click Save.

Screenshot of Sophos, diagram17

IPsec VPN Connection Settings

  1. Select System > Hosts and services > IP host.
  2. Click Add.
  3. In the Name text box, type the object name. In our example, the name is Sophos_lan.
  4. For Type, select Network.
  5. In the IP address text box, type the IP segment.
  6. Keep the default values for all other settings.

Screenshot of Sophos, diagram18

  1. Click Save.
  2. Repeat the previous steps to create a second IP host for the network behind the Firebox. In our example, the name is WG_lan; this object is selected later as the Remote subnet of the IPsec connection.

Screenshot of Sophos, diagram19

  1. Select Configure > VPN > IPsec connections.
  2. In the IPsec connections section, click Add.
  3. In the General settings section, type an object name in the Name text box. In our example, the name is wg_connection.
  4. From the Gateway type drop-down list, select Initiate the connection.
  5. Select Activate on save.
  6. Keep the default values for all other General settings.
  7. In the Encryption section, from the Policy drop-down list, select WG with Sophos.
  8. From the Authentication type drop-down list, select Preshared key.
  9. In the Preshared Key text box, type the pre-shared key.
  10. In the Repeat preshared Key text box, type the pre-shared key again.

Screenshot of Sophos, diagram20

  1. In the Gateway settings section, from the Listening interface drop-down list, select PortB - 198.51.100.2.
  2. From the Local subnet drop-down list, select Sophos_lan.
  3. In the Gateway address text box, type the WAN IP address of the Firebox.
  4. From the Remote subnet drop-down list, select WG_lan.
  5. Keep the default value for all other settings.

Screenshot of Sophos, diagram21

  1. Click Save.
  2. Click OK.

Screenshot of Sophos, diagram22
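The two configurations above must mirror each other exactly: the Firebox Remote Gateway IP is the Sophos listening interface, the Sophos Gateway address is the Firebox External IP, the Local/Remote subnets are swapped between sides, and IKE version, DH group and pre-shared key must agree. The following Python check, added here as an example and not part of WatchGuard's or Sophos's tooling, encodes those pairing rules so a mismatch can be caught before the tunnel is tested; the Sophos WAN address 198.51.100.2 comes from the guide, all other addresses and the key are assumed placeholders.

```python
import hmac
import ipaddress

# Constructed values for this guide's topology; only 198.51.100.2 is from the
# guide, the other addresses, subnets and the PSK are assumed placeholders.
FIREBOX = {
    "external_ip": "203.0.113.2",         # Firebox External interface (assumed)
    "remote_gateway_ip": "198.51.100.2",  # Sophos WAN IP (from the guide)
    "ike_version": 2,                     # Phase 1 Version: IKEv2
    "dh_groups": {14},
    "psk": "example-psk",
    "local_subnet": "10.0.1.0/24",        # network behind the Firebox (assumed)
    "remote_subnet": "10.0.2.0/24",       # network behind Sophos (assumed)
}
SOPHOS = {
    "listening_ip": "198.51.100.2",       # Listening interface PortB
    "gateway_address": "203.0.113.2",     # Gateway address = Firebox WAN IP
    "ike_version": 2,
    "dh_groups": {14},                    # only group 14 kept in the policy
    "psk": "example-psk",
    "local_subnet": "10.0.2.0/24",        # Sophos_lan
    "remote_subnet": "10.0.1.0/24",       # WG_lan
}

def check_bovpn_pair(firebox, sophos):
    """Return a list of mismatches; an empty list means both sides mirror each other."""
    problems = []
    if firebox["remote_gateway_ip"] != sophos["listening_ip"]:
        problems.append("Firebox Remote Gateway IP must equal the Sophos listening interface IP")
    if sophos["gateway_address"] != firebox["external_ip"]:
        problems.append("Sophos Gateway address must equal the Firebox External IP")
    if firebox["ike_version"] != sophos["ike_version"]:
        problems.append("IKE version differs; the guide selects IKEv2 on the Firebox")
    if not firebox["dh_groups"] & sophos["dh_groups"]:
        problems.append("no common DH group; the guide keeps only group 14 on Sophos")
    # Constant-time comparison so the check itself does not leak PSK timing.
    if not hmac.compare_digest(firebox["psk"].encode(), sophos["psk"].encode()):
        problems.append("pre-shared keys differ")
    fb_local = ipaddress.ip_network(firebox["local_subnet"])
    fb_remote = ipaddress.ip_network(firebox["remote_subnet"])
    if fb_local != ipaddress.ip_network(sophos["remote_subnet"]):
        problems.append("Firebox Local IP must equal the Sophos Remote subnet")
    if fb_remote != ipaddress.ip_network(sophos["local_subnet"]):
        problems.append("Firebox Remote IP must equal the Sophos Local subnet")
    if fb_local.overlaps(fb_remote):
        problems.append("local and remote subnets overlap; traffic will not be routed into the tunnel")
    return problems

if __name__ == "__main__":
    print(check_bovpn_pair(FIREBOX, SOPHOS) or "configurations mirror each other")
```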

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab and verify the VPN is established.

Screenshot of Firebox, diagram22

  1. Verify that Host1 (behind the Firebox) and Host2 (behind the Sophos XG Firewall) can ping each other.