Sophos XG Firewall and Firebox Branch Office VPN Integration Guide

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Sophos XG firewall.

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.10
  • Sophos XG Firewall SFVUNL
    • SFOS 19.5.3 MR-3-Build652

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Sophos XG Firewall.

Screenshot of the topology

Configure the Firebox

To configure a BOVPN connection on a Firebox:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
    The Add Branch Office VPN settings page opens.

Screenshot of Firebox, Firebox_001

  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. From the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.
  8. From the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings (IPv4) dialog box opens.

Screenshot of Firebox, Firebox_002

  9. From the External Interface drop-down list, select External.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  11. To specify the local gateway ID for tunnel authentication, select By IP Address.
  12. In the adjacent text box, type the primary IP address of the External Firebox interface.
  13. Select the Remote Gateway tab.

Screenshot of Firebox, Firebox_003

  14. To specify the remote gateway IP address for the tunnel, select Static IP Address.
  15. In the adjacent text box, type the IP address of your Sophos XG firewall WAN connection.
  16. To specify the remote gateway ID for tunnel authentication, select By IP Address.
  17. In the adjacent text box, type the IP address of your Sophos XG firewall WAN connection.
  18. Click OK.
  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel when Firebox Starts check box.

Screenshot of Firebox, Firebox_004

  20. Select the Phase 1 Settings tab.

Screenshot of Firebox, Firebox_005

  21. From the Version drop-down list, select IKEv2.
  22. Keep the default values for all other Phase 1 settings.
  23. Click Save.
    The Branch Office VPN page opens.

Screenshot of Firebox, Firebox_006

  24. From the Tunnels section, click Add.
    The Tunnel settings page opens.

Screenshot of Firebox, Firebox_007

  25. From the Gateway drop-down list, select the gateway. In our example, we use Gateway.1.
  26. From the Addresses section, click Add.
    The Tunnel Route Settings page opens.

Screenshot of Firebox, Firebox_008

  27. From the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  28. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  29. From the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  30. In the Network IP text box, type the remote IP segment. This is the network protected by the Sophos XG Firewall.
  31. From the Direction drop-down list, select bi-directional.
  32. Click OK.

Screenshot of Firebox, Firebox_009

  33. From the Phase 2 Settings tab, keep the default values for all options.

Screenshot of Firebox, Firebox_010

  34. Click Save.

Configure the Sophos XG Firewall

From the Sophos XG Firewall Web UI, configure the Sophos XG firewall.

To configure the Sophos XG Firewall, complete these steps:

  1. Configure Basic Settings
  2. Add IPSec Profiles
  3. IPSec VPN Connection Settings

Configure Basic Settings

To configure the Sophos XG Firewall, configure these basic settings:

  1. Log in to the Sophos XG Firewall Web UI at https://<IP address of the Sophos firewall>. The default URL is https://172.16.16.16:4444.
  2. Configure the interfaces. For information about how to configure interfaces, go to the Sophos XG Firewall documentation. Our example uses 192.168.13.3 for the IPv4 address of PortA.

Screenshot of Sophos, Sophos_001

  3. Select Configure > Routing > Gateways.
  4. Verify the gateway status is green.

Screenshot of Sophos, Sophos_002

Add IPSec Profiles

To add IPSec profiles, from the Sophos XG Firewall Web UI:

  1. Select System > Profiles.
  2. Select the IPsec Profiles tab.

Screenshot of Sophos, Sophos_003

  3. Click Add.
    The IPSec Profiles page opens.

Screenshot of Sophos, Sophos_003

  4. In the Name text box, type the object name. In our example, we use BOVPN_IKEv2.
  5. For Key Exchange, select IKEv2.
  6. Select the Re-Key Connection check box.
  7. From the Phase 1 section, from the DH Group (Key Group) drop-down list, select 14 (DH2048).
  8. Delete the other default DH groups.
  9. From the Phase 2 section, from the PFS group (DH group) drop-down list, select 14 (DH2048).
  10. Keep the default values for all other settings.
  11. Click Save.

Screenshot of Sophos, Sophos_005

IPSec VPN Connection Settings

To configure the IPSec VPN connection settings, from the Sophos XG Firewall Web UI:

  1. Select System > Hosts and Services.
  2. Select the IP Host tab.
  3. Click Add.
    The Add IP Host page opens.

Screenshot of Sophos, Sophos_006

  4. In the Name text box, type the object name. In our example, we use Sophos_lan.
  5. For Type, select Network.
  6. In the IP Address text box, type the IP segment of the network protected by the Sophos XG Firewall.
  7. Keep the default values for all other settings.
  8. Click Save.
  9. Repeat steps 1–8 to add another IP host for the network protected by the Firebox. In our example, we use WG_lan.

Screenshot of Sophos, Sophos_007

  10. Select Configure > Site-to-site VPN.
  11. Select the IPsec tab.
  12. From the IPsec Connections section, click Add.
    The Site-to-site VPN IPsec settings page opens.

Screenshot of Sophos, Sophos_008

  13. From the General Settings section, in the Name text box, type an object name. In our example, we use wg_connection.
  14. From the Gateway type drop-down list, select Initiate the Connection.
  15. Select the Activate On Save check box.
  16. Keep the default values for all other General Settings.
  17. From the Encryption section, from the Profile drop-down list, select BOVPN_IKEv2. You created this profile in the Add IPSec Profiles section of this document.
  18. From the Authentication Type drop-down list, select Preshared Key.
  19. In the Preshared Key text box, type the pre-shared key.
  20. In the Repeat Preshared Key text box, type the pre-shared key again.
  21. From the Gateway Settings section, from the Listening Interface drop-down list, select PortB - 198.51.100.2.

Screenshot of Sophos, Sophos_009

  22. From the Local Subnet drop-down list, select Sophos_lan.
  23. In the Gateway Address text box, type the WAN IP address of the Firebox.
  24. From the Remote Subnet drop-down list, select WG_lan.
  25. Keep the default values for all other settings.
  26. Click Save.
  27. Click OK.

Screenshot of Sophos, Sophos_010

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab, then verify the VPN is established.

Screenshot of Firebox, Sophos_BOVPN_Firebox_Test

  1. Verify that Host1 (behind the Firebox) and Host2 (behind the Sophos XG Firewall) can ping each other.
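If the tunnel does not show as established, the usual cause is that the two sides do not mirror each other: a pre-shared key typed differently, a remote gateway or gateway ID that is not the peer's actual address, a remote subnet that is not the peer's local subnet, or no Phase 1 DH group in common. The script below is an added example, not WatchGuard or Sophos code, that records the settings from this guide for each side and reports every such mismatch before you look at the VPN Statistics page. The field names are the script's own (not vendor API names); the addresses are documentation placeholders except 198.51.100.2 (the Sophos PortB address from this guide), and the pre-shared key and the two LAN segments are constructed assumptions.

```python
"""Cross-check that the Firebox and Sophos XG sides of the IKEv2 BOVPN mirror each other.

Added example, not WatchGuard or Sophos code. The two dictionaries are constructed from
the settings this guide walks through; field names are this script's own, not vendor
API names. Addresses are placeholders except 198.51.100.2 (Sophos PortB in the guide).
"""
import ipaddress

# Constructed sample: the Firebox gateway and tunnel route as entered in Fireware Web UI.
FIREBOX = {
    "ike_version": "IKEv2",
    "local_gateway_ip": "203.0.113.2",    # primary IPv4 address of the External interface (assumed)
    "local_id": "203.0.113.2",            # local gateway ID "By IP Address"
    "remote_gateway_ip": "198.51.100.2",  # Sophos WAN address (PortB)
    "remote_id": "198.51.100.2",          # remote gateway ID "By IP Address"
    "psk": "example-psk-replace-me",      # constructed placeholder
    "local_subnet": "192.168.10.0/24",    # network behind the Firebox (assumed; WG_lan on the Sophos side)
    "remote_subnet": "192.168.13.0/24",   # network behind the Sophos XG (assumed from PortA 192.168.13.3)
    "phase1_dh_groups": {14},
    "phase2_pfs_group": 14,
}

# Constructed sample: the Sophos XG IPsec connection that uses the BOVPN_IKEv2 profile.
SOPHOS = {
    "ike_version": "IKEv2",
    "local_gateway_ip": "198.51.100.2",   # Listening Interface PortB
    "local_id": "198.51.100.2",
    "remote_gateway_ip": "203.0.113.2",   # Gateway Address = Firebox WAN IP
    "remote_id": "203.0.113.2",
    "psk": "example-psk-replace-me",
    "local_subnet": "192.168.13.0/24",    # Sophos_lan
    "remote_subnet": "192.168.10.0/24",   # WG_lan
    "phase1_dh_groups": {14},             # DH2048 only; the other default groups were deleted
    "phase2_pfs_group": 14,
}

MIN_DH_GROUP = 14  # the guide selects DH group 14 (2048-bit) and removes the weaker defaults


def check_bovpn_pair(firebox, sophos):
    """Return a list of mismatches between the two tunnel endpoints.

    An empty list means every value one side expects from its peer is what the peer
    is configured to send. Each peer-related message names the side whose entry is wrong.
    """
    problems = []
    if firebox["ike_version"] != sophos["ike_version"]:
        problems.append(f"IKE version mismatch: Firebox {firebox['ike_version']}, Sophos {sophos['ike_version']}")
    if firebox["psk"] != sophos["psk"]:
        problems.append("pre-shared keys differ")
    if not firebox["phase1_dh_groups"] & sophos["phase1_dh_groups"]:
        problems.append("no Phase 1 DH group in common")
    if firebox["phase2_pfs_group"] != sophos["phase2_pfs_group"]:
        problems.append(f"Phase 2 PFS group mismatch: Firebox {firebox['phase2_pfs_group']}, Sophos {sophos['phase2_pfs_group']}")

    # Peer settings are mirrors: my remote gateway, ID and subnet must equal the peer's local ones.
    for name, mine, peer in (("Firebox", firebox, sophos), ("Sophos", sophos, firebox)):
        if mine["remote_gateway_ip"] != peer["local_gateway_ip"]:
            problems.append(f"{name}: remote gateway {mine['remote_gateway_ip']} is not the peer's local gateway {peer['local_gateway_ip']}")
        if mine["remote_id"] != peer["local_id"]:
            problems.append(f"{name}: expects remote ID {mine['remote_id']} but the peer sends {peer['local_id']}")
        local = ipaddress.ip_network(mine["local_subnet"])
        remote = ipaddress.ip_network(mine["remote_subnet"])
        if remote != ipaddress.ip_network(peer["local_subnet"]):
            problems.append(f"{name}: remote subnet {remote} does not match the peer's local subnet {peer['local_subnet']}")
        if local.overlaps(remote):
            problems.append(f"{name}: local subnet {local} overlaps remote subnet {remote}")
        weak = sorted(g for g in mine["phase1_dh_groups"] if g < MIN_DH_GROUP)
        if weak:
            problems.append(f"{name}: Phase 1 DH group(s) below {MIN_DH_GROUP} still enabled: {weak}")
    return problems


if __name__ == "__main__":
    for line in check_bovpn_pair(FIREBOX, SOPHOS) or ["OK: both sides mirror each other"]:
        print(line)
```

Fill in the two dictionaries from what you actually typed into each Web UI and run the script; an empty result means the settings agree and the next thing to inspect is the Firebox VPN Statistics page and the Sophos connection log. The overlap check is included because a local and remote segment that overlap will make the Firebox tunnel route unusable even when Phase 1 and Phase 2 negotiate correctly.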