Sophos XG Firewall and Firebox Branch Office VPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Sophos XG firewall.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55
    • Fireware version 12.5.2
  • Sophos XG Firewall SFVUNL
    • SFOS 17.5.8 MR-8

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Sophos XG firewall.

Diagram of the BOVPN topology between the Firebox and the Sophos XG firewall

Configure the Firebox

On the Firebox, configure a BOVPN connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key. Use a long, random key and keep it available: you must type the same key when you configure the IPsec connection on the Sophos XG firewall.

Screen shot of the General Settings tab

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  4. Select By IP Address. This is the local gateway ID that the Firebox presents for tunnel authentication.
  5. In the adjacent text box, type the primary IP address of the Firebox External interface.

Screen shot of the local gateway settings

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of the Sophos XG firewall WAN interface.
  4. Select By IP Address. This is the remote gateway ID, and it must match the Local ID that you configure later on the Sophos XG firewall.
  5. In the adjacent text box, type the same IP address of the Sophos XG firewall WAN interface.

Screen shot of the completed Gateway Endpoint settings

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.
  3. Select the Phase 1 Settings tab.
  4. From the Version drop-down list, select IKEv2.
  5. Keep all other Phase 1 settings as the default values.

Screen shot of the Phase 1 settings

  1. Click Save.
  2. In the Tunnels section, click Add.

Screen shot of the Tunnels section

  1. From the Gateway drop-down list, select the gateway that you created in the Gateways section.
  2. In the Addresses section, click Add.

Screen shot of the Addresses tab

  1. In the Local IP section, from the Choose Type drop-down list, select Host IPv4 or Network IPv4. In our example, we select Network IPv4.
  2. In the Network IP text box, type the local network in slash notation. This is the internal network behind the Firebox that the VPN protects.
  3. In the Remote IP section, from the Choose Type drop-down list, select Host IPv4 or Network IPv4. In our example, we select Network IPv4.
  4. In the Network IP text box, type the remote network. This is the internal network behind the Sophos XG firewall that the VPN protects, and it must match the Local subnet object that you configure on the Sophos XG firewall.

Screen shot of the tunnel route settings

  1. Click OK.

Screen shot of the Addresses tab

  1. Keep Phase 2 Settings as the default values.

Screen shot of the Phase 2 settings

  1. Click Save.

Configure the Sophos XG Firewall

Basic Settings

  1. Log on to the Sophos XG Firewall Web UI at https://<IP address of the Sophos firewall>:4444. In our example, the firewall uses the default address, https://172.16.16.16:4444.
  2. Configure the interfaces. For information about how to configure interfaces, see the Sophos XG Firewall documentation.

Screen shot of Sophos XG firewall interfaces

  1. Select Configure > Routing > Gateways.
  2. Verify that the status of the WAN gateway is green (up). The tunnel cannot be established until the firewall has a working route to the Firebox.

Screen shot of Sophos XG routing settings

Policy Settings

  1. Select Configure > VPN > IPsec policies.
  2. In the IPsec policies section, click Add.
  3. In the Name text box, type a name for the policy. In our example, the name is WG with Sophos.
  4. In the Phase 1 section, from the DH group drop-down list, select 14 (DH2048).
  5. Remove the other DH groups that are selected by default, so that only group 14 is offered. Only a DH group that both peers offer can be negotiated.
  6. Keep the default values for all other settings.

Screen shot of Sophos XG IPSec policies

Screen shot of the Sophos XG IPSec policies

  1. Click Save.

Screen shot of the Sophos XG IPSec policy list

IPsec VPN Connection Settings

  1. Select System > Hosts and services >IP host.
  2. Click Add.

Screen shot of the Sophos XG IP host list

  1. In the Name text box, type the object name. In our example, the name is Sophos_lan.
  2. For Type, select Network.
  3. In the IP address text box, type the network address of the LAN behind the Sophos XG firewall. This is the network that the VPN protects on the Sophos side.
  4. Keep the default values for all other settings.

Screen shot of the Sophos XG IP host settings

  1. Click Save.
  2. Repeat these steps to create a second IP host for the network behind the Firebox. In our example, the name is WG_lan.

Screen shot of the Sophos XG IP host list

  1. Select Configure > VPN > IPsec connections.
  2. Click Add.
  3. In the General settings section, type an object name in the Name text box. In our example, the name is wg_connection.
  4. From the Gateway type drop-down list, select Initiate the connection.
  5. Select Activate on save.
  6. Keep the default values for all other General settings.
  7. In the Encryption section, from the Policy drop-down list, select WG with Sophos.
  8. From the Authentication type drop-down list, select Preshared key.
  9. In the Preshared Key text box, type the pre-shared key.
  10. In the Repeat preshared Key text box, type the pre-shared key again.

Screen shot of the Sophos XG IPSec connections

  1. In the Gateway settings section, from the Local ID type drop-down list, select IP address.
  2. In the Local ID text box, type the WAN IP address of the Sophos XG firewall. This must match the remote gateway ID configured on the Firebox.
  3. From the Local subnet drop-down list, select Sophos_lan.
  4. In the Gateway address text box, type the IP address of the Firebox External interface.
  5. From the Remote ID type drop-down list, select IP address.
  6. In the Remote ID text box, type the IP address of the Firebox External interface. This must match the local gateway ID configured on the Firebox.
  7. From the Remote subnet drop-down list, select WG_lan.
  8. Keep the default values for all other settings.

Screen shot of the Sophos XG IPSec connections

  1. Click Save.
  2. When the pre-shared key message appears, click OK.
    The IPsec connections list appears.

Screen shot of the Sophos XG preshared key message

Screen shot of the Sophos XG IPSec connections

Test the Integration

To test the integration:

  1. From Fireware Web UI, select System Status > VPN Statistics and verify that the VPN tunnel is active.
  2. On the Sophos XG firewall, select Configure > VPN > IPsec connections and verify that the connection status shows the tunnel is established.
  3. Verify that Host1 (behind the Firebox) and Host2 (behind the Sophos XG firewall) can ping each other. Make sure that the firewall policies on both devices allow ICMP between the two networks.

If the tunnel does not come up, the usual causes are a pre-shared key that differs between the peers, Phase 1 or Phase 2 proposals that do not overlap, or local and remote networks that are not mirror images of each other on the two devices.
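Most failed first attempts at this integration come from the two sides not mirroring each other: the Firebox remote gateway ID must equal the Sophos Local ID, the Firebox local network must equal the Sophos Remote subnet, and so on. The following script is an added example, not WatchGuard or Sophos code, that records the values entered on each Web UI and reports every mismatch before the tunnel is tested. The two dictionaries, their field names, and all addresses and the pre-shared key are constructed sample values for illustration, not values from this guide.

```python
"""Pre-flight consistency check for an IKEv2 BOVPN between a Firebox and a Sophos XG.

Added example; this is not WatchGuard or Sophos code. The two dictionaries
mirror the fields typed into the two Web UIs in the guide. All addresses and
the pre-shared key are constructed sample values, not values from the guide.
"""
import ipaddress

# Constructed sample values for the Firebox (comments name the Web UI field).
FIREBOX = {
    "name": "Firebox",
    "ike_version": "IKEv2",                  # Phase 1 Settings > Version
    "local_gateway_ip": "203.0.113.10",      # External interface primary IP
    "local_id": "203.0.113.10",              # Local gateway ID, By IP Address
    "remote_gateway_ip": "198.51.100.20",    # Remote Gateway, Static IP Address
    "remote_id": "198.51.100.20",            # Remote gateway ID, By IP Address
    "local_networks": ["192.168.10.0/24"],   # Tunnel route, Local IP
    "remote_networks": ["10.20.0.0/24"],     # Tunnel route, Remote IP
    "phase1_dh_groups": {14},                # Phase 1 transform DH group(s)
    "psk": "constructed-sample-psk-replace-me-0123456789",
}

# Constructed sample values for the Sophos XG firewall.
SOPHOS = {
    "name": "Sophos XG",
    "ike_version": "IKEv2",                  # IPsec policy key exchange
    "local_gateway_ip": "198.51.100.20",     # WAN interface
    "local_id": "198.51.100.20",             # Local ID (type: IP address)
    "remote_gateway_ip": "203.0.113.10",     # Gateway address
    "remote_id": "203.0.113.10",             # Remote ID (type: IP address)
    "local_networks": ["10.20.0.0/24"],      # Local subnet (Sophos_lan)
    "remote_networks": ["192.168.10.0/24"],  # Remote subnet (WG_lan)
    "phase1_dh_groups": {14},                # IPsec policy Phase 1 DH group
    "psk": "constructed-sample-psk-replace-me-0123456789",
}


def _parse_networks(label, cidrs, problems):
    """Parse CIDR strings into ip_network objects, recording anything malformed.

    strict=True rejects a host address written with a prefix (10.20.0.5/24),
    a common typo that makes the two peers' traffic selectors disagree.
    """
    nets = set()
    for cidr in cidrs:
        try:
            nets.add(ipaddress.ip_network(cidr, strict=True))
        except ValueError as err:
            problems.append(f"{label}: bad network {cidr!r} ({err})")
    return nets


def check_bovpn(a, b, min_psk_len=20):
    """Return a list of mismatches between two peers; an empty list means consistent."""
    problems = []

    # Settings that must be identical on both peers.
    if a["ike_version"] != b["ike_version"]:
        problems.append(f"IKE version differs: {a['ike_version']} vs {b['ike_version']}")
    if not a["phase1_dh_groups"] & b["phase1_dh_groups"]:
        problems.append("no Phase 1 DH group is offered by both peers")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    elif len(a["psk"]) < min_psk_len:
        problems.append(f"pre-shared key is shorter than {min_psk_len} characters")

    nets = {}
    for side in (a, b):
        for key in ("local_networks", "remote_networks"):
            nets[side["name"], key] = _parse_networks(f"{side['name']} {key}", side[key], problems)

    # Settings that must be mirror images: my local value is the peer's remote value.
    for me, peer in ((a, b), (b, a)):
        n = me["name"]
        if me["local_gateway_ip"] != peer["remote_gateway_ip"]:
            problems.append(f"{n}: local gateway {me['local_gateway_ip']} is not the peer's remote gateway {peer['remote_gateway_ip']}")
        if me["local_id"] != peer["remote_id"]:
            problems.append(f"{n}: local ID {me['local_id']} is not the peer's remote ID {peer['remote_id']}")
        if nets[n, "local_networks"] != nets[peer["name"], "remote_networks"]:
            problems.append(f"{n}: local networks {me['local_networks']} are not the peer's remote networks {peer['remote_networks']}")

    # Overlapping LANs cannot be routed through the tunnel without NAT.
    for la in nets[a["name"], "local_networks"]:
        for lb in nets[b["name"], "local_networks"]:
            if la.overlaps(lb):
                problems.append(f"local networks overlap: {la} and {lb}")
    return problems


if __name__ == "__main__":
    for problem in check_bovpn(FIREBOX, SOPHOS) or ["configuration is consistent"]:
        print(problem)
```

Fill in the dictionaries from what was actually typed on each device and run the script; an empty result means the IDs, gateway addresses, traffic selectors, IKE version, DH group and pre-shared key all line up, which is the set of values the two Web UIs give no cross-checking for.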