Sophos XG Firewall BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This integration guide describes how to configure a BOVPN Virtual Interface tunnel between a WatchGuard Firebox and a Sophos XG Firewall.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.9.2
  • Sophos XG Firewall SFVUNL
    • SFOS 19.5.1 MR-1

Topology

This diagram shows the topology for a BOVPN virtual interface connection between a Firebox and a Sophos XG Firewall.

Screenshot of the topology diagram

Configure the Firebox

From Fireware Web UI, configure a BOVPN virtual interface connection on the Firebox:

  1. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  2. Click Add.
  3. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  5. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of Firebox, Firebox_BVT_001

  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  9. From the Physical drop-down list, select External.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  11. Select By IP Address.
  12. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screenshot of Firebox, Firebox_BVT_002

  13. Select the Remote Gateway tab.
  14. Select Static IP Address.
  15. In the adjacent text box, type the IP address of your Sophos XG Firewall WAN connection.
  16. Select By IP Address.
  17. In the adjacent text box, type the IP address of your Sophos XG Firewall WAN connection.

Screenshot of Firebox, Firebox_BVT_003

  18. Click OK.
  19. In the Gateway Endpoint section, select Start Phase 1 tunnel when it is inactive.
  20. Select Add this tunnel to the BOVPN-Allow policies.

Screenshot of Firebox, Firebox_BVT_004

  21. Select the VPN Routes tab.
  22. Click Add.
  23. From the Choose Type drop-down list, select Network IPv4.
  24. In the Route To text box, type the network IP address of a route for this virtual interface.

Screenshot of Firebox, Firebox_BVT_005

  25. Click OK.
  26. Select the Assign virtual interface IP addresses (required for dynamic routing) check box.
  27. In the Local IP address and Peer IP address or netmask text boxes, type the virtual interface IP addresses.

Screenshot of Firebox, Firebox_BVT_006

  28. Select the Phase 1 Settings tab.
  29. From the Version drop-down list, select IKEv2.
  30. Keep all other Phase 1 settings as the default values.

Screenshot of Firebox, Firebox_BVT_007

  31. Keep the Phase 2 Settings as the default values.

Screenshot of Firebox, Firebox_BVT_008

  32. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, go to BOVPN Virtual Interfaces.

Configure the Sophos XG Firewall

From the Sophos XG Firewall Web UI, configure the Sophos XG Firewall as described in the sections that follow.

Basic Settings

  1. Log in to the Sophos XG Firewall Web UI at https://<IP address of Sophos>:4444. The default IP address and port are 172.16.16.16:4444.
  2. Configure the interfaces. For information about how to configure interfaces, go to the Sophos XG Firewall documentation. Our example uses 192.168.13.3 as the IPv4 address of PortA.

Screenshot of Sophos, Sophos_001

  3. Select Configure > Routing > Gateways.
  4. Verify that the gateway status is on (green).

Screenshot of Sophos, Sophos_002

Configure IP Hosts

From the Sophos XG Firewall Web UI, configure IP hosts:

  1. Select System > Hosts and services > IP host.
  2. Click Add.
  3. In the Name text box, type the object name. In our example, the name is Sophos_lan.
  4. For Type, select Network.
  5. In the IP address text box, type the IP segment.
  6. Keep all other settings as the default values.

Screenshot of Sophos, Sophos_003

  7. Click Save.
  8. Repeat steps 1–7 to create an IP host for the other IP segment.

Screenshot of Sophos, Sophos_004

Add IPSec Profiles

From the Sophos XG Firewall Web UI, add IPSec profiles:

  1. Select System > Profiles > IPsec profiles.
  2. Click Add.
  3. In the Name text box, type the object name. In our example, the name is BOVPN_Virtual_Interface_IKEv2.
  4. For Key exchange, select IKEv2.
  5. Select the Re-key connection check box.
  6. In the Phase 1 section, from the DH group (key group) drop-down list, select 14 (DH2048).
  7. Delete the other default DH groups.
  8. In the Phase 2 section, from the PFS group (DH group) drop-down list, select 14 (DH2048).
  9. Keep the default values for all other settings.

Screenshot of Sophos, Sophos_005

Screenshot of Sophos, Sophos_006

  10. Click Save.

Screenshot of Sophos, Sophos_007

IPSec VPN Connection Settings

From the Sophos XG Firewall Web UI, configure IPSec VPN connection settings:

  1. Select Configure > Site-to-site VPN > IPsec.
  2. In the IPsec connections section, click Add.
  3. In the General settings section, type an object name in the Name text box. In our example, the name is wg_connection.
  4. From the Connection type drop-down list, select Tunnel interface.
  5. For IP version, select IPv4 or Dual.
  6. From the Gateway type drop-down list, select Initiate the connection.
  7. Select Activate on save.
  8. In the Encryption section, from the Profile drop-down list, select BOVPN_Virtual_Interface_IKEv2.
  9. From the Authentication type drop-down list, select Preshared key.
  10. In the Preshared key text box, type the pre-shared key.
  11. In the Repeat preshared key text box, type the pre-shared key again.
  12. In the Gateway settings section, from the Listening interface drop-down list, select PortB - 198.51.100.2.
  13. In the Gateway address text box, type the WAN IP address of Firebox.
  14. Leave the default values for all other settings.

Screenshot of Sophos, Sophos_008

  15. Click Save.
  16. Click OK.

Edit the XFRM Interface

From the Sophos XG Firewall Web UI, edit the XFRM Interface:

  1. Select Configure > Network > Interfaces.
  2. Expand the WAN interface (PortB in our example).
  3. Click the xfrm interface. In our example, the xfrm interface name is xfrm1.

Screenshot of Sophos, Sophos_009

  4. In the IPv4/netmask text box, type the xfrm IP address.

Screenshot of Sophos, Sophos_010

  5. Click Save.
  6. Click Update interface.

Configure a Static Route

From the Sophos XG Firewall Web UI, configure a static route:

  1. Select Configure > Routing > Static routes.
  2. In the IPv4 unicast route section, click Add.
  3. In the Destination IP / Netmask text box, type the destination IP address.
  4. From the Interface drop-down list, select xfrm1-10.0.11.10.

Screenshot of Sophos, Sophos_011

  5. Click Save.

Configure Firewall Rules

From the Sophos XG Firewall Web UI, configure firewall rules:

  1. Select Protect > Rules and Policies > Firewall rules > IPv4.
  2. Click Add firewall rule > New firewall rule.
  3. In the Rule name text box, type a rule name. In our example, the name is Rule1.
  4. Select the Log firewall traffic check box.
  5. In the Source zones section, click Add new item and select VPN.
  6. In the Source networks and devices section, click Add new item and select WG_lan.
  7. In the Destination zones section, click Add new item and select LAN.
  8. In the Destination networks section, click Add new item and select Sophos_lan.
  9. Keep the default values for all other settings.

Screenshot of Sophos, Sophos_012

  10. Click Save.
  11. Repeat steps 1–10 to create another firewall rule.

Screenshot of Sophos, Sophos_013

Test the Integration

From Fireware Web UI, test the integration:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab and verify the VPN is established.

Screenshot of Firebox, Test_BOVPN-Virtual-Interface

  3. Verify that Host1 (behind the Firebox) and Host2 (behind the Sophos XG Firewall) can ping each other.
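If the tunnel does not come up, the usual cause is a setting that differs between the two ends (IKE version, DH or PFS group, pre-shared key, gateway address, or the virtual interface addresses). The following added example, which is not part of this guide or of either vendor's product, checks those settings for consistency; the Sophos-side values follow the guide's example (PortB 198.51.100.2, xfrm1 10.0.11.10), while the Firebox-side addresses and the pre-shared key are constructed placeholders.

```python
# Added example (not from the WatchGuard guide or either vendor): a pre-flight
# consistency check of the settings that must agree on both ends of the
# BOVPN virtual interface. Sophos-side values follow the guide's example
# (PortB 198.51.100.2, xfrm1 10.0.11.10); the Firebox-side addresses and the
# pre-shared key are constructed placeholders.
import ipaddress

FIREBOX = {
    "ike_version": "IKEv2",            # Phase 1 Settings > Version
    "dh_group": 14,                    # Phase 1 DH group (assumed to match)
    "pfs_group": 14,                   # Phase 2 PFS group (assumed to match)
    "psk": "PLACEHOLDER-PSK",
    "local_vif_ip": "10.0.11.9/30",    # Local IP address / netmask (assumed)
    "peer_vif_ip": "10.0.11.10",       # Peer IP address = Sophos xfrm1 address
    "remote_gateway": "198.51.100.2",  # Sophos WAN (PortB)
}

SOPHOS = {
    "ike_version": "IKEv2",            # IPsec profile > Key exchange
    "dh_group": 14,                    # DH group 14 (DH2048), others deleted
    "pfs_group": 14,                   # PFS group 14 (DH2048)
    "psk": "PLACEHOLDER-PSK",
    "xfrm_ip": "10.0.11.10/30",        # xfrm1 IPv4/netmask
    "listening_interface": "198.51.100.2",  # PortB
}


def check_tunnel(fb, sx):
    """Return the list of mismatches; an empty list means the ends agree."""
    problems = []
    for key, label in (("ike_version", "IKE version"), ("dh_group", "Phase 1 DH group"),
                       ("pfs_group", "Phase 2 PFS group"), ("psk", "pre-shared key")):
        if fb[key] != sx[key]:
            problems.append(f"{label} differs")
    if fb["remote_gateway"] != sx["listening_interface"]:
        problems.append("Firebox remote gateway is not the Sophos listening interface")
    # The two virtual interface addresses must share one subnet, and the
    # Firebox peer address must be the address assigned to xfrm1.
    fb_vif = ipaddress.ip_interface(fb["local_vif_ip"])
    sx_vif = ipaddress.ip_interface(sx["xfrm_ip"])
    if fb_vif.network != sx_vif.network:
        problems.append("virtual interface addresses are in different subnets")
    if ipaddress.ip_address(fb["peer_vif_ip"]) != sx_vif.ip:
        problems.append("Firebox peer IP does not match the Sophos xfrm1 address")
    return problems


if __name__ == "__main__":
    for p in check_tunnel(FIREBOX, SOPHOS) or ["settings agree"]:
        print(p)
```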