S2S between Azure SFOS and FritzBox

Hi folks,

I was able to establish a connection to the firewall on Azure by reading https://community.sophos.com/sophos-xg-firewall/f/discussions/127264/vpn---site-to-site-sophos-xg-v18x---fritzbox-v7-2x. Great, works... the next step is to use the firewall in Azure as default gateway, so establish a VPN full tunnel and send all network traffic through the VPN. Any suggestions? Can't find any information regarding the cfg file to change. Maybe I read over that.

Cheers,

Bob

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Assuming you want to route the FritzBox network's internet traffic from the XG firewall over the IPsec VPN.

    In order to do that, you need to change the parameters below in the IPsec tunnel.

    ==> At FritzBox, define phase2remoteid as below.

    phase2remoteid {
        ipnet {
            ipaddr = 0.0.0.0;
            mask = 0.0.0.0;
        }
    }

    ==> At XG, define the local subnet as 0.0.0.0/0. Also, add a VPN-to-WAN firewall rule for the FritzBox network.

  • Hi Yash,

    thank you for your quick reply. Didn't work, SFOS 18.5.1, can't add the network object, error message:

    You cannot enter an unspecified IP for IP address.

    In addition, I don't want to route traffic from behind the Azure Firewall to my FritzLan, I want every client in the FritzLan to use the VPN as default gateway, so full tunnel to Azure Firewall.

    Cheers,

    Bob

    EDIT: I set the object "any" as the local subnet on SFOS and the connection seems to be established... but no traffic goes through the tunnel.

    EDIT2: Tried an "any" rule on SFOS, traffic counter still 0. Tunnel green but no traffic. Maybe the Fritzbox is not sending traffic through the tunnel?

  • Ok, one step further... activated NAT-T in vpncfg.cfg:

    use_nat_t = yes;

    Now all traffic behind the Fritzbox is transferred over the VPN and can be seen on the Sophos Firewall. But now I have a DNS issue... if I add e.g. 8.8.8.8 on my local machine all works; if the DNS is received from the Fritzbox = no internet...

    EDIT: By adding 8.8.8.8 as DNS in DHCP on the Fritzbox all works fine. Seems to be some issue on the Azure Firewall regarding DNS requests from the Fritzbox subnet.

    EDIT2: Found the error. The DNS device access check box over VPN was missing (under Administration --> Device Access --> VPN Zone). Now all is working fine. Here, for your own use, is the complete vpncfg.cfg for the Fritzbox:

    vpncfg {
        connections {
            enabled = yes;
            conn_type = conntype_lan;
            name = "<name it as you like>";    <-- A COOL NAME
            always_renew = no;
            reject_not_encrypted = no;
            dont_filter_netbios = yes;
            localip = 0.0.0.0;
            local_virtualip = 0.0.0.0;
            remoteip = x.x.x.x;                <-- ENTER REMOTE GATEWAY WAN IP
            remote_virtualip = 0.0.0.0;
            localid {
                ipaddr = x.x.x.x;              <-- ENTER LOCAL GATEWAY WAN IP
            }
            remoteid {
                ipaddr = x.x.x.x;              <-- ENTER REMOTE GATEWAY WAN IP
            }
            mode = phase1_mode_idp;
            phase1ss = "dh14/aes/sha";
            keytype = connkeytype_pre_shared;
            key = "<very crazy password>";     <-- IMPORTANT
            cert_do_server_auth = no;
            use_nat_t = yes;
            use_xauth = no;
            use_cfgmode = no;
            phase2localid {
                ipnet {
                    ipaddr = x.x.x.x;          <-- LOCAL SUBNET OF FRITZBOX (e.g. 172.16.16.0)
                    mask = x.x.x.x;            <-- LOCAL SUBNET MASK OF FRITZBOX (e.g. 255.255.255.0)
                }
            }
            phase2remoteid {
                ipnet {
                    ipaddr = 0.0.0.0;
                    mask = 0.0.0.0;
                }
            }
            phase2ss = "esp-all-all/ah-none/comp-all/pfs";
            accesslist = "permit ip any 0.0.0.0 0.0.0.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
    }
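As an added example (not from the thread or from AVM), a small Python checker that parses the vpncfg.cfg syntax posted above and flags the settings the thread had to change before the full tunnel worked: phase2remoteid 0.0.0.0/0, use_nat_t = yes, an accesslist permitting any to 0.0.0.0 0.0.0.0, and a real pre-shared key in place of the placeholder. The embedded sample is constructed (documentation addresses, placeholder key, split-tunnel values) so that every check fires.

```python
import re

# Constructed sample in the vpncfg.cfg syntax posted above (documentation addresses, placeholder key, split-tunnel settings the checker flags).
SAMPLE_CFG = """vpncfg {
  connections {
    keytype = connkeytype_pre_shared;
    key = "<very crazy password>";
    use_nat_t = no;                       <-- constructed: NAT-T still off
    phase2localid { ipnet { ipaddr = 172.16.16.0; mask = 255.255.255.0; } }
    phase2remoteid { ipnet { ipaddr = 10.0.0.0; mask = 255.255.255.0; } }
    accesslist = "permit ip any 10.0.0.0 255.255.255.0";
  }
  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500";
}"""

TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,"]+')

def parse_vpncfg(text):
    """Parse the brace/semicolon vpncfg syntax into nested dicts (lists for multi-values)."""
    clean = "\n".join(line.split("<--")[0] for line in text.splitlines())  # drop annotations
    return _block(TOKEN.findall(clean), 0)[0]

def _block(tok, i):
    out = {}
    while i < len(tok) and tok[i] != "}":
        name, i = tok[i], i + 1
        if tok[i] == "{":                       # nested block: name { ... }
            out[name], i = _block(tok, i + 1)
        else:                                   # assignment: name = v1, v2, ...;
            vals, i = [], i + 1
            while tok[i] != ";":
                if tok[i] != ",":
                    vals.append(tok[i].strip('"'))
                i += 1
            out[name] = vals[0] if len(vals) == 1 else vals
        i += 1                                  # consume the closing "}" or ";"
    return out, i

def full_tunnel_findings(cfg):
    """List deviations from the settings the thread needed for a working full tunnel."""
    conn = cfg["vpncfg"]["connections"]
    remote = conn["phase2remoteid"]["ipnet"]
    findings = []
    if (remote["ipaddr"], remote["mask"]) != ("0.0.0.0", "0.0.0.0"):
        findings.append("phase2remoteid is not 0.0.0.0/0: only the remote subnet is tunnelled")
    if conn.get("use_nat_t") != "yes":
        findings.append("use_nat_t is not yes: traffic only entered the tunnel once NAT-T was on")
    if conn.get("accesslist") != "permit ip any 0.0.0.0 0.0.0.0":
        findings.append("accesslist does not permit any -> 0.0.0.0 0.0.0.0")
    if conn.get("keytype") != "connkeytype_pre_shared" or conn.get("key", "").startswith("<"):
        findings.append("pre-shared key is missing or still the placeholder")
    return findings
```

Run it against the real file with `full_tunnel_findings(parse_vpncfg(open("vpncfg.cfg").read()))`; an empty list means the FritzBox side matches the working configuration, the XG-side local subnet, VPN-to-WAN rule and DNS device access still have to be checked on the firewall.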