S2S between Azure SFOS and FritzBox

Question

Hi folks, 
 I was able to establish a connection to the firewall on Azure by reading https://community.sophos.com/sophos-xg-firewall/f/discussions/127264/vpn---site-to-site-sophos-xg-v18x---fritzbox-v7-2x . Great, works... the next step is to use the firewall in Azure as default gateway, so establish a VPN full tunnel and send all network traffic through VPN. Any suggestions? Cant find any information regarding the cfg file to change. Maybe I read over that. 
 Cheers, 
 Bob

Bob The Rock · Accepted Answer

Ok, one step further... activated NAT-T in vpncfg.cfg: use_nat_t = yes; Now all traffic behind Fritzbox is transfered over the VPN and can be seen on Sophos Firewall. But now I have a DNS issue... by adding e.g. 8.8.8.8 into my local machine all works, by receiving the DNS from the Fritzbox = no internet... EDIT: By adding 8.8.8.8 as DNS in DHCP to the Fritzbox all works fine. Seems to be some issue on the Azure Firewall regarding DNS requests from Fritzbox Subnet. EDIT2: Found the error. DNS device access check box over VPN was missing (under Administration --> Device Access --> VPN Zone). Now all is working fine. Here for your own purpose the complete vpncfg.cfg for the Fritzbox: vpncfg { connections { enabled = yes; conn_type = conntype_lan; name = ""; <-- A COOL NAME always_renew = no; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = x.x.x.x; <-- ENTER REMOTE GATEWAY WAN IP remote_virtualip = 0.0.0.0; localid { ipaddr = x.x.x.x; <-- ENTER LOCAL GATEWAY WAN IP } remoteid { ipaddr = x.x.x.x; <-- ENTER REMOTE GATEWAY WAN IP } mode = phase1_mode_idp; phase1ss = "dh14/aes/sha"; keytype = connkeytype_pre_shared; key = ""; <-- IMPORTANT cert_do_server_auth = no; use_nat_t = yes; use_xauth = no; use_cfgmode = no; phase2localid { ipnet { ipaddr = x.x.x.x; <-- LOCAL SUBNET OF FRITZBOX (e.g. 172.16.16.0) mask = x.x.x.x; <-- LOCAL SUBNETMASK OF FRITZBOX (e.g. 255.255.255.0) } } phase2remoteid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } } phase2ss = "esp-all-all/ah-none/comp-all/pfs"; accesslist = "permit ip any 0.0.0.0 0.0.0.0"; } ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; }

FormerMember · Answer

Hi Bob The Rock , 
 Thank you for reaching out to Sophos Community. 
 Assuming you want to route FritzBox network internet traffic from XG firewall over the IPsec VPN. 
 In order to do that you need to change below parameters in IPsec tunnel. 
 ==> At FritzBox, define phase2remoteid as below. 
 phase2remoteid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } 
 ==> At XG, define local subnet as 0.0.0.0/0. Also, add VPN to WAN firewall rule for FritzBox network.

S2S between Azure SFOS and FritzBox

Top Replies