S2S between Azure SFOS and FritzBox

Hi folks,

I was able to establish a connection to the firewall on Azure by reading https://community.sophos.com/sophos-xg-firewall/f/discussions/127264/vpn---site-to-site-sophos-xg-v18x---fritzbox-v7-2x. Great, it works... the next step is to use the firewall in Azure as default gateway, so establish a VPN full tunnel and send all network traffic through the VPN. Any suggestions? Can't find any information regarding the cfg file to change. Maybe I read over that.

Cheers,

Bob

  • Ok, one step further... activated NAT-T in vpncfg.cfg:

    use_nat_t = yes;

    Now all traffic behind the Fritzbox is transferred over the VPN and can be seen on the Sophos Firewall. But now I have a DNS issue... by adding e.g. 8.8.8.8 on my local machine all works; by receiving the DNS from the Fritzbox = no internet...

    EDIT: By adding 8.8.8.8 as DNS in DHCP to the Fritzbox all works fine. Seems to be some issue on the Azure Firewall regarding DNS requests from Fritzbox Subnet.

    EDIT2: Found the error. The DNS device access check box over VPN was missing (under Administration --> Device Access --> VPN Zone). Now all is working fine. Here, for your own use, is the complete vpncfg.cfg for the Fritzbox:

    vpncfg {
        connections {
            enabled = yes;
            conn_type = conntype_lan;
            name = "<name it as you like>";         <-- A COOL NAME
            always_renew = no;
            reject_not_encrypted = no;
            dont_filter_netbios = yes;
            localip = 0.0.0.0;
            local_virtualip = 0.0.0.0;
            remoteip = x.x.x.x;                     <-- ENTER REMOTE GATEWAY WAN IP
            remote_virtualip = 0.0.0.0;
            localid {
                ipaddr = x.x.x.x;                   <-- ENTER LOCAL GATEWAY WAN IP
            }
            remoteid {
                ipaddr = x.x.x.x;                   <-- ENTER REMOTE GATEWAY WAN IP
            }
            mode = phase1_mode_idp;
            phase1ss = "dh14/aes/sha";
            keytype = connkeytype_pre_shared;
            key = "<very crazy password>";          <-- IMPORTANT
            cert_do_server_auth = no;
            use_nat_t = yes;
            use_xauth = no;
            use_cfgmode = no;
            phase2localid {
                ipnet {
                    ipaddr = x.x.x.x;               <-- LOCAL SUBNET OF FRITZBOX (e.g. 172.16.16.0)
                    mask = x.x.x.x;                 <-- LOCAL SUBNETMASK OF FRITZBOX (e.g. 255.255.255.0)
                }
            }
            phase2remoteid {
                ipnet {
                    ipaddr = 0.0.0.0;
                    mask = 0.0.0.0;
                }
            }
            phase2ss = "esp-all-all/ah-none/comp-all/pfs";
            accesslist = "permit ip any 0.0.0.0 0.0.0.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
    }
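
The config above gets a full tunnel from three settings working together: phase2remoteid of 0.0.0.0/0, an accesslist that permits every destination, and use_nat_t = yes (which is what finally moved traffic in the post). Before uploading a hand-edited vpncfg.cfg to a FRITZ!Box it is worth checking those invariants mechanically, because a leftover x.x.x.x or placeholder key fails silently. The following is an added example, not code from the thread, AVM or Sophos: a small parser for the brace/semicolon format as it appears in the pasted file (the grammar is inferred from that file and is an assumption), plus a checker for the full-tunnel invariants. The sample config, the documentation addresses in it and the 20-character key threshold are all constructed.

```python
import re

# Constructed sample: the thread's full-tunnel vpncfg with the WAN and LAN
# placeholders replaced by documentation addresses. The pre-shared key is
# deliberately left as the thread's "<very crazy password>" placeholder.
SAMPLE_CFG = """\
vpncfg {
    connections {
        enabled = yes;
        conn_type = conntype_lan;
        name = "azure-sfos";
        remoteip = 203.0.113.10;
        localid { ipaddr = 198.51.100.20; }
        remoteid { ipaddr = 203.0.113.10; }
        keytype = connkeytype_pre_shared;
        key = "<very crazy password>";
        use_nat_t = yes;
        phase2localid { ipnet { ipaddr = 172.16.16.0; mask = 255.255.255.0; } }
        phase2remoteid { ipnet { ipaddr = 0.0.0.0; mask = 0.0.0.0; } }
        accesslist = "permit ip any 0.0.0.0 0.0.0.0";
    }
    ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                        "udp 0.0.0.0:4500 0.0.0.0:4500";
}
"""

# Tokens: quoted strings, the structural characters { } ; = , and bare words.
TOKEN = re.compile(r'"[^"]*"|[{};=,]|[^\s{};=,"]+')


def parse_cfg(text):
    """Parse the pasted file's format into nested dicts.

    Assumed grammar: each statement is `name { ... }` or `name = v1, v2;`.
    A single value becomes a str, a comma-separated list becomes a list.
    """
    tokens = TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != "}":
            name = tokens[pos]
            pos += 1
            if tokens[pos] == "{":
                pos += 1
                out[name] = block()
                pos += 1            # consume the closing "}"
            elif tokens[pos] == "=":
                pos += 1
                values = []
                while tokens[pos] != ";":
                    if tokens[pos] != ",":
                        values.append(tokens[pos].strip('"'))
                    pos += 1
                pos += 1            # consume the ";"
                out[name] = values[0] if len(values) == 1 else values
            else:
                raise ValueError(f"unexpected {tokens[pos]!r} after {name!r}")
        return out

    return block()


def check_full_tunnel(cfg, min_key_len=20):
    """Return findings that would stop this being a usable full tunnel.

    The checks mirror the thread: remote net 0.0.0.0/0 plus a permit-any
    accesslist, NAT-T on, a real pre-shared key and no leftover x.x.x.x.
    min_key_len is an assumed local policy, not an AVM/Sophos requirement.
    """
    conn = cfg["vpncfg"]["connections"]
    findings = []
    remote = conn.get("phase2remoteid", {}).get("ipnet", {})
    if (remote.get("ipaddr"), remote.get("mask")) != ("0.0.0.0", "0.0.0.0"):
        findings.append("phase2remoteid is not 0.0.0.0/0; only that subnet is tunnelled")
    if conn.get("accesslist") != "permit ip any 0.0.0.0 0.0.0.0":
        findings.append("accesslist does not permit all destinations")
    if conn.get("use_nat_t") != "yes":
        findings.append("use_nat_t is not yes; the thread needed NAT-T before traffic flowed")
    key = conn.get("key", "")
    if key.startswith("<") or len(key) < min_key_len:
        findings.append("pre-shared key is a placeholder or shorter than policy allows")
    for field in ("remoteip", "localid", "remoteid"):
        value = conn.get(field)
        if value == "x.x.x.x" or (isinstance(value, dict) and value.get("ipaddr") == "x.x.x.x"):
            findings.append(f"{field} still contains the x.x.x.x placeholder")
    return findings


if __name__ == "__main__":
    for finding in check_full_tunnel(parse_cfg(SAMPLE_CFG)):
        print("finding:", finding)
```

Run against the sample as written it reports only the placeholder key; once a real key is filled in the findings list is empty, and narrowing phase2remoteid to a single subnet brings back a finding, which is the split-tunnel-by-accident case the original question was about.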
