Site-to-site connection between Sophos XG and FritzBox: No Ping

Question

After lots of try and error, I finally got the connection between a FritzBox 6842 LTE and a Sophos XG Firewall running. Each device tells me that the connection is established and shows the right information about the local and the remote network. 
 Neither executing the ping command form the XG Firewall nor trying a traceroute do work. 
 In the /log/ipsec.log file the following error occurs during the connection: 
 up-client output: route: netmask and route address conflict 
 I am sure the network adresses are configured right. 
 What could be the problem?

JelkoSeiboth · Answer

Hi, 
 I finally got it all running. I just waited for the update to XG v17 and found a stable solution for this (rather undocumented) problem. 
 So anybody for who might has the same problems with a FritzBox (6842 LTE, but it should also work on others) behind a carrier-grade NAT, I want to share my solution/settings. 
 This is the config-file for the FritzBox: 
 vpncfg { connections { enabled = yes; conn_type = conntype_lan; name = "Sophos_IPSEC_ikev1_Mainmode"; always_renew = yes; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 12.34.45.56; // Change to Sophos External IP remote_virtualip = 0.0.0.0; localid { fqdn = "my.fqdn.net"; // Change } remoteid { ipaddr = "12.34.45.78"; // Change } mode = phase1_mode_idp; // Main Mode phase1ss = "dh14/aes/sha"; keytype = connkeytype_pre_shared; key = "xxx"; // has to be changed cert_do_server_auth = no; use_nat_t = yes; use_xauth = no; use_cfgmode = no; phase2localid { ipnet { ipaddr = 192.168.23.45; // change mask = 255.255.255.0; } } phase2remoteid { ipnet { ipaddr = 192.168.45.67; // change mask = 255.255.255.0; } } phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs"; accesslist = "permit ip any 192.168.45.67 255.255.255.0"; // change IP } ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500", "udp 0.0.0.0:4500 0.0.0.0:4500"; } // EOF Sophos XG: I will not add a picture of the general IPSec VPN settings on this point because it is trivial. You just have to enter the appropriate values for the IDs, select Site-to-Site as Connection Type and choose the right policy. The policy settings are a bit more tricky, so here is a picture of them: 
 
 As you can see, the authentication method (SHA1) is marked as insecure. Unfortunately AVM does not offer any better method for this, but it works. 
 There are two blog posts by Johannes Weber that helped me a lot (in German): 
 https://blog.webernetz.net/fritzos-ab-06-23-ipsec-p2-proposals-erweitert/ 
 https://blog.webernetz.net/ipsec-site-to-site-vpn-fortigate-fritzbox/ 
 
 Best regards, 
 Jelko