Site-to-site connection between Sophos XG and FritzBox: No Ping

After lots of trial and error, I finally got the connection between a FritzBox 6842 LTE and a Sophos XG Firewall running. Each device tells me that the connection is established and shows the right information about the local and the remote network.

Neither executing the ping command from the XG Firewall nor running a traceroute works.

In the /log/ipsec.log file the following error occurs during the connection:

up-client output: route: netmask and route address conflict


I am sure the network addresses are configured right.

What could be the problem?

  • Hi,

    I finally got it all running. I just waited for the update to XG v17 and found a stable solution for this (rather undocumented) problem.

    So for anybody who might have the same problems with a FritzBox (6842 LTE, but it should also work on others) behind a carrier-grade NAT, I want to share my solution/settings.

    This is the config-file for the FritzBox:

    vpncfg {
            connections {
                    enabled = yes;
                    conn_type = conntype_lan;               // LAN-to-LAN (site-to-site) tunnel
                    name = "Sophos_IPSEC_ikev1_Mainmode";
                    always_renew = yes;                     // keep the tunnel up permanently
                    reject_not_encrypted = no;
                    dont_filter_netbios = yes;
                    localip = 0.0.0.0;                      // no fixed public IP: the box sits behind carrier-grade NAT
                    local_virtualip = 0.0.0.0;
                    remoteip = 12.34.45.56; // Change to Sophos External IP
                    remote_virtualip = 0.0.0.0;
                    localid {
                            fqdn = "my.fqdn.net"; // Change: the FritzBox identifies itself by FQDN
                    }
                    remoteid {
                            ipaddr = "12.34.45.78"; // Change: the ID the Sophos XG presents
                    }
                    mode = phase1_mode_idp; // Main Mode
                    phase1ss = "dh14/aes/sha";              // IKE phase 1: DH group 14, AES, SHA1
                    keytype = connkeytype_pre_shared;
                    key = "xxx"; // has to be changed
                    cert_do_server_auth = no;
                    use_nat_t = yes;                        // NAT traversal (UDP 4500) is required behind CGNAT
                    use_xauth = no;
                    use_cfgmode = no;
                    phase2localid {
                            ipnet {
                                    ipaddr = 192.168.23.45; // change to the FritzBox LAN network address
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2remoteid {
                            ipnet {
                                    ipaddr = 192.168.45.67; // change to the Sophos LAN network address
                                    mask = 255.255.255.0;
                            }
                    }
                    phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs"; // ESP with AES-256 or 3DES, SHA1, no AH, no compression, PFS on
                    accesslist = "permit ip any 192.168.45.67 255.255.255.0"; // change IP: traffic to the Sophos LAN goes into the tunnel
            }
            ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",      // deliver IKE and NAT-T packets to the box itself
                                "udp 0.0.0.0:4500 0.0.0.0:4500";
    }

    // EOF

    Sophos XG:

    I will not add a picture of the general IPSec VPN settings at this point because it is trivial. You just have to enter the appropriate values for the IDs, select Site-to-Site as Connection Type and choose the right policy. The policy settings are a bit more tricky, so here is a picture of them:

    As you can see, the authentication method (SHA1) is marked as insecure. Unfortunately AVM does not offer any better method for this, but it works.

    There are two blog posts by Johannes Weber that helped me a lot (in German):

    https://blog.webernetz.net/fritzos-ab-06-23-ipsec-p2-proposals-erweitert/

    https://blog.webernetz.net/ipsec-site-to-site-vpn-fortigate-fritzbox/


    Best regards,

    Jelko

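The `route: netmask and route address conflict` line from the original post is what the `route` utility prints when a route destination has bits set outside its netmask, that is, when a subnet was entered as a host address (192.168.23.45/24 instead of 192.168.23.0/24) on either peer. As an added example that is not part of the thread, this Python check parses the phase 2 selectors of a FritzBox vpncfg block and reports every selector that should be rewritten as its network address; the `SAMPLE_VPNCFG` text (built from the posted placeholder values) and the regular expressions are my assumptions about the syntax shown in the post.

```python
import re
import ipaddress

# Constructed sample input: the phase 2 selectors and access list from the
# posted FritzBox config, with its placeholder values (host bits set in a /24).
SAMPLE_VPNCFG = """
phase2localid {
        ipnet {
                ipaddr = 192.168.23.45;
                mask = 255.255.255.0;
        }
}
phase2remoteid {
        ipnet {
                ipaddr = 192.168.45.67;
                mask = 255.255.255.0;
        }
}
accesslist = "permit ip any 192.168.45.67 255.255.255.0";
"""

# Assumed syntax: "phase2<side>id { ipnet { ipaddr = A; mask = M; } }"
IPNET_RE = re.compile(
    r"(phase2(?:local|remote)id)\s*\{\s*ipnet\s*\{\s*"
    r"ipaddr\s*=\s*([\d.]+);\s*mask\s*=\s*([\d.]+);")
ACL_RE = re.compile(r'accesslist\s*=\s*"permit ip any ([\d.]+) ([\d.]+)"')


def host_bits(addr: str, mask: str) -> int:
    """Bits of addr that lie outside mask. A non-zero result is exactly the
    condition under which route refuses the destination with
    "netmask and route address conflict"."""
    return int(ipaddress.IPv4Address(addr)) & ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF


def check_selectors(cfg: str) -> list:
    """Return (field, given, corrected) for every selector written as a host
    address instead of the network address its mask implies."""
    pairs = list(IPNET_RE.findall(cfg))
    pairs += [("accesslist", a, m) for a, m in ACL_RE.findall(cfg)]
    findings = []
    for field, addr, mask in pairs:
        if host_bits(addr, mask):
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            findings.append((field, f"{addr} {mask}", f"{net.network_address} {mask}"))
    return findings


if __name__ == "__main__":
    for field, given, fixed in check_selectors(SAMPLE_VPNCFG):
        print(f"{field}: {given} has host bits set; use {fixed}")
```

The same rule applies to the local and remote subnets entered on the Sophos XG side, since its up-client script installs the route to the remote network from those values.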