Fortinet Sophos




1. The purpose of the article


This article will guide how to configure IPSec VPN Site-to-Site between two firewall devices Sophos XG and Fortinet FG.

2. Diagram


Details:

Site A:

  • The internet connection is attached through a media converter to Port 5 of the Sophos XG 85, which has the static WAN IP 203.205.26.x.
  • The LAN network 172.16.0.0/20 is configured on Port 1 of the Sophos XG 85.

Site B:

  • The internet connection is attached through a media converter to port WAN1 of the Fortinet FG 81E, which has the static WAN IP 203.205.35.x.
  • The LAN network 192.168.1.0/24 is configured on Port 1 of the Fortinet FG 81E.

3. Configuration scenario

We will configure an IPSec VPN Site-to-Site between the Sophos XG 85 and Fortinet FG 81E devices so that the LAN networks of the two sites, 172.16.0.0/20 and 192.168.1.0/24, can reach each other.

4. What to do

Fortinet FG 81E:

  • Create VPN Tunnels
  • Create Static Route
  • Create Policy

Sophos XG 85:

  • Create subnet
  • Create IPSec Policies
  • Create IPSec Connection

Result

5. Configuration

5.1. Fortinet FG 81E


5.1.1. Create VPN Tunnels

To create the VPN tunnel, go to VPN > IPSec Tunnels and click Create New.

The VPN Create Wizard panel appears; enter the following configuration information:

  • Name: VPN_FG_2SOPHOS
  • Template type: select Custom.
  • Click Next

We will configure the Network table with the following parameters:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: enter the WAN IP of the Sophos XG 85 device, 203.205.26.x
  • Interface: select the WAN port of the Fortinet device used to establish the VPN connection; according to the diagram this is WAN1
  • Local Gateway: turn off
  • Mode Config: uncheck
  • NAT Traversal: select Disable
  • Dead Peer Detection: select Disable

Authentication panel:

  • Method: select Pre-shared Key
  • Pre-shared Key: enter the password to establish the VPN connection (note that this password must be set the same on both Sophos and Fortinet devices).
  • IKE Version: 1
  • IKE Mode: Main(ID protection)

Phase 1 Proposal panel:

  • Encryption: AES256
  • Authentication: SHA256
  • Diffie-Hellman Group: select 14
  • Key Lifetime (seconds): 5400

XAUTH panel:

  • Type: select Disable

Phase 2 Selectors panel:

  • Local Address: select Subnet and enter the LAN network 192.168.1.0/24 of Fortinet.
  • Remote Address: select Subnet and enter the LAN network 172.16.0.0/20 of Sophos.
  • Click Advanced… to show the Phase 2 Proposal.

Phase 2 Proposal panel:

  • Encryption: AES128
  • Authentication: SHA256
  • Enable Perfect Forward Secrecy: uncheck
  • Key Lifetime: select Seconds
  • Seconds: 3600

Click OK to create IPSec Tunnels.

5.1.2. Create Static Routes

We need a static route that sends traffic destined for the Sophos LAN into the VPN tunnel we just created on the Fortinet firewall.

To create it, go to Network > Static Routes and click Create New.

Configure according to the following parameters:

  • Destination: enter the LAN network of the Sophos XG 85 device, 172.16.0.0/24.
  • Interface: select the IPSec tunnel VPN_FG_2_SOPHOS just created.
  • Status: select Enable.
  • Click OK to Save.

5.1.3. Create Policy

We need to create a policy so that the VPN connection can access Fortinet’s LAN and vice versa.

To create the policy, go to Policy & Objects > IPv4 Policy and click Create New.

Configure the policy that allows traffic from Fortinet's LAN network to Sophos's LAN network according to the following parameters:

  • Name: VPN_FG_2_SOPHOS
  • Incoming Interface: VLAN-KH (the LAN 1 interface)
  • Outgoing Interface: Select VPN Tunnels VPN_FG_2_SOPHOS just created
  • Source: Select VLAN-KH address
  • Destination: Select VLAN_Sophos
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: Turn on and select All Session
  • Enable this policy: ON
  • Click OK to save

Configure the policy that allows traffic from Sophos's LAN network to Fortinet's LAN network according to the following parameters:

  • Name: VPN_SOPHOS_2_FG
  • Incoming Interface: Select VPN Tunnels VPN_FG_2_SOPHOS just created
  • Outgoing Interface: VLAN-KH (the LAN 1 interface)
  • Source: Select VLAN_Sophos
  • Destination: Select VLAN-KH address
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: Turn on and select All Session
  • Enable this policy: ON
  • Click OK to save
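The same FortiGate-side configuration (sections 5.1.1 to 5.1.3) expressed in the FortiOS CLI, as an added example rather than output from the author's device. It assumes the WAN port is `wan1`, that an address object named `VLAN-KH` covers the 192.168.1.0/24 LAN behind the `VLAN-KH` interface, that `VLAN_Sophos` is defined here as the Sophos LAN 172.16.0.0/20 (the prefix in the diagram and the 255.255.240.0 mask of section 5.2.1), and that `<PSK-PLACEHOLDER>` is replaced by the shared secret:

```fortios
config firewall address
    edit "VLAN_Sophos"
        set subnet 172.16.0.0 255.255.240.0
    next
end
# Phase 1: IKEv1 main mode (default), AES256/SHA256, DH14, 5400 s, NAT-T and DPD off
config vpn ipsec phase1-interface
    edit "VPN_FG_2SOPHOS"
        set interface "wan1"
        set ike-version 1
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 5400
        set nattraversal disable
        set dpd disable
        set remote-gw 203.205.26.x
        set psksecret <PSK-PLACEHOLDER>
    next
end
# Phase 2: AES128/SHA256, PFS off, 3600 s, LAN-to-LAN selectors
config vpn ipsec phase2-interface
    edit "VPN_FG_2SOPHOS"
        set phase1name "VPN_FG_2SOPHOS"
        set proposal aes128-sha256
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 172.16.0.0 255.255.240.0
    next
end
config router static
    edit 0
        set dst 172.16.0.0 255.255.240.0
        set device "VPN_FG_2SOPHOS"
    next
end
# Policy LAN -> tunnel; the return policy is the same with srcintf/dstintf and addresses swapped
config firewall policy
    edit 0
        set name "VPN_FG_2_SOPHOS"
        set srcintf "VLAN-KH"
        set dstintf "VPN_FG_2SOPHOS"
        set srcaddr "VLAN-KH"
        set dstaddr "VLAN_Sophos"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Without a policy that references the tunnel interface the FortiGate has no reason to bring the tunnel up, so both policies should exist before testing.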

5.2. Sophos XG 85

5.2.1. Create subnet

We will create network objects for Sophos's 172.16.0.0/24 LAN network and Fortinet's 192.168.1.0/24 LAN network.

Go to Hosts and services, click Add, and enter the following information.

Subnet Sophos:

  • Name: LAN_Q9DQH_HEAD
  • IP Version: IPv4
  • Type: Network
  • IP address: 172.16.0.0 – Subnet: 255.255.240.0
  • Click Save

Subnet Fortinet:

  • Name: LAN_KH_FG
  • IP Version: IPv4
  • Type: Network
  • IP address: 192.168.1.0 – Subnet: 255.255.255.0
  • Click Save

5.2.2. Create IPSec Policies

To create IPSec Policies go to VPN > IPSec policies and click Add.

Configure according to the following parameters.

General Settings panel:

  • Name: VPN_SOPHOS_2_FG
  • Key exchange: IKEv1
  • Authentication mode: Main mode

Phase 1 panel:

  • Key life: 5400
  • Re-key margin: 360
  • Randomize re-keying margin by: 50
  • DH group (key group): 14 (DH2048)
  • Encryption: AES256
  • Authentication: SHA2 256

Phase 2 panel:

  • PFS group (DH group): None
  • Key life: 3600
  • Encryption: AES128
  • Authentication: SHA2 256

Dead Peer Detection panel:

  • Dead Peer Detection: check
  • Check peer after every: 30
  • Wait for response up to: 120
  • When peer unreachable: Re-initiate

Click Save.

5.2.3. Create IPSec Connection

To create it, go to VPN > IPSec Connection and click Add.

Configure according to the following parameters.

General settings panel:

  • Name: VPN_SOPHOS_2_FG
  • IP version: IPv4
  • Connection type: Site-to-site
  • Gateway type: Initiate the connection
  • Check Create firewall rule

Encryption panel:

  • Policy: select VPN_SOPHOS_2_FG
  • Authentication type: select Preshared key
  • Preshared key: enter the VPN connection password (note it must be the same as the Fortinet device side)
  • Repeat preshared key: re-enter the connection password

Gateway settings panel:

  • Listening interface: select Port5-203.205.26.x
  • Local Subnet: select subnet LAN_Q9DQH_Head just created.
  • Gateway address: enter IP WAN of Fortinet 203.205.35.x
  • Remote subnet: select subnet LAN_KH_FG

Click Save


5.3. Result

Going back to IPSec Connection, we see that the VPN connection we just created is not enabled yet.

Click the dot in the Active column and click OK to turn on the VPN connection; the dot then turns green.

After 2 to 3 seconds the round dot in the Connection column also turns green, meaning the VPN connection between the Sophos and Fortinet devices has been established successfully.

Switching to the Fortinet device, you can check whether the VPN connection is up by going to Monitor > IPSec Monitor.

You should see that the VPN connection has been established and that Incoming Data and Outgoing Data traffic is flowing.
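The same check from the FortiGate CLI, as an added example that is not part of the original article. It assumes the tunnel name `VPN_FG_2SOPHOS` from section 5.1.1 and the masked Sophos WAN IP 203.205.26.x; the `log-filter` syntax shown is the FortiOS 6.x/7.0 form and differs on newer releases:

```fortios
# Phase 1 (IKE) status: the gateway for this peer should show as established
diagnose vpn ike gateway list name VPN_FG_2SOPHOS
# Phase 2 (IPsec SA) status: inbound/outbound SPIs present and byte counters rising
diagnose vpn tunnel list name VPN_FG_2SOPHOS
# One-line summary of all tunnels and their up/down state
get vpn ipsec tunnel summary
# If the tunnel stays down, capture the IKE negotiation for this peer only
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 203.205.26.x
diagnose debug application ike -1
diagnose debug enable
# ... ping a host in 172.16.0.0/20 from 192.168.1.0/24 to trigger negotiation, then stop:
diagnose debug disable
diagnose debug reset
```

Proposal, lifetime, DH group or pre-shared key mismatches between the two sides show up in this IKE output as rejected or unanswered exchanges rather than as an established gateway.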

