Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
wcruvinel
Staff
Staff

Created on ‎12-27-2023 10:27 AM Edited on ‎12-28-2023 10:43 AM By Moderator

Article Id 291023

Technical Tip: Set up IPsec VPN between FortiGate and Sophos XG using IKEv2

Description This article describes how to set up an IPsec VPN between FortiGate and Sophos XG using IKEv2.
Scope FortiGate, IPsec VPN.
Solution

Network Diagram.

 

diagram.PNG

 

Configuration:

 

FortiGate.

 

Create IPsec phases and tunnels.

  • Go to VPN -> IPsec tunnels and select Create New.

ipsec.PNG

 

  • Under VPN Setup, enter a Name.
  • Set the Template Type to Custom.

 

ipsec2.PNG

 

  • Click Next.
  • Under Network, set IP Version to IPv4.
  • Set Remote Gateway to Static IP Address.
  • For IP Address, enter the WAN IP address of the Sophos Firewall (for example: 10.55.3.1).
  • Set NAT Transversal to Disable (It can be enabled, but it must be the same on the other side.) and Dead Peer Detection to On Demand.
  • Under Authentication, set Method to Pre-shared Key.
  • Enter the Pre-shared Key.
  • In IKE, set Version to 2.
  • Under Peer Options, set Accept Types to Any peer ID.

 

ipsec3.png

 

Configure Phase 1 Parameters

  • Set Encryption to AES256 and Authentication to SHA512.
  • Click Add and set Encryption to AES256 and Authentication to SHA384.
  • For Diffie-Helman Groups, select 16, 19 and 21.
  • For Key Lifetime, enter 5400 seconds.

ipsec4.PNG

 

Configure Phase 2 Parameters:

 

• Under Phase 2 Selectors, enter a Name.
• Set Local Address to Subnet and enter the LAN IP address of Fortigate appliance. (For example: 192.168.50.0/24).
• Set Remote Address to Subnet and enter the LAN IP address of XG Firewall. (For example: 192.168.62.0/24).
• Expand the Advanced section.
• Under Phase 2 Proposal, set Encryption to AES256 and Authentication to SHA512.
• Select Add and set Encryption to AES256 and Authentication to SHA384.
• Select Enable Replay Detection and Enable Perfect Forward Secrecy (PFS).
• For Diffie-Hellman Group, select 16, 19 and 21.
• For Local Port, Remote Port and Protocol, select All.
• Select Auto-negotiate.
• Set Key Lifetime to Seconds and enter 3600 in Seconds.

 

ipsec5.png

 

Select OK.

 

Create a Static Route for the VPN Tunnel.

 

Go to Network -> Static Routes and select Create New.

 

static.png

 

• For Destination, select Subnet and enter the LAN IP address of the XG Firewall. (For example: 192.168.50.0/24.)
• Set Device to the IPsec tunnel created previously. (For example: Forti-SFIKEv2.)
• For Administrative Distance, enter 10.
• Set Status to Enabled.

 

static2.png

 

Select OK.

 

Create Firewall Rules.

 

  • Go to Policy & Objects -> IPv4 Policy and select Create New.

policy.PNG

 

  • Enter a Name.
  • Set Incoming Interface to the LAN interface of Fortigate appliance. (Example: Forti-SFIKEv2.)
  • Set Outgoing Interface to the IPsec tunnel you have created. (Example: vlan680 (port1).)
  • For Source, Destination and Service, select all.
  • Set Schedule to always.

ipsec7.PNG

 

  • Similarly, create another firewall policy for traffic from XG Firewall to the FortiGate appliance.

 

ipsec8.PNG

 

Note: Turn off NAT if NAT-T will not be used in the VPN Profile.

Select OK.


ipsec9.PNG

 

Sophos XG Firewall.

 

Create an IPsec Connection.


• Go to Configure -> VPN -> IPsec Connections and select Add.
• Under General Settings, enter a Name.
• Set IP Version to IPv4, Connection Type to Site-to-Site and Gateway Type to Respond Only.
• Select Activate on Save.

 

sophos.PNG

 

  • Under Encryption, set Policy to IKEv2.
  • Set Authentication Type to Preshared Key, enter the Preshared Key and Repeat Preshared Key.

sophos2.PNG

 

  • Under Gateway Settings - Local Gateway, set Listening Interface to the WAN IP address of XG Firewall (for example: PortE1.690 - 10.55.3.1), and set Local Subnet to LAN.
  • Under Gateway Settings - Remote Gateway, set Gateway Address to the WAN IP address of FortiGate appliance (for example: 10.55.4.1), and set Remote Subnet to Forti_LAN.

 

sophos3.PNG

 

  • Under Advanced, set User Authentication Mode to None.

 

sophos4.PNG

 

Create a Firewall Rule

  • Go to Protect -> Firewall and click Add Firewall Rule.
  • Enter a Rule Name.
  • For Sources Zones, select LAN. For Destination Zones, select VPN.
  • Under Identity, clear the Match known users check box.

sophos5.PNG

 

  • Similarly, create a firewall rule for VPN to LAN traffic.

 

sophos6.PNG

 

  • Select Log Firewall Traffic.

sophos7.PNG

 

Select Save.

 

Enable IPsec Connection.

  • Go to Configure > VPN > IPsec Connections.
  • Under Status, select Active and Connection to activate the connection.

sophos8.PNG

 

Verify VPN status on FortiGate.

  • Go to Monitor -> IPsec Monitor.

 

monitor.PNG

 

Tunnel details are displayed. If the status is Down, select the tunnel and select Bring Up to initiate the tunnel.

 

monitor2.png
11864
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.