The experimenter who does not know what he is looking for will not understand what he finds. (Claude Bernard)
How to configure IPsec VPN between Fortinet and Sophos Firewall
Thanks to: https://ictfella.com/
This post documents the process of configuring a static IPsec VPN between a Fortinet FortiGate and a Sophos UTM firewall.
Environment
1x Fortinet FortiGate firewall cluster running in active-passive mode
1x Sophos UTM firewall
Both sides have a static public IP assigned
Phase 1 and Phase 2 use the same encryption (AES256) and authentication (SHA256) algorithms; Diffie-Hellman Groups 14 and 5 are selected for the key exchange.
Configure the FortiGate firewall
Go to “VPN” – “IPsec Wizard”, start the new VPN wizard, give it a sensible name and choose “Custom” as the template type.
Choose “Static IP Address” as the Remote Gateway, enter Site B's public IP address and choose your “WAN” port as the source interface.
In the Authentication and Phase 1 Proposal section, we have chosen:
1. Pre-Shared Key
2. IKE V1
3. Main (ID protection) mode
4. AES256 for Encryption and SHA256 for Authentication
5. Diffie-Hellman Groups 14 and 5
6. Key lifetime: 86400 seconds
7. XAuth: disabled
In Phase 2 Selectors, we have defined the local and remote subnets, and the same encryption and authentication algorithms for the Phase 2 proposal:
Add a new route to the Site B subnet:
Add the needed policies in both directions to allow the inter-site traffic; make sure NAT is disabled for inter-site traffic.
Sophos UTM Firewall
In the “Remote Gateway” tab, add a new remote gateway to match the FortiGate firewall configuration.
In the “Policies” tab, add a new IPsec policy to match the FortiGate firewall configuration.
In the “Connection” tab, link the remote gateway and policy together, and make sure the new IPsec connection is switched on.
Bring up the IPsec interface on the FortiGate firewall
Go to the “Dashboard” – “Network” – “IPsec” widget to see your IPsec interface status.
If you want to bring up the IPsec interface manually, click into the widget and bring it up.