Sophos Firewall - Configuring a Site-to-Site IPsec VPN Between Sophos and Cyberoam Using a Preshared Key


IT Staff Tutorial & Tips - This note walks through the steps to configure a site-to-site IPsec VPN between a Sophos XG 210 and a Cyberoam CR50ia using a preshared key. One of the groups in Batam already uses a Cyberoam firewall, so the two products have to be paired.

Here is the topology and the scenario:


[Figure: Network Diagram, Site-to-Site IPsec VPN Between Sophos and Cyberoam - ITSTAFF.web.id]


Location                  | JAKARTA            | BATAM
Site                      | Head Office        | Branch Office
Device                    | Sophos XG 210      | Cyberoam CR50ia
Device IP                 | 192.168.101.254    | 192.168.231.254
LAN Subnet                | 192.168.101.0/24   | 192.168.231.0/24
LAN Port                  | Port6              | PortF
WAN Bandwidth             | Dedicated 30 Mbps  | Shared 100 Mbps
WAN IP                    | 103.138.40.11      | Dynamic IP
WAN Port                  | Port1              | PortA
IPsec Connection Type     | Site-to-Site       | Site-to-Site
IPsec Gateway Type        | Respond only       | Initiate the connection
IPsec Policy              | DefaultHeadOffice  | DefaultBranchOfficeForXG
IPsec Authentication Type | Preshared key      | Preshared key

All right then, without further ado, let's start the configuration...

1. Configuring XG210-JAKARTA

  • Log in to the Sophos XG 210 firewall, then add the Jakarta and Palembang LAN subnets: click SYSTEM Host and services ⇒ IP host ⇒ Add
    • Local LAN (Jakarta Subnet)

      [Screenshot: IP host Jakarta - ITSTAFF.web.id]

    • Remote LAN (Batam Subnet)

      [Screenshot: IP host Batam - ITSTAFF.web.id]

    • ⇒ Save


  • Create the IPsec VPN connection: click CONFIGURE VPN ⇒ IPsec connections ⇒ Add
    • General settings
      • Name: VPN_BATAM
      • Description: via WANP1
      • IP version: IPv4
      • Connection type: Site-to-Site
      • Gateway type: Respond only
      • Active on save: checked
      • Create firewall rule: unchecked
    • Encryption
      • Policy: DefaultHeadOffice
      • Authentication type: Preshared key
        • Preshared key: IPSecJktTOBtm098765
        • Repeat preshared key: IPSecJktTOBtm098765
    • Gateway settings
      • Local gateway
        • Listening interface: Port1 (WANP1)
        • Local ID type: Select local ID (default)
        • Local subnet ⇒ Add new item: 101.168.192_JKT
      • Remote gateway
        • Gateway address: *
        • Remote ID type: Select remote ID (default)
        • Remote subnet ⇒ Add new item: 231.168.192_BTM
      • Network Address Translation (NAT): unchecked
    • Advanced
      • User authentication mode: None
    • ⇒ Save


  • After that, create two firewall rules for the IPsec VPN traffic: click PROTECT Firewall (v17) / Rules and policies (v18) ⇒ + Add firewall rule ⇒ User/network rule
    • Rule name *: LAN_VPN_BATAM
    • Action: Accept
    • Rule position: Top
    • Rule group: LAN to VPN
    • Source
      • Source zones * ⇒ Add new item: LAN
      • Source networks and devices * ⇒ Add new item: 101.168.192_JKT
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: VPN
      • Destination networks * ⇒ Add new item: 231.168.192_BTM
      • Services *: Any
    • Identity (v17)
      • Match known users: unchecked
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked and set to None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked and set to None
    • Log traffic
      • Log firewall traffic: checked
    • ⇒ Save

  • Create one more firewall rule
    • Rule name *: VPN_LAN_BATAM
    • Action: Accept
    • Rule position: Top
    • Rule group: VPN to LAN
    • Source
      • Source zones * ⇒ Add new item: VPN
      • Source networks and devices * ⇒ Add new item: 231.168.192_BTM
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: LAN
      • Destination networks * ⇒ Add new item: 101.168.192_JKT
      • Services *: Any
    • Identity (v17)
      • Match known users: unchecked
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked and set to None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked and set to None
    • Log traffic
      • Log firewall traffic: checked
    • ⇒ Save


2. Configuring CR50IA-BATAM

  • Log in to the Cyberoam CR50ia firewall, then add the Batam and Jakarta LAN subnets: click OBJECTS Hosts ⇒ IP Host ⇒ Add
    • Local LAN (Batam Subnet)

      [Screenshot: IP Host Batam - ITSTAFF.web.id]

    • Remote LAN (Jakarta Subnet)

      [Screenshot: IP Host Jakarta - ITSTAFF.web.id]

    • OK


  • Next, create the IPsec profile. Here I follow the parameters of the DefaultBranchOffice IPsec profile on the Sophos XG 210: click VPN Policy ⇒ Add
    • General Settings
      • Name* : DefaultBranchOfficeForXG
      • Allow Re-keying: checked Enable
      • Key Negotiation Tries* : 0
      • Authentication Mode* : Main Mode
      • Pass Data In Compressed Format : unchecked
      • Phase 1 & 2

        [Screenshot: Cyberoam IPsec Policy DefaultBranchOffice - ITSTAFF.web.id]


      • ⇒ OK

  • After creating the IPsec policy, create the IPsec VPN connection, still under VPN IPSec Connection ⇒ Add
    • General settings
      • Name* : VPN_JAKARTA
      • Description : via WANPA
      • Connection Type* : Site-to-Site
      • Policy* : DefaultBranchOfficeForXG
      • Action on VPN Restart* : Initiate
    • Route Based Connection
      • Bind With An Interface : unchecked Enable
    • Authentication Details
      • Authentication Type* : Preshared Key
      • Preshared Key* : IPSecJktTOBtm098765
    • Endpoints Details
      • Local* : PortA (WANPA)
      • Remote* : 103.138.40.11
    • Network Detail
      • IP Family* : IPv4
    • Local
      • Local Subnet* ⇒ Add: 231.168.192_BTM
      • NATed LAN : Same as Local LAN address
      • Local ID : Select Local ID (default)
    • Remote
      • Allow NAT Traversal : unchecked Enable 
      • Remote LAN Network* : 101.168.192_JKT
      • Remote ID : Select Remote ID (default)
    • User Authentication
      • User Authentication Mode* : Disable
    • Quick Mode Selectors
      • Protocol* : All
    • ⇒ OK


  • Next, create two firewall rules for the IPsec VPN traffic: click FIREWALL Rule ⇒ Add
    • Rule Name
      • Name* : LAN to VPN
    • Basic Settings
      • Source
        • Zone * : LAN
        • Attach Identity : unchecked
        • Network / Host * ⇒ Add 231.168.192_BTM
        • Services * : Any Services
        • Schedule : All The Time
        • Action * : Accept
      • Destination
        • Zone * : VPN
        • Network / Host * ⇒ Add 101.168.192_JKT
    • Security Policies : None, all unchecked
    • QoS & Routing Policy : None (default)
    • Log Traffic : checked Enable
    • ⇒ OK

  • Create one more firewall rule
    • Rule Name
      • Name* : VPN to LAN
    • Basic Settings
      • Source
        • Zone * : VPN
        • Attach Identity : unchecked
        • Network / Host * ⇒ Add 101.168.192_JKT
        • Services * : Any Services
        • Schedule : All The Time
        • Action * : Accept
      • Destination
        • Zone * : LAN
        • Network / Host * ⇒ Add 231.168.192_BTM
    • Security Policies : None, all unchecked
    • QoS & Routing Policy : None (default)
    • Log Traffic : checked Enable
    • ⇒ OK

After configuring both firewalls, check the status of the IPsec VPN connection you just created on XG210-JAKARTA and CR50IA-BATAM.
  • Status on XG210-JAKARTA: click CONFIGURE VPN ⇒ IPsec connections

    [Screenshot: Status IPsec VPN Sophos XG210 - ITSTAFF.web.id]

  • Status on CR50IA-BATAM: click VPN IPSec ⇒ Connection

    [Screenshot: Status IPsec VPN Cyberoam CR50ia - ITSTAFF.web.id]

Once the Status shows Active and the Connection indicator is green, test with a ping from a device behind each firewall, for example a local desktop PC in Jakarta and one in Batam, to confirm that the site-to-site IPsec VPN is working normally. If you still get Request timed out, check the firewall Rules and Policies (LAN to VPN and VPN to LAN).

That is all that is needed to build an IPsec VPN connection with a preshared key between a Sophos XG210 and a Cyberoam CR50ia. The configuration above can also be applied to the Sophos XG Firewall series and the Cyberoam Firewall series. I hope this note is useful for me and for whoever reads it.

NOTES
1. Make sure that VPN Firewall Rules are on the top of the Firewall Rule list.
2. In a Head and Branch Office configuration, the Cyberoam Firewall on the Branch office usually acts as the tunnel initiator and the Sophos Firewall on the Head Office as a responder due to the following reasons:
  • When the Branch Office device is configured with a Dynamic IP address, the Head Office device cannot initiate the connection.
  • As the number of Branch Offices varies, it is recommended that each Branch Office retries the connection instead of the Head Office retrying all connections to the Branch Offices.
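As an added example (not code from the ITSTAFF.web.id post), a small Python pre-flight check that the two ends of the tunnel mirror each other the way the table and the notes above require: the same preshared key, each side's local subnet equal to the other side's remote subnet, non-overlapping LANs, and the dynamic-IP branch as initiator against a "respond only" head office whose gateway address is *. The two dictionaries are constructed from the tutorial's table; the field names are this example's own.

```python
import ipaddress

# Constructed from the tutorial's table (field names are this example's own).
JAKARTA = {  # Sophos XG 210, head office, responder
    "wan_ip": "103.138.40.11", "gateway_type": "respond_only",
    "peer_gateway": "*",  # accept any peer, because the branch WAN IP is dynamic
    "local_subnet": "192.168.101.0/24", "remote_subnet": "192.168.231.0/24",
    "psk": "IPSecJktTOBtm098765",
}
BATAM = {  # Cyberoam CR50ia, branch office, initiator
    "wan_ip": "dynamic", "gateway_type": "initiate",
    "peer_gateway": "103.138.40.11",
    "local_subnet": "192.168.231.0/24", "remote_subnet": "192.168.101.0/24",
    "psk": "IPSecJktTOBtm098765",
}


def check_tunnel(head, branch):
    """Return a list of mismatches between the two ends; empty means they agree."""
    problems = []
    if head["psk"] != branch["psk"]:
        problems.append("preshared keys differ")
    # Each side's local subnet must be configured as the other side's remote subnet.
    for side, peer, label in ((head, branch, "head"), (branch, head, "branch")):
        if side["local_subnet"] != peer["remote_subnet"]:
            problems.append(f"{label} local subnet {side['local_subnet']} "
                            "is not the peer's remote subnet")
    # Overlapping LANs cannot be selected into the tunnel cleanly.
    if ipaddress.ip_network(head["local_subnet"]).overlaps(
            ipaddress.ip_network(branch["local_subnet"])):
        problems.append("LAN subnets overlap")
    # A branch on a dynamic WAN IP must initiate; the head must only respond
    # and accept any gateway address, since it cannot know the branch IP.
    if branch["wan_ip"] == "dynamic":
        if branch["gateway_type"] != "initiate":
            problems.append("branch has a dynamic IP but is not set to initiate")
        if head["gateway_type"] != "respond_only" or head["peer_gateway"] != "*":
            problems.append("head must be 'respond only' with gateway address *")
    # The initiator needs the responder's static WAN IP as its remote endpoint.
    if branch["peer_gateway"] != head["wan_ip"]:
        problems.append("branch remote endpoint does not match head WAN IP")
    return problems


if __name__ == "__main__":
    print(check_tunnel(JAKARTA, BATAM) or "both ends mirror each other")
```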


