Sophos XG Firewall - Site-to-Site IPsec VPN Configuration Using a Preshared Key

Today I was faced with the opening of one of the group's sites in Palembang, South Sumatra, which needs a connection to Jakarta in order to reach several servers there. This note walks through the steps for configuring a site-to-site IPsec VPN connection authenticated with a preshared key.

The topology and scenario are as follows:


IPsec VPN Network Diagram - ITSTAFF.web.id


Location                     JAKARTA                PALEMBANG
Site                         Head Office            Branch Office
Device                       Sophos XG 210          Sophos XG 210
Device IP                    192.168.101.254        192.168.201.254
LAN Subnet                   192.168.101.0/24       192.168.201.0/24
LAN Port                     Port6                  Port6
WAN Bandwidth                Dedicated 30 Mbps      Dedicated 10 Mbps
WAN IP                       103.138.40.11          203.238.50.21
WAN Port                     Port1                  Port1
IPsec Connection Type        Site-to-Site           Site-to-Site
IPsec Gateway Type           Respond only           Initiate the connection
IPsec Policy                 DefaultHeadOffice      DefaultBranchOffice
IPsec Authentication Type    Preshared key          Preshared key

All right then, without further ado, let's start the configuration.

1. Configuring XG210-JAKARTA

  • Log in to the Sophos XG 210 Firewall, then add the Jakarta and Palembang LAN subnets as IP hosts: click SYSTEM Host and services ⇒ IP host ⇒ Add
    • Local LAN (Jakarta Subnet)

      IP host Jakarta - ITSTAFF.web.id

    • Remote LAN (Palembang Subnet)

      IP host Palembang - ITSTAFF.web.id

    • Save

  • Create the IPsec VPN connection: click CONFIGURE VPN ⇒ IPsec connections ⇒ Add
    • General settings
      • Name: VPN_PALEMBANG
      • Description: via WANP1
      • IP version: IPv4
      • Connection type: Site-to-Site
      • Gateway type: Respond only
      • Active on save: checked
      • Create firewall rule: unchecked
    • Encryption
      • Policy: DefaultHeadOffice
      • Authentication type: Preshared key
        • Preshared key: IPSecJktTOPlg098765
        • Repeat preshared key: IPSecJktTOPlg098765
    • Gateway settings
      • Local gateway
        • Listening interface: Port1 (WANP1)
        • Local ID type: Select local ID (default)
        • Local subnet ⇒ Add new item: 101.168.192_JKT
      • Remote gateway
        • Gateway address: 203.238.50.21
        • Remote ID type: Select remote ID (default)
        • Remote subnet ⇒ Add new item: 201.168.192_PLG
      • Network Address Translation (NAT): unchecked
    • Advanced
      • User authentication mode: None
    • Save

  • After that, create two firewall rules for the IPsec VPN traffic: click PROTECT Firewall (v17) / Rules and policies (v18) ⇒ + Add firewall rule ⇒ User/network rule
    • Rule name *: LAN_VPN_PALEMBANG
    • Action: Accept
    • Rule position: Top
    • Rule group: LAN to VPN
    • Source
      • Source zones * ⇒ Add new item: LAN
      • Source networks and devices * ⇒ Add new item: 101.168.192_JKT
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: VPN
      • Destination networks * ⇒ Add new item: 201.168.192_PLG
      • Services *: Any
    • Identity (v17)
      • Match known users: unchecked
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked / None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked / None
    • Log traffic
      • Log firewall traffic: checked
    • Save

    Then create one more firewall rule:
    • Rule name *: VPN_LAN_PALEMBANG
    • Action: Accept
    • Rule position: Top
    • Rule group: VPN to LAN
    • Source
      • Source zones * ⇒ Add new item: VPN
      • Source networks and devices * ⇒ Add new item: 201.168.192_PLG
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: LAN
      • Destination networks * ⇒ Add new item: 101.168.192_JKT
      • Services *: Any
    • Identity (v17)
      • Match known users: unchecked
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked / None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked / None
    • Log traffic
      • Log firewall traffic: checked
    • Save


2. Configuring XG210-PALEMBANG

  • Log in to the Sophos XG 210 Firewall, then add the Palembang and Jakarta LAN subnets as IP hosts: click SYSTEM Host and services ⇒ IP host ⇒ Add
    • Local LAN (Palembang Subnet)

      IP host Palembang - ITSTAFF.web.id

    • Remote LAN (Jakarta Subnet)

      IP host Jakarta - ITSTAFF.web.id

    • Save


  • Create the IPsec VPN connection: click CONFIGURE VPN ⇒ IPsec connections ⇒ Add
    • General settings
      • Name: VPN_JAKARTA
      • Description: via WANP1
      • IP version: IPv4
      • Connection type: Site-to-Site
      • Gateway type: Initiate the connection
      • Active on save: checked
      • Create firewall rule: unchecked
    • Encryption
      • Policy: DefaultBranchOffice
      • Authentication type: Preshared key
        • Preshared key: IPSecJktTOPlg098765
        • Repeat preshared key: IPSecJktTOPlg098765
    • Gateway settings
      • Local gateway
        • Listening interface: Port1 (WANP1)
        • Local ID type: Select local ID (default)
        • Local subnet ⇒ Add new item: 201.168.192_PLG
      • Remote gateway
        • Gateway address: 103.138.40.11
        • Remote ID type: Select remote ID (default)
        • Remote subnet ⇒ Add new item: 101.168.192_JKT
      • Network Address Translation (NAT): unchecked
    • Advanced
      • User authentication mode: None
    • Save


  • After that, create two firewall rules for the IPsec VPN traffic: click PROTECT Firewall (v17) / Rules and policies (v18) ⇒ + Add firewall rule ⇒ User/network rule
    • Rule name *: LAN_VPN_JAKARTA
    • Action: Accept
    • Rule position: Top
    • Rule group: LAN to VPN
    • Source
      • Source zones * ⇒ Add new item: LAN
      • Source networks and devices * ⇒ Add new item: 201.168.192_PLG
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: VPN
      • Destination networks * ⇒ Add new item: 101.168.192_JKT
      • Services *: Any
    • Identity (v17)
      • Match known users: unchecked
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked / None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked / None
    • Log traffic
      • Log firewall traffic: checked
    • Save

    Then create one more firewall rule:
    • Rule name *: VPN_LAN_JAKARTA
    • Action: Accept
    • Rule position: Top
    • Rule group: VPN to LAN
    • Source
      • Source zones * ⇒ Add new item: VPN
      • Source networks and devices * ⇒ Add new item: 101.168.192_JKT
      • During scheduled time: All the time
    • Destination & services
      • Destination zones * ⇒ Add new item: LAN
      • Destination networks * ⇒ Add new item: 201.168.192_PLG
      • Services *: Any
    • Identity (v17)
      • Match known users: unchecked
    • Web malware and content scanning (v17) / Security features (v18)
      • Leave everything unchecked / None
    • Advanced (v17) / Other security features (v18)
      • Leave everything unchecked / None
    • Log traffic
      • Log firewall traffic: checked
    • Save
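Before bringing the tunnel up it is worth checking that the two configurations above really mirror each other, since most site-to-site failures come from a swapped subnet, a wrong peer address or a missing LAN/VPN rule. The following script is an added example (not part of the original post or of Sophos XG): the two dictionaries are constructed from the values entered in the GUI above, and the key names are my own labels, not Sophos configuration or API fields.

```python
import ipaddress

# Constructed from the values entered on each firewall in the post above; the
# dictionary keys are my own labels, not Sophos XG configuration or API names.
JAKARTA = {
    "name": "VPN_PALEMBANG", "wan_ip": "103.138.40.11",
    "gateway_type": "Respond only", "psk": "IPSecJktTOPlg098765",
    "local_subnet": "192.168.101.0/24", "remote_subnet": "192.168.201.0/24",
    "gateway_address": "203.238.50.21",
    "rules": [("LAN", "VPN", "192.168.101.0/24", "192.168.201.0/24"),
              ("VPN", "LAN", "192.168.201.0/24", "192.168.101.0/24")],
}
PALEMBANG = {
    "name": "VPN_JAKARTA", "wan_ip": "203.238.50.21",
    "gateway_type": "Initiate the connection", "psk": "IPSecJktTOPlg098765",
    "local_subnet": "192.168.201.0/24", "remote_subnet": "192.168.101.0/24",
    "gateway_address": "103.138.40.11",
    "rules": [("LAN", "VPN", "192.168.201.0/24", "192.168.101.0/24"),
              ("VPN", "LAN", "192.168.101.0/24", "192.168.201.0/24")],
}

def check_pair(a, b):
    """Return a list of findings; an empty list means the two sides mirror each other."""
    findings = []
    if a["psk"] != b["psk"]:
        findings.append("preshared keys differ between the two sides")
    for side, peer in ((a, b), (b, a)):
        # Each side's remote gateway address must be the peer's WAN IP.
        if side["gateway_address"] != peer["wan_ip"]:
            findings.append(f"{side['name']}: gateway address {side['gateway_address']} "
                            f"is not the WAN IP of {peer['name']}")
        # The local subnet on one side must be the remote subnet on the other.
        if (ipaddress.ip_network(side["local_subnet"])
                != ipaddress.ip_network(peer["remote_subnet"])):
            findings.append(f"{side['name']}: local subnet {side['local_subnet']} "
                            f"is not the remote subnet of {peer['name']}")
        # Without both rules the tunnel comes up but pings time out (the symptom
        # the post tells the reader to troubleshoot in Rules and policies).
        wanted = {("LAN", "VPN", side["local_subnet"], side["remote_subnet"]),
                  ("VPN", "LAN", side["remote_subnet"], side["local_subnet"])}
        for rule in sorted(wanted - set(side["rules"])):
            findings.append(f"{side['name']}: missing firewall rule {rule[0]}->{rule[1]} "
                            f"{rule[2]} -> {rule[3]}")
    # Exactly one side must initiate and the other respond.
    if {a["gateway_type"], b["gateway_type"]} != {"Respond only", "Initiate the connection"}:
        findings.append("gateway types must be one 'Respond only' and one 'Initiate the connection'")
    return findings

if __name__ == "__main__":
    print(check_pair(JAKARTA, PALEMBANG) or ["OK: both sides mirror each other"])
```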

After configuring both firewalls, check the status of the IPsec VPN connection you just created on XG210-JAKARTA and XG210-PALEMBANG: click CONFIGURE VPN ⇒ IPsec connections

Status IPsec VPN - ITSTAFF.web.id

If the Status is Active and the Connection indicator is green, test with a ping from a device behind the firewall, for example from a local desktop PC in Jakarta or Palembang, to confirm that the site-to-site IPsec VPN is working normally. If you still get Request timed out, check the firewall Rules and Policies (LAN to VPN and VPN to LAN).

That is all it takes to build an IPsec VPN connection with a preshared key on the Sophos XG210; the configuration above can also be applied to the other models in the Sophos XG Firewall series. I hope this note is useful to me and to whoever reads it.
