[TUTORIAL] Sophos XG Firewall - Konfigurasi IPsec VPN Site-to-Site Preshared Key

Hari ini saya dihadapkan dengan berdirinya salah satu group di Palembang, Sumatera Selatan. Dimana site tersebut membutuhkan koneksi ke Jakarta untuk mengakses beberapa server dan aplikasi. Dimana catatan ini akan menjelaskan langkah-langkah untuk membuat koneksi IPsec VPN Site-to-Site Preshared Key di Sophos XG Firewall.

Berikut Topologi & Skenarionya

Location	JAKARTA	PALEMBANG
Site	Head Office	Branch Office
Device Name	Sophos XG 210	Sophos XG 210
Device Firmware	SFOS 17.5.15 MR-15 SFOS 18.5.4 MR4-Build418	SFOS 17.5.14 MR-14-1 SFOS 17.5.15 MR-15
Device IP	192.168.101.254	192.168.201.254
LAN Subnet	192.168.101.0/24	192.168.201.0/24
LAN Port	Port6	Port6
WAN Bandwidth	Dedicated 30 Mbps	Dedicated 20 Mbps
WAN IP	103.138.40.11	203.238.50.21
WAN Port	Port1	Port1
IPsec Connection Type	Site-to-Site	Site-to-Site
IPsec Gateway Type	Respond only	Initiate the connection
IPsec Policy	DefaultHeadOffice	DefaultBranchOffice
IPsec Authentication Type	Preshared key	Preshared key

Oke lah kalau begitu, tanpa basa-basi lagi, langsung saja mari kita mulai konfigurasi...

1. Konfigurasi XG210-JAKARTA - Head Office

1.1. Login ke Sophos XG210 Firewall, langkah pertama adalah menambahkan LAN Subnet (Jakarta dan Palembang), klik SYSTEM Host and services ⇒ IP host ⇒ Add

• Local LAN (Jakarta Subnet)

• Remote LAN (Palembang Subnet)

• Save

1.2. Sekarang membuat IPsec VPN connection, klik CONFIGURE VPN ⇒ IPsec connections ⇒ Add

• General settings
• Name: VPN_PLG
• IP version: IPv4
• Connection type: Site-to-Site
• Gateway type: Respond only
• Active on save checked
• Create firewall rule unchecked
• Encryption
• Policy: DefaultHeadOffice
• Authentication type: Preshared key
• Preshared key: <Password IPsec>
• Repeat preshared key: <Password IPsec>
• Gateway settings
Local gateway
• Listening interface: Port1 (WAN1)
• Local ID type: Select local ID (default)
• Local subnet: Add new item ⇒ 101.168.192_JKT
Remote gateway
• Gateway address: 203.238.50.21
• Remote ID type: Select remote ID (default)
• Remote subnet: Add new item ⇒ 201.168.192_PLG
• Network Address Translation (NAT) unchecked
• Advanced: User authentication mode: None
• Save

1.3. Setelah itu, membuat dua Firewall Rules untuk IPsec VPN traffic, klik PROTECT Firewall (v17) / Rules and policies (v18) ⇒ + Add firewall rule ⇒ User/network rule

1.3.1. Group LAN to VPN
• Rule name *: LAN_VPN_PLG
• Action: Accept
• Log firewall traffic checked
• Rule position: Top
• Rule group: LAN to VPN
• Source
• Source zones *: Add new item ⇒ LAN
• Source networks and devices *: Add new item ⇒ 101.168.192_JKT
• During scheduled time: All the time
• Destination and services
• Destination zones *: Add new item ⇒ VPN
• Destination networks *: Add new item ⇒ 201.168.192_PLG
• Services *: Any
• Identity (v17): Match known users unchecked
• Web malware and content scanning (v17) / Security features (v18)
• Web policy: None
• Scan FTP for malware checked
• Unchecked All
• Advanced (v17) / Other security features (v18)
• App control: None
• IPS: None
• Shape traffic: None
• Scan email content: None
• Save

1.3.2. Group VPN to LAN
• Rule name *: VPN_LAN_PLG
• Action: Accept
• Log firewall traffic checked
• Rule position: Top
• Rule group: VPN to LAN
• Source
• Source zones *: Add new item ⇒ VPN
• Source networks and devices *: Add new item ⇒ 201.168.192_PLG
• During scheduled time: All the time
• Destination and services
• Destination zones *: Add new item ⇒ LAN
• Destination networks *: Add new item ⇒ 101.168.192_JKT
• Services *: Any
• Identity (v17): Match known users unchecked
• Web malware and content scanning (v17) / Security features (v18)
• Web policy: None
• Scan FTP for malware checked
• Unchecked All
• Advanced (v17) / Other security features (v18)
• App control: None
• IPS: None
• Shape traffic: None
• Scan email content: None
• Save

Berikut posisi atau penempatan Firewall Rules yang saya terapkan pada perangkat Sophos XG210 Firewall.

• LAN to VPN
• LAN_VPN_PLG (1.3.1)
• WAN to LAN
• LAN to WAN
• LAN to LAN
• VPN to LAN
• VPN_LAN_PLG (1.3.2)

2. Konfigurasi XG210-PALEMBANG - Branch Office

2.1. Login ke Sophos XG210 Firewall, langkah pertama adalah menambahkan LAN Subnet (Palembang dan Jakarta), klik SYSTEM Host and services ⇒ IP host ⇒ Add

• Local LAN (Palembang Subnet)

• Remote LAN (Jakarta Subnet)

• Save

2.2. Sekarang membuat IPsec VPN connection, klik CONFIGURE VPN ⇒ IPsec connections ⇒ Add

• General settings
• Name: VPN_JKT
• IP version: IPv4
• Connection type: Site-to-Site
• Gateway type: Initiate the connection
• Active on save checked
• Create firewall rule unchecked
• Encryption
• Policy: DefaultBranchOffice
• Authentication type: Preshared key
• Preshared key: <Password IPsec>
• Repeat preshared key: <Password IPsec>
• Gateway settings
Local gateway
• Listening interface: Port1 (WAN1)
• Local ID type: Select local ID (default)
• Local subnet: Add new item ⇒ 201.168.192_PLG
Remote gateway
• Gateway address: 103.138.40.11
• Remote ID type: Select remote ID (default)
• Remote subnet: Add new item ⇒ 101.168.192_JKT
• Network Address Translation (NAT) unchecked
• Advanced: User authentication mode: None
• Save

2.3. Setelah itu, membuat dua Firewall Rules untuk IPsec VPN traffic, klik PROTECT Firewall (v17) / Rules and policies (v18) ⇒ + Add firewall rule ⇒ User/network rule

2.3.1. Group LAN to VPN
• Rule name *: LAN_VPN_JAKARTA
• Action: Accept
• Log firewall traffic checked
• Rule position: Top
• Rule group: LAN to VPN
• Source
• Source zones *: Add new item ⇒ LAN
• Source networks and devices *: Add new item ⇒ 201.168.192_PLG
• During scheduled time: All the time
• Destination and services
• Destination zones *: Add new item ⇒ VPN
• Destination networks *: Add new item ⇒ 101.168.192_JKT
• Services *: Any
• Identity (v17): Match known users unchecked
• Web malware and content scanning (v17) / Security features (v18)
• Web policy: None
• Scan FTP for malware checked
• Unchecked All
• Advanced (v17) / Other security features (v18)
• App control: None
• IPS: None
• Shape traffic: None
• Scan email content: None
• Save

2.3.2. Group VPN to LAN
• Rule name *: VPN_LAN_JAKARTA
• Action: Accept
• Log firewall traffic checked
• Rule position: Top
• Rule group: VPN to LAN
• Source
• Source zones *: Add new item ⇒ VPN
• Source networks and devices *: Add new item ⇒ 101.168.192_JKT
• During scheduled time: All the time
• Destination and services
• Destination zones *: Add new item ⇒ LAN
• Destination networks *: Add new item ⇒ 201.168.192_PLG
• Services *: Any
• Identity (v17): Match known users unchecked
• Web malware and content scanning (v17) / Security features (v18)
• Web policy: None
• Scan FTP for malware checked
• Unchecked All
• Advanced (v17) / Other security features (v18)
• App control: None
• IPS: None
• Shape traffic: None
• Scan email content: None
• Save

Berikut posisi atau penempatan Firewall Rules yang saya terapkan pada perangkat Sophos XG210 Firewall.

• LAN to VPN
• LAN_VPN_JAKARTA (2.3.1)
• WAN to LAN
• LAN to WAN
• LAN to LAN
• VPN to LAN
• VPN_LAN_JAKARTA (2.3.2)

3. Pengujian Tunnel IPsec VPN Site-to-Site Connections

Dengan konfigurasi diatas, harusnya tunnel IPsec VPN Site-to-Site sudah terbentuk. Kalian bisa cek statusnya di Sophos XG210 Jakarta & Palembang, klik CONFIGURE VPN ⇒ IPsec connections

Jika Status Active dan Connection sudah berwarna hijau, sekarang saatnya test koneksi atau ping dari perangkat di bawah Firewall, misal dari komputer desktop lokal di masing-masing site Jakarta maupun Palembang untuk memastikan koneksi IPsec VPN Site-to-Site ini berjalan dan bekerja. Jika masih Request time out, silahkan cek Rules and Policies Firewall (LAN to VPN & VPN to LAN).

Itu saja yang saya lakukan dalam membuat koneksi IPsec VPN Site-to-Site Preshared Key di Sophos XG210, konfigurasi di atas bisa juga diterapkan pada Sophos XG Firewall Series. Semoga catatan ini bisa berguna untuk saya dan kalian yang membacanya.

Referensi: Sophos XG Firewall - How to set a Site-to-Site IPsec VPN connection using a preshared key