How do I set up a Site-to-Site VPN between Synology Router and a Sophos XG firewall device?

Purpose

This tutorial guides you through setting up a Site-to-Site VPN (license required) between a Synology Router and a Sophos XG Firewall device. This article uses a Sophos XG 105 as an example.

Notes:

  1. For more information on our licensing plans, refer to this webpage.
  2. If you use a different Sophos XG series device, make sure that it supports IPSec.

Environment

Make sure that your environment is suitable for setting up a Site-to-Site VPN by referring to the requirements below.

  • Make sure that your Synology Router is set up and running SRM 1.1.5 or above.
  • Install VPN Plus Server 1.2.0 or above in SRM.

This tutorial is based on the example settings listed below:

  • Synology Router:
    • Internal subnet: 192.168.1.0/24
    • Gateway: 10.11.71.33
  • Sophos XG 105 (firmware: SFOS 16.05.6 MR-6):
    • Internal subnet: 172.16.16.0/24
    • Gateway: 10.11.68.188
    • Connected port: #4
  • Pre-shared key: 123456789
  • Encryption configuration:
    • Phase 1:
      • Encryption: AES256
      • Authentication: SHA-256
      • Key life: 3600
      • DH Group: 2 (modp 1024)
      • DPD (Dead Peer Detection): Enable
    • Phase 2:
      • Encryption: AES256
      • Authentication: SHA-256
      • Key life: 3600
      • DH Group: 2 (modp 1024)

Resolution

Site-to-Site VPN configuration on Sophos XG 105

Sign in to your Sophos XG 105's configuration interface, and follow the steps below:

  1. Go to VPN and click Add.
  2. Under General Settings, complete the setup based on the example provided:
    • Name: This example uses "Synology".
    • Connection Type: Select Site-to-Site.
    • Policy: Select Create new from the drop-down list to create a new VPN policy. Fill out the information based on the example provided:
      • Name: Enter a customized name for the policy. This example uses "Synology".
      • Description: Add a description if needed.
      • Allow Re-keying: Enable this option to automatically start the negotiation process before the key expires.
      • Key Negotiation Tries: Maximum number of negotiation attempts.
      • Authentication Mode: Select Main Mode or Aggressive Mode. Both devices (i.e. Synology Router and Sophos XG 105) must have the same setting. This example uses Main Mode.
      • Pass data in Compressed Format: Enable this option to increase the throughput.
      • Phase 1:
        • Algorithm
          • Encryption: Select at least one encryption method for Phase 1. The other device must adopt the same method. This example uses AES256.
          • Authentication: Select at least one authentication method for Phase 1. The other device must adopt the same method. This example uses SHA-256.
        • DH group [Key group]: Specify the same Diffie-Hellman (DH) group for both devices. This example uses the default value.
        • Key Life: Specify how long the key remains valid. This example uses the default value.
        • Re-key Margin: Specify the time after which to automatically start the negotiation process without interrupting the communication before the key expires.
        • Randomize Re-Keying Margin by: This example uses the default value.
        • Dead Peer Detection: Enable this option to check at regular intervals whether the peer is still alive. You can configure the settings after enabling this option. This example uses the default settings.
        • Action When Peer Unreachable: This example uses Re-initiate.
      • Phase 2:
        • Algorithm
          • Encryption: Select at least one encryption method for Phase 2. The other device must adopt the same methods. This example uses AES256.
          • Authentication: Select at least one authentication method for Phase 2. The other device must adopt the same methods. This example uses SHA-256.
        • PFS Group [DH Group]: This example uses the same settings as in Phase 1.
        • Key Life: Specify how long the key remains valid. This example uses the default value.
      • Active on VPN Restart: Determine the action to take on the connection when the VPN service or Sophos device restarts. Here, we select Initiate.
  3. Authentication Details:
    • Authentication Type: This example uses Preshared Key.
    • Preshared Key: Specify the pre-shared key, and use the same settings that you used on the other device (i.e. Synology Router). This example uses 123456789.
  4. Endpoints Details:
    • Local: Select the local port that will act as one of the end-points of the tunnel. This example uses Port4.
    • Remote: Enter the IP address of the Synology Router. This example uses 10.11.71.33.
  5. Network Details:
    • IP family: Select IPv4 or IPv6. This example uses IPv4.
    • In Local Subnet under the Local section, select the local network to which remote users will be granted access. Click Add, and select Create new from the drop-down list. Configure the following in the pop-up window:
      • Name: Enter the hostname. This example uses SophosXG105.
      • IP Address/Subnet: Enter the local LAN IP address, and specify the Subnet. This example uses 172.16.16.0 for the IP address, and /24(255.255.255.0) for the subnet.
    • In Remote LAN Network under the Remote section, select the remote network that you want to access via this connection. Click Add New Item and select Create new from the drop-down list. Configure the following in the pop-up window:
      • Name: Enter the hostname. This example uses SynologyRouter.
      • IP Address/Subnet: Enter the remote LAN IP address, and specify the Subnet. This example uses 192.168.1.0 for the IP address, and /24(255.255.255.0) for subnet.

Notes:

  1. For more details on the settings above, refer to the Sophos XG Firewall Administrator Guide.

Site-to-Site VPN configuration on Synology Router

Sign in to SRM on your Synology Router, and follow the steps below:

  1. Go to VPN Plus Server > Site-to-Site VPN.
  2. Click Add > Manually.
  3. Under the General tab, configure the following settings:
    • Profile name: Enter a customized name for the profile. This example uses "RT2600ac".
    • Pre-shared key: Enter the same pre-shared key that you used on Sophos XG 105.
    • Under the Local Site section, configure the following settings:
      • Outbound IP: Enter your Synology Router's IP address. This example uses 10.11.71.33.
      • Local ID: You can enter a public IP address or FQDN to specify the Local ID. This example uses 10.11.71.33.
      • Private subnet: Specify the local network under the private subnet of your Synology Router. This example uses Local Network (192.168.1.0/24).
    • Under the Remote Site section, configure the following settings:
      • IP address/FQDN: Enter Sophos XG105's IP address. This example uses 10.11.68.188.
      • Remote ID: You can enter a public IP address or FQDN to specify the Remote ID. This example uses 10.11.68.188.
      • Private subnet: Specify the local network under the private subnet of Sophos XG 105. This example uses 172.16.16.0/24.
    • Under the Dead Peer Detection section, tick Enable to check at regular intervals whether the peer is still alive. You can configure the settings after enabling this option. This example uses the default settings.
  4. Under the Encryption tab, all of the settings must be identical to those on the Sophos XG 105.
  5. Once the setup is complete, you will be able to see the status of the Site-to-Site VPN tunnel on both of the devices.
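Because every Phase 1 and Phase 2 value, the pre-shared key, the peer addresses and the subnets have to mirror each other across the two devices, a quick consistency check before testing the tunnel saves debugging time. The script below is an added example, not part of this tutorial or of either vendor's software: it encodes the example settings from this page for both sides, reports any mismatch between them, and flags settings worth revisiting for production (DH group 2 and the short numeric pre-shared key used here); the Endpoint and Proposal structures are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# DH groups below 2048-bit MODP (RFC 2409/3526 groups 1, 2 and 5) are considered weak.
WEAK_DH_GROUPS = {1, 2, 5}

@dataclass(frozen=True)
class Proposal:            # one IKE (Phase 1) or IPsec (Phase 2) proposal
    encryption: str
    authentication: str
    key_life: int          # seconds
    dh_group: int

@dataclass(frozen=True)
class Endpoint:            # how one side of the tunnel is configured
    name: str
    gateway: str           # this device's outbound IP
    peer: str              # the remote gateway entered on this device
    local_subnet: str
    remote_subnet: str
    psk: str
    phase1: Proposal
    phase2: Proposal

def check_tunnel(a: Endpoint, b: Endpoint) -> list[str]:
    """Return mismatches and weak settings; an empty list means both sides agree."""
    problems = []
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if len(a.psk) < 20 or a.psk.isdigit():
        problems.append("pre-shared key is short or digits only; use a long random secret")
    for x, y in ((a, b), (b, a)):       # each side's peer/remote must be the other's gateway/local
        if ip_address(x.peer) != ip_address(y.gateway):
            problems.append(f"{x.name}: peer {x.peer} is not {y.name}'s gateway {y.gateway}")
        if ip_network(x.remote_subnet) != ip_network(y.local_subnet):
            problems.append(f"{x.name}: remote subnet {x.remote_subnet} != {y.name} local subnet")
    if ip_network(a.local_subnet).overlaps(ip_network(b.local_subnet)):
        problems.append("local subnets overlap; routing across the tunnel would be ambiguous")
    for phase, pa, pb in (("Phase 1", a.phase1, b.phase1), ("Phase 2", a.phase2, b.phase2)):
        if pa != pb:
            problems.append(f"{phase} proposals differ: {pa} vs {pb}")
        if pa.dh_group in WEAK_DH_GROUPS or pb.dh_group in WEAK_DH_GROUPS:
            problems.append(f"{phase}: DH group {pa.dh_group} is below 2048-bit; prefer group 14 or higher")
    return problems

# Constructed from the example settings in this tutorial (both phases use the same proposal).
P = Proposal("AES256", "SHA-256", 3600, 2)
SYNOLOGY = Endpoint("Synology Router", "10.11.71.33", "10.11.68.188",
                    "192.168.1.0/24", "172.16.16.0/24", "123456789", P, P)
SOPHOS = Endpoint("Sophos XG 105", "10.11.68.188", "10.11.71.33",
                  "172.16.16.0/24", "192.168.1.0/24", "123456789", P, P)
```

Running check_tunnel(SYNOLOGY, SOPHOS) reports no mismatch for the page's settings, only the two hardening notes; changing one side's subnet or key life makes the corresponding mismatch appear.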