Sophos XG: How to configure forwarding of GRE traffic over IPsec

Overview

This article explains how to configure Sophos XG so that GRE traffic is forwarded through an IPsec tunnel, which protects that traffic with the confidentiality and integrity guarantees of the IPsec standard.

The configuration in this article follows the diagram below.

How to configure

Step 1: Create an IPsec VPN tunnel between the two sites

  • On the Sophos XG device, create two network objects for the LAN subnets of the two sites
  • Hosts and Services -> IP Host -> Click Add to create the local LAN network object
  • Hosts and Services -> IP Host -> Click Add to create the remote LAN network object
  • Create a site-to-site IPsec connection
  • VPN -> IPsec Connections -> Select Wizard in the right corner of the screen -> Enter a name and click Start -> Select Site To Site
  • Set the preshared key; both sites use this key to authenticate each other
  • In Local WAN Port -> Select the WAN port of the device
  • In Local Subnet -> Select the local LAN network object created earlier
  • In Remote VPN Server -> Enter the IP of the WAN port at the other site
  • In Remote Subnet -> Select the remote LAN network object created earlier
  • In User Authentication -> Select Disabled
  • When the configuration is complete -> Click the Active icon to turn on the IPsec connection

** Configure the same on the other site to complete the IPsec connection on both sites

Step 2: Create two firewall rules that allow VPN traffic

  • Firewall -> Click Add Firewall rule -> Select User/Network rule
  • Name the rule
  • In Source Zones: Select LAN
  • In Source Networks and Devices: Select the local LAN network object
  • In Destination Zones: Select VPN
  • In Destination Networks: Select the remote LAN network object

-> Click Save to complete the rule that allows traffic from the LAN to the VPN


  • Firewall -> Click Add Firewall rule -> Select User/Network rule
  • Name the rule
  • In Source Zones: Select VPN
  • In Source Networks and Devices: Select the remote LAN network object
  • In Destination Zones: Select LAN
  • In Destination Networks: Select the local LAN network object

-> Click Save to complete the rule that allows traffic from the VPN to the LAN

** Configure the same on the other site so that the two LAN subnets on the two sites can reach each other

Step 3: Create a GRE tunnel between the two sites

You can consult the guide for creating a GRE tunnel between the two sites here

Step 4: Run ping and tracert between the two sites to verify the path in each direction
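The script below is an added example for this verification step; it is not part of the original article and is not a Sophos tool. It runs on any Linux host on either LAN and checks three things a practitioner wants to confirm before trusting the setup: that both GRE tunnel endpoints fall inside the IPsec local/remote subnets chosen in Step 1 (a policy-based IPsec tunnel only encrypts traffic matching those selectors, so a GRE endpoint outside them sends GRE in clear text), that a tcpdump capture on the WAN interface shows only ESP and no cleartext GRE, and that a traceroute between the two LANs never leaves the LAN address space. All addresses (192.168.1.0/24 and 192.168.2.0/24 as the two LANs, 192.168.1.1 and 192.168.2.1 as the GRE endpoints, 203.0.113.10 and 198.51.100.20 as the WAN addresses) and the capture and traceroute text are constructed samples chosen for this example; replace them with your own values and pipe in real `tcpdump` and `traceroute` output.

```shell
#!/bin/sh
# Added example (not from the original article): post-configuration checks for
# GRE over IPsec. Every address and every captured line below is a constructed
# sample:
#   site A LAN 192.168.1.0/24, GRE endpoint 192.168.1.1, WAN 203.0.113.10
#   site B LAN 192.168.2.0/24, GRE endpoint 192.168.2.1, WAN 198.51.100.20

# ip_to_int: dotted-quad IPv4 address -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIX: succeeds when IP lies inside the prefix
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# gre_selector_check LOCAL_GRE_IP REMOTE_GRE_IP LOCAL_SUBNET REMOTE_SUBNET
# A policy-based IPsec tunnel encrypts only traffic matching its local/remote
# subnet selectors (Step 1). A GRE endpoint outside them is routed around the
# tunnel, so the GRE packets would cross the WAN unencrypted.
gre_selector_check() {
  in_cidr "$1" "$3" && in_cidr "$2" "$4"
}

# count_cleartext_gre: tcpdump output from the WAN interface on stdin.
# With GRE inside IPsec the WAN carries only ESP (or UDP/4500 with NAT-T);
# every "GREv0" line is a GRE packet that left the firewall in clear text.
count_cleartext_gre() {
  grep -c 'GREv[01]' || true
}

# count_hops_outside_lans LOCAL_SUBNET REMOTE_SUBNET: Linux traceroute output
# on stdin; counts answered hops that belong to neither LAN. Across the tunnel
# every hop is a LAN-side address, so the expected result is 0.
count_hops_outside_lans() {
  n=0
  while read -r hop addr rest; do
    case "$hop" in
      ''|*[!0-9]*) continue ;;        # header line, not a hop
    esac
    [ "$addr" = '*' ] && continue      # hop did not answer
    if ! in_cidr "$addr" "$1" && ! in_cidr "$addr" "$2"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Constructed WAN capture, healthy case: only ESP between the two WAN addresses.
sample_wan_capture_ok() {
  cat <<'EOF'
12:00:01.000101 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0000a1b2,seq=0x1), length 132
12:00:01.000202 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0000c3d4,seq=0x1), length 132
EOF
}

# Constructed WAN capture where one GRE packet bypassed the IPsec tunnel.
sample_wan_capture_leak() {
  sample_wan_capture_ok
  echo '12:00:01.000303 IP 203.0.113.10 > 198.51.100.20: GREv0, length 88: IP 192.168.1.1 > 192.168.2.1: ICMP echo request, id 7, seq 1, length 64'
}

# Constructed traceroute from a site A host to a site B host through the tunnel.
sample_traceroute_ok() {
  cat <<'EOF'
traceroute to 192.168.2.10 (192.168.2.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.398 ms  0.387 ms
 2  192.168.2.1 (192.168.2.1)  18.234 ms  18.120 ms  18.052 ms
 3  192.168.2.10 (192.168.2.10)  18.900 ms  18.750 ms  18.611 ms
EOF
}

# Constructed traceroute where packets followed the default route to the ISP.
sample_traceroute_bad() {
  cat <<'EOF'
traceroute to 192.168.2.10 (192.168.2.10), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.412 ms  0.398 ms  0.387 ms
 2  203.0.113.1 (203.0.113.1)  4.101 ms  4.050 ms  4.012 ms
 3  * * *
EOF
}

if gre_selector_check 192.168.1.1 192.168.2.1 192.168.1.0/24 192.168.2.0/24; then
  echo "GRE endpoints are covered by the IPsec subnet selectors"
else
  echo "WARNING: a GRE endpoint lies outside the IPsec subnets; GRE would leave in clear text"
fi
echo "cleartext GRE on WAN, healthy capture: $(sample_wan_capture_ok | count_cleartext_gre)"
echo "cleartext GRE on WAN, leaky capture:   $(sample_wan_capture_leak | count_cleartext_gre)"
echo "hops outside both LANs, good trace: $(sample_traceroute_ok | count_hops_outside_lans 192.168.1.0/24 192.168.2.0/24)"
echo "hops outside both LANs, bad trace:  $(sample_traceroute_bad | count_hops_outside_lans 192.168.1.0/24 192.168.2.0/24)"
```

With real input, replace the sample functions with `tcpdump -ni <wan-interface>` output captured on the firewall and `traceroute` output from a LAN host; a non-zero count from either check means GRE traffic is taking a path other than the IPsec tunnel, and the first place to look is whether the GRE endpoint addresses match the local and remote subnets selected in Step 1.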

** If you have difficulty configuring Sophos products in Vietnam, please contact us:

EMAIL: info@thegioifirewall.com

HOTLINE: 02862711677
