Sophos XG: How to forward GRE traffic over IPsec on firmware version 18

Overview

This article explains how to forward GRE traffic through an IPsec tunnel between two Sophos XG firewalls, so that the GRE-encapsulated traffic is encrypted and authenticated by IPsec rather than crossing the WAN in the clear.

The configuration described below follows the article's network diagram.

How to configure

Step 1: Create the IPsec VPN tunnel between the two sites

  • On each Sophos XG, create IP Host objects for the LAN subnets of both sites:
  • Hosts and Services -> IP Host -> Click Add to create the local LAN subnet
  • Hosts and Services -> IP Host -> Click Add to create the remote LAN subnet
  • Create a site-to-site IPsec connection:
  • VPN -> IPsec Connections -> Select Wizard in the top right corner of the screen -> Enter a Name and click Start -> Select Site To Site
  • Set the preshared key; the same key must be entered on both sites, since it is what the two peers use to authenticate each other
  • In the Local WAN Port section -> Select the WAN port of the device
  • In the Local Subnet section -> Select the local LAN subnet created earlier
  • In the Remote VPN Server section -> Enter the WAN IP address of the peer site
  • In the Remote Subnet section -> Select the remote LAN subnet created earlier
  • In the User Authentication section -> Select Disabled
  • When the wizard completes -> Click the Active (status) icon to bring the IPsec connection up

** Repeat the same configuration on the other site, with the local and remote values swapped, to complete the IPsec connection on both sides.

Step 2: Create two firewall rules that allow VPN traffic

  • Rules and Policies -> Click Add Firewall rule
  • Name the rule
  • In the Source Zones section: Select LAN
  • In the Source Networks and Devices section: Select the local LAN subnet
  • In the Destination Zones section: Select VPN
  • In the Destination Networks section: Select the remote LAN subnet

-> Click Save. This completes the rule that allows traffic from the LAN into the VPN.

  • Rules and Policies -> Click Add Firewall rule (User/Network rule)
  • Name the rule
  • In the Source Zones section: Select VPN
  • In the Source Networks and Devices section: Select the remote LAN subnet
  • In the Destination Zones section: Select LAN
  • In the Destination Networks section: Select the local LAN subnet

-> Click Save. This completes the rule that allows traffic from the VPN into the LAN.

** Repeat the same rules on the other site so that the two LAN subnets can reach each other across the tunnel in both directions.

Step 3: Create the GRE tunnel between the two sites

Step 4: Use ping and tracert from each site to verify the path to the other site in both directions
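The point of running GRE inside IPsec is that the GRE packets (IP protocol 47) themselves match the IPsec Local Subnet / Remote Subnet selectors from Step 1; IPsec only encrypts traffic whose outer source and destination fall inside those selectors, so GRE endpoints that sit outside them are routed past the SA in plaintext. The script below is an added example, not code from the article or from Sophos: it models the objects created in Steps 1 and 2 and checks that the selectors are mirrored between the two sites and that each site's GRE endpoints are covered. All addresses are constructed placeholders standing in for the article's diagram.

```python
"""Added example (not from the article or from Sophos): check that a
GRE-over-IPsec design really carries the GRE traffic inside the IPsec SA.

All IP addresses below are constructed placeholders for the two sites.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    wan_ip: str                      # entered as "Remote VPN Server" on the peer
    local_subnets: Tuple[str, ...]   # IP Host objects chosen as Local Subnet
    remote_subnets: Tuple[str, ...]  # IP Host objects chosen as Remote Subnet
    gre_local: str                   # outer source address of the GRE tunnel
    gre_remote: str                  # outer destination address of the GRE tunnel


def _in_any(addr: str, subnets: Tuple[str, ...]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(s, strict=False) for s in subnets)


def gre_protected(site: Site) -> bool:
    """True when a GRE packet from gre_local to gre_remote matches this
    site's IPsec selectors and is therefore ESP-encapsulated."""
    return (_in_any(site.gre_local, site.local_subnets)
            and _in_any(site.gre_remote, site.remote_subnets))


def selectors_mirrored(a: Site, b: Site) -> bool:
    """The wizard is run on both sites: the peer's Local Subnet must equal
    our Remote Subnet and vice versa, otherwise phase 2 will not match."""
    return (set(a.local_subnets) == set(b.remote_subnets)
            and set(a.remote_subnets) == set(b.local_subnets))


def audit(a: Site, b: Site) -> List[str]:
    """Return a list of findings for the site pair; an empty list means OK."""
    findings = []
    if not selectors_mirrored(a, b):
        findings.append("IPsec Local/Remote Subnet objects are not mirrored between sites")
    for s in (a, b):
        if not gre_protected(s):
            findings.append(
                f"{s.name}: GRE endpoints {s.gre_local}->{s.gre_remote} fall outside "
                "the IPsec selectors; protocol 47 would leave the WAN port unencrypted")
    return findings


# Constructed scenario 1: GRE terminates on addresses inside the protected LANs.
SITE_A_GOOD = Site("HQ", "203.0.113.10", ("192.168.10.0/24",), ("192.168.20.0/24",),
                   "192.168.10.1", "192.168.20.1")
SITE_B_GOOD = Site("Branch", "198.51.100.20", ("192.168.20.0/24",), ("192.168.10.0/24",),
                   "192.168.20.1", "192.168.10.1")

# Constructed scenario 2: same IPsec policy, but GRE terminated on the WAN IPs,
# which the LAN-only selectors do not cover.
SITE_A_BAD = Site("HQ", "203.0.113.10", ("192.168.10.0/24",), ("192.168.20.0/24",),
                  "203.0.113.10", "198.51.100.20")
SITE_B_BAD = Site("Branch", "198.51.100.20", ("192.168.20.0/24",), ("192.168.10.0/24",),
                  "198.51.100.20", "203.0.113.10")

if __name__ == "__main__":
    for label, pair in (("lan-endpoints", (SITE_A_GOOD, SITE_B_GOOD)),
                        ("wan-endpoints", (SITE_A_BAD, SITE_B_BAD))):
        print(label, audit(*pair) or "OK")
```

If the audit reports findings for the second scenario, either move the GRE endpoints into the protected subnets or add IP Host objects for the GRE endpoint addresses to the IPsec Local Subnet and Remote Subnet lists on both sites before testing with ping and tracert in Step 4.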
