How to configure a site-to-site IPsec VPN between Sophos XG and Palo Alto firewalls using DDNS


This guide describes how to set up a site-to-site IPsec VPN between a Sophos XG Firewall and a Palo Alto firewall when the Palo Alto site has a dynamic public IP address. The Palo Alto firewall registers its current address with a DDNS provider and acts as the responder; the Sophos XG initiates the connection to the DDNS hostname.


You need a DDNS account. In this guide the account is registered with the No-IP provider, with a hostname assigned to the Palo Alto site.

1. Network Diagram

2. How to configure

Sophos Firewall

Go to Configure > VPN > IPsec Policies > Add.

• Enter Name.
• Set Key exchange to IKEv2. (The Authentication Mode option, Main Mode or Aggressive Mode, only applies to IKEv1; with IKEv2 selected it has no effect.)
• Set Key Negotiation Tries to 0 (retry indefinitely).
• Select Allow Re-keying.

• Under Phase 1, set Key Life to 28800, Re-key Margin to 360 and Randomize Re-Keying Margin by to 50.
• Set DH Group (Key Group) to 2 (DH1024).
• Set Encryption to AES256 and Authentication to SHA2 512.

• Under Phase 2, set PFS Group (DH Group) to None, and Key Life to 3600.
• Set Encryption to AES256 and Authentication to SHA2 512.

Note: DH group 2 (1024-bit MODP) and no PFS are the values used in this guide and must match the Palo Alto crypto profiles below. For a new deployment, DH group 14 (2048-bit) or an ECP group for Phase 1, and PFS with the same group for Phase 2, is the stronger choice; whatever you pick, change it on both firewalls, because a Phase 1 or Phase 2 proposal mismatch is the most common reason a tunnel never comes up.

• Under Dead Peer Detection, set Check Peer After Every to 30 seconds and Wait for Response Up to to 120 seconds.
• Set When Peer Unreachable to Re-initiate.

Click Save.

Configure IPsec Connection

Go to Configure > VPN > IPsec Connections and click Add.
• Under General Settings, enter Name.
• For IP Version, select IPv4.
• Set Connection Type to Site-to-Site and Gateway Type to Initiate the Connection (the Sophos XG dials out to the DDNS hostname; the Palo Alto side is the responder).

• Select Create Firewall rule to automatically create a rule that allows the VPN traffic.
• Under Encryption, set Policy to the Sophos policy you created above.
• Set Authentication Type to Preshared Key. Enter and repeat the preshared key; it must be identical to the key entered on the Palo Alto IKE gateway.

• Under Local Subnet, add LAN_SPXG.
• Under Remote Gateway, set Gateway Address to the DDNS hostname of the Palo Alto site.
• Under Remote Subnet, add LAN_SPH.

Click Save.

Palo Alto Firewall

Go to Network > Network Profiles > IKE Crypto > Add and enter the name PA_P1.
• In the IKE Crypto Profile, add group2 to DH Group, aes-256-cbc to Encryption and sha512 to Authentication.
• Set Key Lifetime to Seconds and enter 28800.
• Set IKEv2 Authentication Multiple to 0.

Click OK.

Go to Network > Network Profiles > IPSec Crypto and create a profile.
• Enter Name (this guide uses PA_P2 when attaching it to the tunnel later).
• Set IPSec Protocol to ESP, and DH Group to no-pfs.
• Add aes-256-cbc to Encryption.
• Add sha512 to Authentication.
• Set Lifetime to Seconds and enter 3600.

Click OK.

These two profiles mirror the Sophos policy: IKE Crypto PA_P1 is Phase 1 (group2 / aes-256-cbc / sha512 / 28800 s) and IPSec Crypto PA_P2 is Phase 2 (no-pfs / aes-256-cbc / sha512 / 3600 s). Only the algorithm and DH-group choices have to agree; IKEv2 does not negotiate lifetimes, so each peer rekeys on its own timer.
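The check below is an added example, not part of the original guide or of either vendor's product. It takes the Sophos IPsec policy values (from the Sophos section above) and the Palo Alto IKE Crypto / IPSec Crypto profile values (from this section), maps both vendors' option labels to a neutral name, and reports anything that would prevent negotiation (a Phase 1 or Phase 2 mismatch) separately from settings that negotiate fine but are weak (DH group 2, no PFS, SHA1/MD5). The option labels for values the guide does not use (group5, group14, the ECP groups, SHA2 256 and so on) are assumptions about the two UIs; the configuration dictionaries are constructed from the numbers in the guide.

```python
# Added example (not from the guide or either vendor): compare a Sophos XG IPsec policy
# with a pair of PAN-OS IKE Crypto / IPSec Crypto profiles before committing them.

# Sophos XG option label -> neutral name. Labels beyond the guide's own are assumptions.
SOPHOS_NAMES = {
    "AES256": "aes256", "AES192": "aes192", "AES128": "aes128", "3DES": "3des",
    "SHA2 512": "sha512", "SHA2 256": "sha256", "SHA1": "sha1", "MD5": "md5",
    "2 (DH1024)": "group2", "5 (DH1536)": "group5", "14 (DH2048)": "group14",
    "19 (ecp256)": "group19", "20 (ecp384)": "group20", "None": "none",
}
# PAN-OS option label -> neutral name.
PANOS_NAMES = {
    "aes-256-cbc": "aes256", "aes-192-cbc": "aes192", "aes-128-cbc": "aes128",
    "3des": "3des", "sha512": "sha512", "sha256": "sha256", "sha1": "sha1", "md5": "md5",
    "group2": "group2", "group5": "group5", "group14": "group14",
    "group19": "group19", "group20": "group20", "no-pfs": "none",
}

WEAK_DH = {"group1", "group2", "group5"}   # 1536-bit MODP and smaller
WEAK_HASH = {"md5", "sha1"}


def normalise(value, table):
    """Map a vendor label to its neutral name; unknown labels are kept (lower-cased)."""
    return table.get(value, str(value).lower())


def check_tunnel(sophos, panos):
    """Return findings for one tunnel.

    'MISMATCH' findings stop IKE from negotiating; 'WEAK' findings negotiate fine but
    should be tightened on both sides; 'NOTE' findings are informational (IKEv2 does not
    negotiate lifetimes, each peer rekeys on its own timer).
    """
    findings = []
    for phase in ("phase1", "phase2"):
        s, p = sophos[phase], panos[phase]
        for field in ("encryption", "authentication", "dh_group"):
            sv, pv = normalise(s[field], SOPHOS_NAMES), normalise(p[field], PANOS_NAMES)
            if sv != pv:
                findings.append(
                    f"MISMATCH {phase} {field}: Sophos={s[field]!r} PaloAlto={p[field]!r}")
        if s["lifetime"] != p["lifetime"]:
            findings.append(
                f"NOTE {phase} lifetime differs: Sophos={s['lifetime']} PaloAlto={p['lifetime']}")
        dh = normalise(s["dh_group"], SOPHOS_NAMES)
        if phase == "phase1" and dh in WEAK_DH:
            findings.append(f"WEAK phase1 dh_group {dh}: use group14 or an ECP group instead")
        if phase == "phase2" and dh == "none":
            findings.append("WEAK phase2 pfs none: enable PFS, with the same group on both sides")
        if normalise(s["authentication"], SOPHOS_NAMES) in WEAK_HASH:
            findings.append(f"WEAK {phase} authentication {s['authentication']}")
    return findings


# Constructed from the values in the guide.
SOPHOS_POLICY = {
    "phase1": {"encryption": "AES256", "authentication": "SHA2 512",
               "dh_group": "2 (DH1024)", "lifetime": 28800},
    "phase2": {"encryption": "AES256", "authentication": "SHA2 512",
               "dh_group": "None", "lifetime": 3600},
}
PANOS_PROFILES = {
    "phase1": {"encryption": "aes-256-cbc", "authentication": "sha512",   # IKE Crypto PA_P1
               "dh_group": "group2", "lifetime": 28800},
    "phase2": {"encryption": "aes-256-cbc", "authentication": "sha512",   # IPSec Crypto PA_P2
               "dh_group": "no-pfs", "lifetime": 3600},
}

# The same tunnel with the stronger settings the note above recommends, on both sides.
SOPHOS_HARDENED = {
    "phase1": dict(SOPHOS_POLICY["phase1"], dh_group="14 (DH2048)"),
    "phase2": dict(SOPHOS_POLICY["phase2"], dh_group="14 (DH2048)"),
}
PANOS_HARDENED = {
    "phase1": dict(PANOS_PROFILES["phase1"], dh_group="group14"),
    "phase2": dict(PANOS_PROFILES["phase2"], dh_group="group14"),
}

if __name__ == "__main__":
    for label, pair in (("guide", (SOPHOS_POLICY, PANOS_PROFILES)),
                        ("hardened", (SOPHOS_HARDENED, PANOS_HARDENED))):
        print(label, check_tunnel(*pair) or ["OK: proposals match, nothing weak"])
```

Running it on the guide's values reports no mismatch (the tunnel will negotiate) and two WEAK findings; the hardened pair reports nothing. Change one value on one side only, for example sha256 in PA_P1, and the MISMATCH finding shows what a NO_PROPOSAL_CHOSEN in the IKE log would otherwise make you hunt for.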

Go to Device > Certificate Management > Certificates > Generate.

  • Certificate Type: choose Local.
  • Certificate Name: enter a name (CA_VPN is the name used later in this guide).
  • Common Name: enter the common name.
  • Tick Certificate Authority.
  • Choose Algorithm, Number of Bits and Digest.
  • Certificate Attributes: click Add, choose Host Name and enter the host name.
  • Click Generate.

To create the IKE gateway and attach the PA_P1 profile to it:
• Go to Network > Network Profiles > IKE Gateways > Add, General tab.
• Enter Name (this guide uses PA when attaching the gateway to the tunnel later).
• Set Version to IKEv2 only mode.
• Set Address Type to IPv4.
• Set Interface to ethernet1/1, and Local IP Address to None (the interface address is dynamic, which is why DDNS is needed).
• Set Peer IP Address Type to IP.
• For Peer IP Address, enter the public IP address of the Sophos XG.
• Set Authentication to Pre-Shared Key and enter the same pre-shared key as on the Sophos XG.
• Local Identification: choose FQDN (hostname) and enter the DDNS hostname of the Palo Alto site.
Click OK.

Go to the Advanced Options tab of the same IKE gateway.
• Under Common Options, select Enable Passive Mode, since the Palo Alto firewall acts as the responder and never initiates the connection.
• Under IKEv2, set IKE Crypto Profile to PA_P1, which you created above.
• Select Dead Peer Detection and set Interval to 5.
Click OK.

Create Tunnel Interface
• Go to Network > Interfaces > Tunnel and click Add.
• Enter Interface Name (this guide uses tunnel.1 style numbering; the tunnel is later referred to as tunelpa).
• Select the existing Virtual Router.
• For Security Zone, select the Layer 3 internal zone from which the traffic will originate.

Click OK.

Go to Network > Interfaces > Ethernet > ethernet1/1 > Advanced > DDNS.

Click Settings and select Enable.

Vendor: choose No-IP.

Username and Password: enter the username and password of the DDNS account registered with No-IP.

Hostname: the DDNS hostname registered for the Palo Alto site (the same name entered as Local Identification on the IKE gateway and as Gateway Address on the Sophos XG).

Certificate Profile: choose New Certificate Profile.

Enter the Name VPN_Cer > click Add > for CA Certificate choose CA_VPN. Click OK.

Note: PAN-OS uses this certificate profile to verify the TLS certificate presented by the DDNS service when it sends updates. If the DDNS record does not update after the commit, check that the CA certificate in the profile actually validates the No-IP server certificate chain; a hostname that still points at an old address will make the Sophos XG initiate to the wrong peer.

Go to Network > IPSec Tunnels > Add.

Name: enter a name (this guide uses tunelpa).

Tunnel Interface: choose the tunnel interface created above.

IKE Gateway: choose PA, which you created.

IPSec Crypto Profile: choose PA_P2.

Click OK.

To enable the VPN connection: select tunelpa, click Enable and click Yes.

Configure Firewall Rules to allow VPN traffic.

Create the Local Subnet and Remote Subnet address objects.

Go to Objects > Addresses. Click Add.

Create Local Subnet: the LAN behind the Palo Alto firewall.

Create Remote Subnet: the LAN behind the Sophos XG (LAN_SPXG on the Sophos side).

Go to Policies > Security > Add and create two rules:

LAN-VPN: Source address Local, Destination address Remote.

VPN-LAN: Source address Remote, Destination address Local.

Action: Allow.

Note: you must click Commit to save and apply the whole configuration; nothing above takes effect on the Palo Alto firewall until it is committed.

On Sophos XG

Go to Configure > VPN > IPsec Connections.
• Under Status, click the Active and Connection indicators to activate the connection and establish the tunnel.

Once both indicators turn green, the site-to-site IPsec VPN between the Sophos XG and the Palo Alto firewall is established over the DDNS hostname.
