How to configure IPSec Route-Based VPN between two Sophos Firewall devices

1.The purpose of the article

In this article, techbast will guide you to configure IPSec Route-Based VPN between two Sophos Firewall devices to connect two sites together.

2.What is the difference between IPSec Route-Based VPN and IPSec Site-to-Site VPN?

For an IPSec Site-to-Site (policy-based) VPN, once the configuration is complete the two devices bring up the tunnel automatically, and the local and remote subnets defined on both devices are automatically routed through the tunnel by the IPsec policy; no separate routes are needed.

For an IPSec Route-Based VPN, once the configuration is complete each device automatically creates a virtual interface named xfrm1. These two interfaces are the two ends of the tunnel, and we need to make sure they can reach each other.

As for routing, we have to create static routes manually so that the remote subnet on each side is sent through the xfrm1 interface; the tunnel itself does not decide which traffic it carries.

This mode of operation is very similar to a GRE tunnel, except that traffic in a GRE tunnel is not encrypted, while traffic in an IPSec Route-Based VPN is.

3.Diagram

Details:

Head office:

  • An internet connection is attached to the Sophos XG Firewall 1 device on Port 2 with IP 192.168.2.120.
  • The LAN is configured with subnet 10.145.41.0/24.

Branch office:

  • An internet connection is attached to the Sophos XG Firewall 2 device on Port 2 with IP 192.168.2.121.
  • The LAN is configured with subnet 10.146.41.0/24.

4.Scenario

We will configure an IPSec Route-Based VPN on the two Sophos XG Firewall devices 1 and 2 so that the LAN subnets at both sites can reach each other.

5.Steps to take

Head office:

  • Create profile
  • Create IPSec connection
  • Configure virtual port xfrm1
  • Create Static Route
  • Create policy

Branch office:

  • Create profile
  • Create IPSec connection
  • Configure virtual port xfrm1
  • Create Static Route
  • Create policy

Result.

6.Configuration

6.1.Head office

6.1.1.Create profile

We need to create 2 profiles (network host objects), one for the head office subnet and one for the branch office subnet.

To create them, go to SYSTEM > Hosts and Services > click Add.

Create a profile for subnet 10.145.41.0/24 according to the following information:

  • Name*: Local
  • IP version*: IPv4
  • Type*: Network
  • IP address*: 10.145.41.0 – Subnet: /24(255.255.255.0)
  • Click Save

Similarly, we create a profile for subnet 10.146.41.0/24 with the following information:

  • Name*: Remote
  • IP version*: IPv4
  • Type*: Network
  • IP address*: 10.146.41.0 – Subnet: /24(255.255.255.0)
  • Click Save
6.1.2.Create IPSec connection

To create an IPSec connection go to Configure > VPN > IPSec connections > click Add.

We need to configure the following 3 parts: General settings, Encryption, Gateway settings.

General settings:

  • Name: VPN_XG1_TO_XG2
  • IP version: Dual
  • Connection type: Tunnel interface
  • Gateway type: Respond only
  • Active on save: uncheck
  • Create firewall rule: uncheck

Encryption:

  • Policy: select IKEv2
  • Authentication type: select Preshared key
  • Preshared key: enter password for VPN connection
  • Repeat preshared key: re-enter password for VPN connection password

Gateway settings:

  • Listening interface: select Port 2 – 192.168.2.120
  • Gateway address: enter XG 2’s WAN IP 192.168.2.121
  • Click Save

After creating the IPSec connection, left-click the circle icon in the Active column to enable this connection.

6.1.3.Configure virtual port xfrm1

Once the IPSec connection has been created, the virtual interface xfrm1 is created automatically. To configure it, go to Configure > Network and left-click on Port 2; the xfrm1 interface appears beneath it.

Left-click on the interface name xfrm1 and configure the following parameters:

IPv4/netmask*: enter IP 1.1.1.1 and select the netmask /24 (255.255.255.0)

Click OK

Note that 1.1.1.0/24 is a publicly routed range (1.1.1.1 is a well-known public DNS resolver), so on a production firewall pick an unused private range, for example a small block from RFC 1918 space, for the two tunnel addresses; otherwise traffic destined for those public addresses will be sent into the tunnel.

6.1.4.Create Static Route

In the next step, we will create a static route that sends the branch office subnet 10.146.41.0/24 through the xfrm1 interface.

To configure go to Configure > Routing > click Add.

Configure according to the following parameters:

  • Destination IP/ Netmask*: enter the branch office subnet 10.146.41.0/24
  • Gateway: enter the IP of the branch office's xfrm1 interface, 1.1.1.2
  • Interface: select the xfrm1 – 1.1.1.1 interface that we just configured
  • Click Save
6.1.5.Create policy

Finally, we need to create a firewall rule (policy) that allows traffic to flow between the two sites. The rule below uses Service Any so that connectivity can be tested; once the tunnel is verified, restrict it to the services that actually need to cross the sites.

Configure the Policy according to the following parameters:

  • Rule Status: ON
  • Rule name*: VPN_XG1_TO_XG2
  • Action: Accept
  • Rule Position: Top
  • Rule Group: None
  • Log firewall traffic: check the box
  • Source zones*: select LAN and VPN
  • Source networks and devices: select the 2 profiles Local and Remote
  • During scheduled time: select All the time
  • Destination zones*: select LAN and VPN
  • Destination networks*: select the 2 profiles Local and Remote
  • Service*: select Any
  • Click Save

6.2.Branch office

6.2.1.Create profile

We need to create 2 profiles (network host objects), one for the branch office subnet and one for the head office subnet.

To create them, go to SYSTEM > Hosts and Services > click Add.

Create a profile for subnet 10.146.41.0/24 according to the following information:

  • Name*: Local
  • IP version*: IPv4
  • Type*: Network
  • IP address*: 10.146.41.0 – Subnet: /24(255.255.255.0)
  • Click Save

Similarly, we create a profile for the head office subnet 10.145.41.0/24 with the following information:

  • Name*: Remote
  • IP version*: IPv4
  • Type*: Network
  • IP address*: 10.145.41.0 – Subnet: /24(255.255.255.0)
  • Click Save
6.2.2.Create IPSec connection

To create an IPSec connection go to Configure > VPN > IPSec connections > click Add.

We need to configure the following 3 parts: General settings, Encryption, Gateway settings.

General settings:

  • Name: VPN_XG2_TO_XG1
  • IP version: Dual
  • Connection type: Tunnel interface
  • Gateway type: Initiate the connection
  • Active on save: uncheck
  • Create firewall rule: uncheck

Encryption:

  • Policy: select IKEv2
  • Authentication type: select Preshared key
  • Preshared key: enter the password for the VPN connection (enter the same as the Head office site)
  • Repeat preshared key: re-enter the VPN connection password (enter the same as the Head office site)

Gateway settings:

  • Listening interface: select Port 2 – 192.168.2.121
  • Gateway address: enter XG 1’s WAN IP as 192.168.2.120
  • Click Save
6.2.3.Configure virtual port xfrm1

Once the IPSec connection has been created, the virtual interface xfrm1 is created automatically. To configure it, go to Configure > Network and left-click on Port 2; the xfrm1 interface appears beneath it.

Left-click on the interface name xfrm1 and configure the following parameters:

IPv4/netmask*: enter IP 1.1.1.2 and select the netmask /24 (255.255.255.0)

Click Save.

6.2.4.Create Static Route

In the next step, we will create a static route that sends the head office subnet 10.145.41.0/24 through the xfrm1 interface.

To configure go to Configure > Routing > click Add.

Configure according to the following parameters:

  • Destination IP/ Netmask*: enter the head office subnet 10.145.41.0/24
  • Gateway: enter the IP of the head office's xfrm1 interface, 1.1.1.1
  • Interface: select the xfrm1 – 1.1.1.2 interface that we just configured
  • Click Save.
6.2.5.Create policy

Finally, we need to create a firewall rule (policy) that allows traffic to flow between the two sites. As at the head office, Service Any is used only for the connectivity test and should be narrowed afterwards.

Configure the Policy according to the following parameters:

  • Rule Status: ON
  • Rule name*: VPN_XG2_TO_XG1
  • Action: Accept
  • Rule Position: Top
  • Rule Group: None
  • Log firewall traffic: check the box
  • Source zones*: select LAN and VPN
  • Source networks and devices: select the 2 profiles Local and Remote
  • During scheduled time: select All the time
  • Destination zones*: select LAN and VPN
  • Destination networks*: select the 2 profiles Local and Remote
  • Service*: select Any
  • Click Save
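
Before enabling the connection it is worth checking that the two sides really mirror each other: the gateway addresses must be swapped, the preshared keys must match, exactly one side should initiate, the Local and Remote objects must be swapped, and each static route must point at the peer's xfrm1 address through the local xfrm1 interface, exactly as sections 2 and 6 describe. The following script is an added example, not Sophos code and not part of the original article; it models the values typed into the admin UI above with its own class and field names, uses a placeholder PSK, and reports every mismatch it finds, including the easy typo of a Remote object pointing at the site's own LAN.

```python
"""Pre-flight consistency check for a Sophos route-based (xfrm) IPsec pair.

Added example, not Sophos code.  It models only the values entered in the
admin UI (IPsec connection, xfrm1 address, Local/Remote host objects,
static route) and verifies that the two sides mirror each other.  All class
and field names are this script's own; the PSK is a placeholder.
"""
from dataclasses import dataclass, field, replace
from ipaddress import ip_interface, ip_network


@dataclass
class StaticRoute:
    destination: str   # peer LAN, e.g. "10.146.41.0/24"
    gateway: str       # peer's xfrm1 address, e.g. "1.1.1.2"
    interface: str     # local tunnel interface, "xfrm1"


@dataclass
class Site:
    name: str
    wan_ip: str          # "Listening interface" address
    peer_gateway: str    # "Gateway address" entered in the IPsec connection
    psk: str             # preshared key (placeholder value below)
    gateway_type: str    # "Respond only" or "Initiate the connection"
    xfrm: str            # xfrm1 address with prefix, e.g. "1.1.1.1/24"
    local_net: str       # "Local" host object
    remote_net: str      # "Remote" host object
    routes: list = field(default_factory=list)


def check_pair(a: Site, b: Site) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        if me.peer_gateway != peer.wan_ip:
            findings.append(f"{me.name}: gateway address {me.peer_gateway} is not "
                            f"{peer.name}'s WAN IP {peer.wan_ip}")
        if me.remote_net != peer.local_net:
            findings.append(f"{me.name}: Remote object {me.remote_net} is not "
                            f"{peer.name}'s Local object {peer.local_net}")
        # The route for the peer LAN must leave via our xfrm1 toward the peer's xfrm1.
        peer_xfrm = str(ip_interface(peer.xfrm).ip)
        matching = [r for r in me.routes
                    if ip_network(r.destination) == ip_network(peer.local_net)]
        if not matching:
            findings.append(f"{me.name}: no static route for {peer.local_net}")
        for r in matching:
            if r.gateway != peer_xfrm:
                findings.append(f"{me.name}: route to {r.destination} uses gateway "
                                f"{r.gateway}, expected {peer_xfrm}")
            if not r.interface.startswith("xfrm"):
                findings.append(f"{me.name}: route to {r.destination} is not bound "
                                f"to an xfrm interface")
    if a.psk != b.psk:
        findings.append("preshared keys differ")
    if {a.gateway_type, b.gateway_type} == {"Respond only"}:
        findings.append("both sides are 'Respond only'; neither will initiate IKE")
    xa, xb = ip_interface(a.xfrm), ip_interface(b.xfrm)
    if xa.network != xb.network or xa.ip == xb.ip:
        findings.append(f"xfrm1 addresses {a.xfrm} and {b.xfrm} are not two distinct "
                        f"hosts on one subnet")
    if ip_network(a.local_net).overlaps(ip_network(b.local_net)):
        findings.append("the two LAN subnets overlap; routing would be ambiguous")
    return findings


def variant(site: Site, **changes) -> Site:
    """Copy of a site with some fields changed, for what-if checks."""
    return replace(site, **changes)


# Values from the article; the PSK is a placeholder, not the one used there.
HEAD = Site("XG1", "192.168.2.120", "192.168.2.121", "example-psk", "Respond only",
            "1.1.1.1/24", "10.145.41.0/24", "10.146.41.0/24",
            [StaticRoute("10.146.41.0/24", "1.1.1.2", "xfrm1")])
BRANCH = Site("XG2", "192.168.2.121", "192.168.2.120", "example-psk",
              "Initiate the connection", "1.1.1.2/24", "10.146.41.0/24",
              "10.145.41.0/24", [StaticRoute("10.145.41.0/24", "1.1.1.1", "xfrm1")])

if __name__ == "__main__":
    print("as configured:", check_pair(HEAD, BRANCH) or "consistent")
    # Reproduce the typo of a Remote object pointing at the branch's own LAN.
    print("mistyped Remote:",
          check_pair(HEAD, variant(BRANCH, remote_net="10.146.41.0/24")))
```

Run it once with the values you have typed into both firewalls; an empty result means the two sides agree, and each finding names the site and the field to correct before the Active icon is switched on.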

6.3.Result

After completing the configuration, we need to enable the IPSec VPN connection at the branch office site, which is the side configured to initiate.

To enable it, go to CONFIGURE > VPN > IPSec connections.

Click the circle icon in the Active column, then the one in the Connection column.

When both icons turn green, the VPN connection between the two sites has been established.

After a successful connection, you will see that the xfrm1 interfaces on both Sophos Firewall devices show the Connected state.

Finally, we will check if the subnets can ping each other.

At the head office site, techbast has prepared a server with IP 10.145.41.11/24.

At the branch office site, techbast has prepared a server with IP 10.146.41.100/24.

We will run a ping between the two servers.

From the server with IP 10.145.41.11/24, ping 10.146.41.100. The ping succeeds.

Conversely, from the server with IP 10.146.41.100/24, ping 10.145.41.11. The ping succeeds.

Next, we will use the tracert command to see the path the packets take between the two sites.

From the server with IP 10.145.41.11/24, run tracert to the server with IP 10.146.41.100/24.

The result shows that the packets reached server 10.146.41.100 via the xfrm1 interface with IP 1.1.1.2 on the Sophos Firewall at the branch office site.

Conversely, from the server with IP 10.146.41.100/24, run tracert to the server with IP 10.145.41.11/24.

The result shows that the packets reached server 10.145.41.11 via the xfrm1 interface with IP 1.1.1.1 on the Sophos Firewall at the head office site.
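
A successful ping alone does not prove the traffic is inside the tunnel; the tracert output does, because the peer firewall answers from its xfrm1 address. The script below is an added example, not part of the original article: it parses Windows tracert output and accepts a path only when the peer's xfrm1 address appears and no hop outside the two LANs and the tunnel subnet shows up, which is what you would see if the tunnel were down and packets followed the default route instead. The sample outputs are constructed for the demo; 10.145.41.1 (the head office firewall's LAN address) and 192.168.2.1 (the WAN next hop) are assumptions, not values from the article.

```python
"""Check that a tracert between the two LANs really went through the tunnel.

Added example, not part of the original article.  Parses Windows `tracert`
output and classifies each hop against the local LAN, the xfrm tunnel
subnet and the remote LAN.  Sample outputs are constructed; 10.145.41.1 and
192.168.2.1 are assumed addresses.
"""
import re
from ipaddress import ip_address, ip_network

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_hops(tracert_output: str) -> list:
    """Responding address per hop, None where the hop timed out."""
    hops = []
    for line in tracert_output.splitlines():
        if not re.match(r"^\s*\d+\s+", line):
            continue                      # header, blank line, "Trace complete."
        addrs = IPV4.findall(line)        # last IPv4 on the line is the hop ("host [ip]" too)
        hops.append(addrs[-1] if addrs else None)
    return hops


def tunnel_verdict(tracert_output, local_lan, xfrm_net, remote_lan, destination) -> str:
    """'via_tunnel', 'bypassed' (a hop outside LANs and tunnel subnet) or 'incomplete'."""
    expected = [ip_network(local_lan), ip_network(xfrm_net), ip_network(remote_lan)]
    hops = parse_hops(tracert_output)
    seen_xfrm = False
    for h in hops:
        if h is None:
            continue
        addr = ip_address(h)
        if addr in ip_network(xfrm_net):
            seen_xfrm = True
        elif not any(addr in net for net in expected):
            return "bypassed"             # traffic left via WAN or another path
    if seen_xfrm and hops and hops[-1] == destination:
        return "via_tunnel"
    return "incomplete"


# Constructed sample: head office server 10.145.41.11 -> branch server 10.146.41.100.
GOOD = """\
Tracing route to 10.146.41.100 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.145.41.1
  2     2 ms     2 ms     2 ms  1.1.1.2
  3     2 ms     2 ms     2 ms  10.146.41.100

Trace complete.
"""

# Constructed sample of the failure mode: tunnel down, packets follow the default route.
BYPASSED = """\
Tracing route to 10.146.41.100 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.145.41.1
  2     1 ms     1 ms     1 ms  192.168.2.1
  3     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    for name, out in (("good", GOOD), ("bypassed", BYPASSED)):
        print(name, tunnel_verdict(out, "10.145.41.0/24", "1.1.1.0/24",
                                   "10.146.41.0/24", "10.146.41.100"))
```

Paste the real tracert output in place of the constructed samples; a "bypassed" verdict means the remote LAN is being reached (or attempted) over a path other than xfrm1, which is the case to investigate before trusting the link.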
