Sophos XG: How to configure IPSec VPN Site to Site between Sophos XG and SonicWall

Overview

This article describes how to configure a site-to-site IPsec VPN tunnel between a Sophos XG Firewall and a SonicWall firewall, using a pre-shared key to authenticate the VPN peers.

Diagram

How to configure

On Sophos XG

  • Go to System -> Choose Hosts and services -> Choose IP host -> Click Add to create the Sophos LAN subnet object
      • Enter Name
      • In IP version: Choose IPv4
      • In Type: Choose Network
      • In IP address: Enter 172.16.16.0/24

-> Click Save

  • Click Add again to create the SonicWall LAN subnet object
  • Create the IPSec VPN policy between Sophos XG and SonicWall
  • Go to Configure -> Choose VPN -> Choose IPSec policies -> Click Add
      • Enter name
      • In Key exchange: Choose IKEv2
      • In Authentication mode: Choose Main mode
      • In Key negotiation tries: Enter 0
      • Choose Re-key connection
      • In Phase 1
          • In Key life: Enter 28800
          • In Re-key margin: Enter 360
          • In Randomize re-keying margin by: Enter 100
          • In DH group: Choose 14 (DH 2048)
          • In Encryption: Choose 3DES
          • In Authentication: Choose MD5
      • In Phase 2
          • In PFS group (DH group): Choose Same as phase-I
          • In Key life: Enter 28800
          • In Encryption: Choose Phase 1
          • In Authentication: Choose Phase 1
      • In Dead Peer Detection: Keep the default

-> Click Save

  • Create the IPSec VPN connection between Sophos XG and SonicWall
  • Go to Configure -> Choose VPN -> Choose IPSec connections -> Click Add
      • Enter name
      • In IP version: Choose IPv4
      • In Connection type: Choose Site-to-site
      • In Gateway type: Choose Initiate the connection
      • Tick Active on save and Create firewall rule
      • In Policy: Choose the policy between Sophos XG and SonicWall created above
      • In Authentication type: Choose Preshared key
      • Enter the Preshared key
      • In Local gateway
          • In Listening interface: Choose the WAN port of Sophos XG
          • In Local subnet: Choose the Sophos LAN subnet
      • In Remote gateway
          • In Gateway address: Enter the WAN IP of SonicWall
          • In Remote subnet: Choose the SonicWall LAN subnet
      • In User authentication mode: Choose None

-> Click Save

On SonicWall

  • Create the Local network object
      • Enter name
      • In Zone Assignment: Choose VPN
      • In Type: Choose Network
      • In Network: Enter the LAN subnet of SonicWall
      • In Netmask/Prefix Length: Enter the netmask of that LAN subnet
  • Create the Remote network object
      • Enter name
      • In Zone Assignment: Choose VPN
      • In Type: Choose Network
      • In Network: Enter the LAN subnet of Sophos XG
      • In Netmask/Prefix Length: Enter the netmask of that LAN subnet
  • Go to VPN -> Choose Settings -> Enable VPN
      • In Unique Firewall Identifier: Enter the serial number of the SonicWall device
  • Create the VPN policy -> Click Add
      • In tab General
          • In Policy Type: Choose Site to Site
          • In Authentication Method: Choose IKE using Preshared Secret
          • In Name: Enter name
          • In IPsec Primary Gateway Name or Address: Enter the WAN IP of Sophos XG
          • In Shared Secret: Enter the Preshared key
          • In Local IKE ID: Choose IPv4
          • In Peer IKE ID: Choose IPv4
      • In tab Network
          • In Choose local network from list: Choose the SonicWall LAN subnet
          • In Choose destination network from list: Choose the Sophos LAN subnet
      • In tab Proposals
          • In IKE (Phase 1) Proposal
              • In Exchange: Choose IKE v2 Mode
              • In DH Group: Choose Group 14
              • In Encryption: Choose 3DES
              • In Authentication: Choose MD5
              • In Life Time (seconds): Enter 28800
          • In IPsec (Phase 2) Proposal
              • In Protocol: Choose ESP
              • In Encryption: Choose 3DES
              • In Authentication: Choose MD5
              • In Life Time (seconds): Enter 28800
      • In tab Advanced
          • In Enable Windows Networking (NetBIOS) Broadcast
          • In WXA Group: Choose None
          • In Default LAN Gateway (optional): Enter 0.0.0.0
          • In VPN Policy bound to: Choose Zone WAN
  • Check the result on Sophos XG
  • Check the result on SonicWall
  • Test ping
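As an added example (not part of the original article), a small Python check that compares the Phase 1 and Phase 2 values entered on both peers, flags the mismatches that stop the tunnel from negotiating, and flags 3DES and MD5, which are legacy algorithms that should be replaced with a current suite such as AES-256/SHA-256 before production use. The dict layout, the function names and the SonicWall LAN subnet 192.168.10.0/24 are this example's own assumptions; the other values mirror the steps above.

```python
# Added example (not from the article): sanity-check the proposal values
# entered on both peers before bringing the tunnel up. The numbers mirror
# the article's steps; the dict layout, the SonicWall LAN subnet and the
# function names are this example's own assumptions.
import copy

LEGACY_ENCRYPTION = {"DES", "3DES"}
LEGACY_INTEGRITY = {"MD5", "SHA1"}

# Values as configured on each peer (constructed from the steps above).
SOPHOS_XG = {
    "ike": "IKEv2",
    "phase1": {"dh_group": 14, "enc": "3DES", "auth": "MD5", "lifetime": 28800},
    "phase2": {"pfs_group": 14, "enc": "3DES", "auth": "MD5", "lifetime": 28800},
    "local_subnet": "172.16.16.0/24",
    "remote_subnet": "192.168.10.0/24",   # placeholder for the SonicWall LAN
}
SONICWALL = {
    "ike": "IKEv2",
    "phase1": {"dh_group": 14, "enc": "3DES", "auth": "MD5", "lifetime": 28800},
    "phase2": {"pfs_group": 14, "enc": "3DES", "auth": "MD5", "lifetime": 28800},
    "local_subnet": "192.168.10.0/24",
    "remote_subnet": "172.16.16.0/24",
}

def check_peers(a, b):
    """Return findings: mismatches that stop the tunnel negotiating, and
    legacy algorithms that should be replaced before production use."""
    findings = []
    if a["ike"] != b["ike"]:
        findings.append(f"IKE version mismatch: {a['ike']} vs {b['ike']}")
    for phase in ("phase1", "phase2"):
        for key, value in a[phase].items():
            if b[phase].get(key) != value:
                findings.append(f"{phase} {key} mismatch: {value} vs {b[phase].get(key)}")
        if a[phase]["enc"] in LEGACY_ENCRYPTION:
            findings.append(f"{phase} uses legacy encryption {a[phase]['enc']}")
        if a[phase]["auth"] in LEGACY_INTEGRITY:
            findings.append(f"{phase} uses legacy integrity {a[phase]['auth']}")
    # Traffic selectors must mirror each other or Phase 2 never comes up.
    if (a["local_subnet"], a["remote_subnet"]) != (b["remote_subnet"], b["local_subnet"]):
        findings.append("local/remote subnets do not mirror each other")
    return findings

def with_modern_suite(profile, enc="AES256", auth="SHA256"):
    """Copy of a profile with both phases moved to a current cipher suite."""
    hardened = copy.deepcopy(profile)
    for phase in ("phase1", "phase2"):
        hardened[phase]["enc"], hardened[phase]["auth"] = enc, auth
    return hardened

if __name__ == "__main__":
    for line in check_peers(SOPHOS_XG, SONICWALL):
        print(line)
```

Run it before clicking Save on either side: an empty findings list means both peers agree and no legacy algorithm is in use.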
