How to configure IPSec VPN Site-to-site between two Sophos devices when one of them is behind another Sophos device

1.The purpose of the article

In this article techbast will show you how to configure an IPSec VPN Site-to-site between two Sophos Firewall devices when one of the two sits behind another Sophos Firewall device.

2.Diagram

Details:

Head Office:

  • The head office site uses an external/internal firewall model with two devices: Sophos Firewall 1 is the external firewall and Sophos Firewall 2 is the internal firewall.
  • The internet connection is on Port 2 of Sophos Firewall 1 with IP 192.168.2.111.
  • The LAN network of Sophos Firewall 1 is configured on Port 1 with IP 10.145.41.1/24 and runs DHCP for the devices connected to it.
  • On Sophos Firewall 2 the WAN port is Port 2, which is connected to Port 1 of Sophos Firewall 1; Port 2 on Sophos Firewall 2 has the static IP 10.145.41.50/24.
  • Sophos Firewall 2's LAN is configured on Port 1 with IP 10.146.41.1/24 and has DHCP configured.

Branch office:

  • The internet connection is connected at Port 2 of Sophos Firewall 3 device with IP 192.168.2.112.
  • The LAN is configured on Port 1 with IP 172.16.16.16/24 and has DHCP configured to allocate IPs to connected devices.

3.Scenario

Based on the above diagram, we will configure an IPSec VPN Site-to-site between Sophos Firewall 2 at the Head Office site and Sophos Firewall 3 at the Branch Office site so that the LANs of the two sites can communicate with each other. Because Sophos Firewall 2 sits behind Sophos Firewall 1, Sophos Firewall 1 must forward the IKE traffic (UDP 500 and UDP 4500) arriving on its WAN IP to Sophos Firewall 2, and the tunnel will run in NAT traversal (NAT-T) mode.

4.Steps to take

Sophos Firewall 1:

  • Create profile for IPSec service.
  • Create Profile for Sophos Firewall 2’s WAN IP.
  • Create a DNAT rule that forwards the IPSec service from the WAN IP to Sophos Firewall 2's WAN IP.

Sophos Firewall 2:

  • Create profiles for Local and Remote subnet.
  • Create IPSec connection.
  • Create a policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Sophos Firewall 3:

  • Create profiles for Local and Remote subnet.
  • Create IPSec connection.
  • Create a policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Result.

5.Configuration.

5.1.Sophos Firewall 1.

5.1.1.Create profile for IPSec service

An IPSec VPN Site-to-site connection uses UDP port 500 (IKE) and UDP port 4500 (IKE and ESP encapsulated in UDP for NAT traversal). Because Sophos Firewall 2 sits behind Sophos Firewall 1's NAT, the two peers detect the NAT during IKE negotiation and move both IKE and the ESP traffic to UDP 4500 (NAT-T), so these two ports are all that Sophos Firewall 1 has to forward.

We need to create one service profile that contains both ports.

To create, go to SYSTEM > Hosts and services > Services > click Add.

Create with the following parameters:

  • Name*: IPSec S2S VPN
  • Type*: select TCP/UDP.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 500
  • Press the + icon to add 1 row.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 4500.
  • Click Save.
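To make the NAT detection concrete, here is an added Python example (written for this page, not taken from techbast's article and not Sophos Firewall code) that computes the IKEv2 NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP digests from RFC 7296 section 2.23 for the addresses in this diagram. The SPI values are constructed placeholders. It shows why the digest Sophos Firewall 2 computes over its private address 10.145.41.50 never matches what Sophos Firewall 3 sees (192.168.2.111), which is what moves the tunnel onto UDP 4500.

```python
import hashlib
import ipaddress
import struct

# Constructed placeholder SPIs (8 bytes each); real values are random per IKE SA.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")

# Addresses from the article's diagram.
SF1_WAN = "192.168.2.111"   # public address of the head office; SF1 DNATs UDP 500/4500 to SF2
SF2_WAN = "10.145.41.50"    # Sophos Firewall 2's listening interface, behind SF1
SF3_WAN = "192.168.2.112"   # Sophos Firewall 3, directly on the internet


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | UDP port (RFC 7296, section 2.23).

    A peer puts this digest, computed over the addresses it believes it is
    using, into NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP.
    The receiver recomputes it over the addresses in the packet it actually
    got; a mismatch proves a NAT rewrote that address on the way.
    """
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(claimed_ip: str, claimed_port: int, seen_ip: str, seen_port: int) -> bool:
    """Compare the digest the peer sent with the one computed over the observed header."""
    sent = nat_detection_hash(SPI_I, SPI_R, claimed_ip, claimed_port)
    observed = nat_detection_hash(SPI_I, SPI_R, seen_ip, seen_port)
    return sent != observed


def sf2_view():
    """SF2 receives SF3's IKE_SA_INIT after SF1's DNAT: source unchanged, destination rewritten.

    Returns (peer_behind_nat, self_behind_nat) as SF2 concludes them.
    """
    peer_behind_nat = nat_detected(SF3_WAN, 500, SF3_WAN, 500)   # SOURCE digest vs. seen source
    self_behind_nat = nat_detected(SF1_WAN, 500, SF2_WAN, 500)   # DESTINATION digest vs. seen destination
    return peer_behind_nat, self_behind_nat


def sf3_view():
    """SF3 receives SF2's reply after SF1 masquerades it: the source becomes 192.168.2.111."""
    peer_behind_nat = nat_detected(SF2_WAN, 500, SF1_WAN, 500)
    self_behind_nat = nat_detected(SF3_WAN, 500, SF3_WAN, 500)
    return peer_behind_nat, self_behind_nat


def ike_port_after_detection(view) -> int:
    """With a NAT on either side both peers move IKE and ESP to UDP 4500; otherwise IKE stays on 500."""
    return 4500 if any(view) else 500


if __name__ == "__main__":
    print("SF2 sees: peer behind NAT =", sf2_view()[0], ", self behind NAT =", sf2_view()[1])
    print("SF3 sees: peer behind NAT =", sf3_view()[0], ", self behind NAT =", sf3_view()[1])
    print("port used after IKE_SA_INIT:", ike_port_after_detection(sf3_view()))
```

Both firewalls reach the same conclusion from opposite ends (SF2 learns it is behind a NAT, SF3 learns its peer is), so only UDP 4500 carries the tunnel after IKE_SA_INIT, and the DNAT rule on Sophos Firewall 1 has to cover that port as well as UDP 500.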

5.1.2.Create Profile for Sophos Firewall 2’s WAN IP.

To create go to SYSTEM > Hosts and services > IP Host > Click Add.

Create with the following information:

  • Name*: Sophos Firewall 2.
  • IP version*: select IPv4.
  • Type*: select IP.
  • IP address*: Enter Sophos Firewall 2's WAN IP, 10.145.41.50.
  • Click Save.

5.1.3.Create a DNAT rule forwarding the IPSec service from the WAN IP to Sophos Firewall 2.

To create the NAT rule, go to PROTECT > Rules and policies > Add firewall rule > Server access assistant [DNAT].

After clicking on Server access assistant [DNAT] a configuration panel pops up.

In the Internal server IP address we tick Select IP host and select Sophos Firewall 2 – 10.145.41.50 from the drop-down list.

Click Next.

Under Public IP address, select Select public ip address or WAN interface and select #Port 2 – 192.168.2.111 from the drop-down list.

Click Next.

In Service, click Add new item and select IPSec S2S VPN profile.

Click Next.

In External source networks or devices, keep the Any option and click Next. If you want a tighter rule, select an IP host for Sophos Firewall 3's WAN IP (192.168.2.112) here instead, so that only the branch peer can reach the IKE service forwarded to Sophos Firewall 2.

The last step reviews the options selected in the previous steps; if they are correct, click Save and finish to complete the rule.

5.2.Sophos Firewall 2

5.2.1.Create profiles for Local and Remote subnet

We will create profiles for the Local and Remote subnet.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Local subnet with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.146.41.0 Subnet /24[255.255.255.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:

  • Name*: SF3_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.16.0 Subnet /24[255.255.255.0]
  • Click Save.

5.2.2.Create IPSec connection

To create it, go to CONFIGURE > VPN > IPSec connections > click Add.

In General we configure with the following parameters:

  • Name: SF2_TO_SF3.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Respond only (Sophos Firewall 3 will initiate the connection through the DNAT rule on Sophos Firewall 1).
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select IKEv2.
  • Authentication type: select Preshared key.
  • Preshared key: enter a long, random preshared key.
  • Repeat preshared key: re-enter the same preshared key.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 10.145.41.50.
  • Local ID type: select IP address.
  • Local ID: enter 10.145.41.50, the address of the listening interface (not the public IP 192.168.2.111 that Sophos Firewall 1 NATs to it).
  • Local subnet: select profile SF2_LAN.

Remote Gateway:

  • Gateway address: Enter Sophos Firewall 3’s WAN IP as 192.168.2.112.
  • Remote ID type: select IP address.
  • Remote ID: enter 192.168.2.112.
  • Remote subnet: select profile SF3_LAN.

Click Save.

After clicking Save, the IPSec connection will be created as shown below.

However, this connection is still not enabled, to turn it on, click the circle icon in the Active column and click OK.

At this point, the circle icon in the Active column turns green, which means that the connection has been successfully turned on.

5.2.3.Create a policy to allow traffic between 2 zones LAN and VPN.

By default, the firewall blocks all traffic between zones.

So we need to create a firewall rule that allows traffic between the LAN zone and the VPN zone.

To create it, go to PROTECT > Rules and policies > Add firewall rule and create a rule as shown below: source zone LAN with source network SF2_LAN to destination zone VPN with destination network SF3_LAN, and the reverse direction (VPN/SF3_LAN to LAN/SF2_LAN). Restricting the rule to these two networks rather than Any keeps the tunnel from becoming a path into the rest of the head office network.

Click Save.

5.2.4.Enable PING and HTTPS services on VPN zone.

By default, no device-access services are enabled on the VPN zone.

To enable them, go to SYSTEM > Administration > Device Access.

Tick the HTTPS and Ping/Ping6 services in the VPN zone row and click Apply to save.

5.3.Sophos Firewall 3

5.3.1.Create profiles for Local and Remote subnet.

We will create profiles for the Local and Remote subnet.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Local subnet with the following parameters:

  • Name*: SF3_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.16.0 Subnet /24[255.255.255.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.146.41.0 Subnet /24[255.255.255.0]
  • Click Save.

5.3.2.Create IPSec connection

To create it, go to CONFIGURE > VPN > IPSec connections > click Add.

In General we configure with the following parameters:

  • Name: SF3_TO_SF2.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Initiate the connection.
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select IKEv2.
  • Authentication type: select Preshared key.
  • Preshared key: Enter the connection password.
  • Repeat preshared key: re-enter the connection password.
  • Note that the preshared key must be identical to the one entered on Sophos Firewall 2.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 192.168.2.112.
  • Local ID type: select IP address.
  • Local ID: enter 192.168.2.112.
  • Local subnet: select profile SF3_LAN.

Remote Gateway:

  • Gateway address: Enter Sophos Firewall 1's WAN IP, 192.168.2.111. This is the public address that the DNAT rule forwards to Sophos Firewall 2.
  • Remote ID type: select IP address.
  • Remote ID: enter 10.145.41.50. Sophos Firewall 2 identifies itself with the address of its listening interface, not with the public address it is NATed behind, so the Remote ID must be the private IP even though the Gateway address is the public one.
  • Remote subnet: select profile SF2_LAN.

Click Save.

After clicking Save, the IPSec connection will be created as shown below.

However, this connection is still not enabled, to turn it on, click the circle icon in the Active column and click OK.

At this point, the circle icon in the Active column turns green, which means that the connection has been successfully turned on.

Once the connection is active, Sophos Firewall 3 initiates IKE negotiation towards 192.168.2.111; Sophos Firewall 1's DNAT rule forwards those UDP 500/4500 packets to Sophos Firewall 2, and the IPSec VPN Site-to-site tunnel is established between Sophos Firewall 2 and Sophos Firewall 3.

The circle icon in the Connection column then turns green, indicating that the IPSec connection between the two devices has been established.

On Sophos Firewall 2, the circle icon in the Connection column also turns green.
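As an added cross-check of sections 5.2.2 and 5.3.2 (example code written for this page, not part of techbast's article and not a Sophos Firewall feature), the following Python script models both IPSec connection definitions and flags the mistakes that most often break this NAT scenario: a Remote ID set to the public IP instead of the peer's listening address, a Gateway address set to the private address behind the DNAT, mismatched subnets or preshared keys. The preshared key string is a constructed placeholder, and the DNAT mapping is the one from section 5.1.3.

```python
import ipaddress
from dataclasses import dataclass, replace

# Public address at which a NATed listening interface is reachable: SF1's DNAT rule from section 5.1.3.
DNAT_PUBLIC = {"10.145.41.50": "192.168.2.111"}

# Constructed placeholder; a real deployment uses a long random key entered on both firewalls.
PSK = "replace-me-with-a-long-random-preshared-key"


@dataclass(frozen=True)
class IpsecSide:
    name: str
    listening_ip: str      # Listening interface address
    local_id: str          # Local ID (type: IP address)
    local_subnet: str
    gateway_address: str   # Remote gateway address this side dials or expects
    remote_id: str         # Remote ID (type: IP address)
    remote_subnet: str
    gateway_type: str      # "Respond only" or "Initiate the connection"
    psk: str


def reachable_at(side: IpsecSide) -> str:
    """The address a peer must use to reach this side: the DNAT public IP if the side is behind SF1."""
    return DNAT_PUBLIC.get(side.listening_ip, side.listening_ip)


def check_pair(a: IpsecSide, b: IpsecSide) -> list:
    """Return a list of findings; an empty list means both connection definitions agree."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        # The IKE identity is the listening address the peer configured, not the address it is NATed to.
        if me.remote_id != peer.local_id:
            findings.append(f"{me.name}: Remote ID {me.remote_id} must equal "
                            f"{peer.name}'s Local ID {peer.local_id}")
        if me.gateway_address != reachable_at(peer):
            findings.append(f"{me.name}: Gateway address {me.gateway_address} must be "
                            f"{reachable_at(peer)}, where {peer.name} is reachable")
        if me.remote_subnet != peer.local_subnet:
            findings.append(f"{me.name}: Remote subnet {me.remote_subnet} must equal "
                            f"{peer.name}'s Local subnet {peer.local_subnet}")
    if ipaddress.ip_network(a.local_subnet).overlaps(ipaddress.ip_network(b.local_subnet)):
        findings.append("Local subnets overlap; traffic selectors would be ambiguous")
    if a.psk != b.psk:
        findings.append("Preshared keys differ")
    elif len(a.psk) < 20:
        findings.append("Preshared key is short; use a long random value")
    if not any(s.gateway_type == "Initiate the connection" for s in (a, b)):
        findings.append("Neither side initiates, so the tunnel never comes up")
    return findings


# The two connections exactly as the article configures them.
SF2 = IpsecSide("SF2_TO_SF3", "10.145.41.50", "10.145.41.50", "10.146.41.0/24",
                "192.168.2.112", "192.168.2.112", "172.16.16.0/24", "Respond only", PSK)
SF3 = IpsecSide("SF3_TO_SF2", "192.168.2.112", "192.168.2.112", "172.16.16.0/24",
                "192.168.2.111", "10.145.41.50", "10.146.41.0/24", "Initiate the connection", PSK)


def article_config_findings() -> list:
    return check_pair(SF2, SF3)


def common_mistake_findings() -> list:
    """SF3 configured as if SF2 were directly on the internet: public IP as Remote ID, private IP as gateway."""
    wrong_sf3 = replace(SF3, remote_id="192.168.2.111", gateway_address="10.145.41.50")
    return check_pair(SF2, wrong_sf3)


if __name__ == "__main__":
    print("article config:", article_config_findings() or "OK")
    for finding in common_mistake_findings():
        print("mistake:", finding)
```

The article's values produce no findings; swapping Sophos Firewall 3's Remote ID and Gateway address for each other, which is the natural guess when the peer is behind a NAT, produces two, and either one alone is enough to stall the tunnel at IKE authentication or at the initial packet.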

5.3.3.Create a policy to allow traffic between 2 zones LAN and VPN.

By default, the firewall blocks all traffic between zones.

So we need to create a firewall rule that allows traffic between the LAN zone and the VPN zone.

To create it, go to PROTECT > Rules and policies > Add firewall rule and create a rule as shown below: source zone LAN with source network SF3_LAN to destination zone VPN with destination network SF2_LAN, and the reverse direction (VPN/SF2_LAN to LAN/SF3_LAN).

5.3.4.Enable PING and HTTPS services on VPN zone.

By default, no device-access services are enabled on the VPN zone.

To enable them, go to SYSTEM > Administration > Device Access.

Tick the HTTPS and Ping/Ping6 services in the VPN zone row and click Apply to save.

5.4.Result.

Techbast uses one computer at each site to ping the other and check the result.

At the Head Office site techbast has prepared a server with IP 10.146.41.10/24, and at the Branch Office site a Windows 10 machine with IP 172.16.16.17/24.

Ping from the server 10.146.41.10 to the Windows 10 machine 172.16.16.17.

The ping succeeds.

Ping from the Windows 10 machine 172.16.16.17 to the server 10.146.41.10.

The ping succeeds.
