How to configure IPSec VPN between Sophos and Palo Alto when the Sophos device is behind another Sophos device

1.The purpose of the article

In this article, techbast will show you how to configure an IPSec site-to-site VPN between a Sophos Firewall and a Palo Alto firewall when the Sophos device sits behind another Sophos Firewall, that is, behind NAT. The two things that differ from a plain site-to-site setup are the DNAT for the IKE and NAT-T ports on the outer firewall and the IKE identities, which must match what each peer actually presents rather than the NAT address.

2.Diagram

Details:

Head Office:

  • At the head office site we use an external/internal firewall model with two devices: Sophos Firewall 1 is the external firewall and Sophos Firewall 2 is the internal firewall.
  • The internet connection is connected at Port 2 of Sophos Firewall 1 device with IP 192.168.2.111.
  • The LAN network of the Sophos Firewall 1 device is configured at Port 1 with IP 10.145.41.1/24 and has DHCP configured to allocate to devices connected to it.
  • Port 2 of Sophos Firewall 2 is its WAN port and is connected to Port 1 of Sophos Firewall 1; Port 2 on Sophos Firewall 2 has the static IP 10.145.41.50/24.
  • Sophos Firewall 2’s LAN is configured at Port 1 with IP 10.146.41.1/24 and has DHCP configured.

Branch office:

  • The internet connection is connected at ethernet port1/1 of Palo Alto firewall device with IP 192.168.2.115.
  • The LAN is configured at ethernet1/2 port with IP 172.16.16.16/24 and has DHCP configured to allocate IPs to connected devices.

3.Scenario

Based on the above diagram, we will configure IPSec VPN Site to site between Sophos Firewall 2 device at Head Office site and Palo Alto Firewall 3 device at Branch Office site so that both LANs of 2 sites can communicate with each other.

4.What to do

Sophos Firewall 1:

  • Create a service object for the IPSec ports (UDP 500 and UDP 4500).
  • Create an IP host object for Sophos Firewall 2's WAN IP.
  • Create a DNAT rule that forwards that IPSec service from the internet to Sophos Firewall 2's WAN IP.

Sophos Firewall 2:

  • Create profiles for Local and Remote subnet.
  • Create IPSec policy.
  • Create IPSec connection.
  • Create policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Palo Alto Firewall:

  • Create VPN zone.
  • Create Address Object.
  • Create tunnel interface.
  • Create Virtual Routers.
  • Create IKE Crypto.
  • Create IPSec Crypto.
  • Create IKE Gateways.
  • Create IPSec Tunnels.
  • Create policy.

Result.

5.Configuration.

5.1.Sophos Firewall 1.

5.1.1.Create a profile for the IPSec service

The IPSec site-to-site connection uses UDP port 500 for IKE and UDP port 4500 for NAT Traversal (NAT-T). Because Sophos Firewall 2 sits behind Sophos Firewall 1, both peers detect the NAT during the IKE exchange and move IKE and the ESP payload to UDP 4500, so both ports must be forwarded.

We need to create one service object covering these two ports.

To create, go to SYSTEM > Hosts and services > Services > click Add.

Create with the following parameters:

  • Name*: IPSec S2S VPN
  • Type*: select TCP/UDP.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 500
  • Press the + icon to add 1 row.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 4500.
  • Click Save.

5.1.2.Create a profile for Sophos Firewall 2's WAN IP.

To create go to SYSTEM > Hosts and services > IP Host > Click Add.

Create with the following information:

  • Name*: Sophos Firewall 2.
  • IP version*: select IPv4.
  • Type*: select IP.
  • IP address*: enter Sophos Firewall 2's WAN IP, 10.145.41.50.
  • Click Save.

5.1.3.Publish Sophos Firewall 2's WAN IP for the IPSec service with a DNAT rule.

To create the NAT rule, go to PROTECT > Rules and policies > Add firewall rule > Server access assistant [DNAT].

After clicking on Server access assistant [DNAT] a configuration panel pops up.

In the Internal server IP address we tick Select IP host and select Sophos Firewall 2 – 10.145.41.50 from the drop-down list.

Click Next.

In Public IP address check Select public ip address or WAN interface and select #Port 2 – 192.168.2.111 from the drop-down list.

Click Next.

In Service, click Add new item and select IPSec S2S VPN profile.

Click Next.

In External source networks or devices, keep the Any option and click Next. If the branch office has a fixed public IP, it is better to restrict this to an IP host for 192.168.2.115 so that only the Palo Alto firewall can reach the forwarded IKE ports.

The last step is to review the previously selected options, if you have selected the correct one, click Save and finish to complete.

5.2.Sophos Firewall 2

5.2.1.Create profiles for Local and Remote subnet

We will create profiles for Local and Remote subnet.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Local subnet with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.146.41.0 Subnet /24[255.255.255.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:

Name*: PA_LAN.

IP version*: IPv4.

Type*: Network.

IP address*: 172.16.16.0 Subnet /24[255.255.255.0]

Click Save.

5.2.2.Create IPSec policy

Because this connection is between two different vendors' devices, the Phase 1 and Phase 2 proposals must match exactly on both sides. We create the IPSec policy on Sophos first and later mirror the same values in the Palo Alto IKE Crypto and IPSec Crypto profiles.

To create IPSec policies go to CONFIGURE > VPN > IPSec policies > Click Add.

Create an IPSec policy with the following parameters.

General settings:

  • Name: VPN_S2S_PaloAlto.
  • Key exchange: IKEv2.
  • Authentication mode: Main mode (this setting only applies to IKEv1 and is ignored when IKEv2 is selected).
  • Tick Re-key connection.

Phase 1:

  • Key life: 5400.
  • Re-key margin: 360.
  • Randomize re-keying margin by: 50.
  • DH group (key group): 2 (DH1024).
  • Encryption: AES256.
  • Authentication: SHA2 256.

Phase 2:

  • PFS group (DH group): None.
  • Key life: 3600.
  • Encryption: AES128.
  • Authentication: SHA2 256.

Note: DH group 2 (1024-bit MODP) and PFS disabled are the weakest settings both vendors accept. If both firewalls support it, choose DH group 14 (2048-bit) or higher for Phase 1 and the same group as the PFS group in Phase 2, and mirror the change in the Palo Alto profiles in sections 5.3.5 and 5.3.6.

Dead Peer Detection:

  • Dead Peer Detection: tick.
  • Check peer after every: 30.
  • Wait for response up to: 120.
  • When peer unreachable: Re-initiate.

Click Save.

5.2.3.Create IPSec connection

To create go to CONFIGURE > VPN > IPSec connections > click Add.

In General we configure with the following parameters:

  • Name: VPN_SOPHOS_TO_PA.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Respond only (Sophos Firewall 2 sits behind NAT, so the Palo Alto side initiates and this side only answers the IKE traffic that Sophos Firewall 1 forwards to it).
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select VPN_S2S_PaloAlto from drop-down list.
  • Authentication type: select Preshared key.
  • Preshared key: enter Preshared key.
  • Repeat preshared key: re-enter Preshared key.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 10.145.41.50.
  • Local ID type: select IP address.
  • Local ID: enter 10.145.41.50. This is the identity Sophos Firewall 2 presents inside IKE; the Palo Alto side must expect this value, not the NAT address 192.168.2.111 that the packets arrive from.
  • Local subnet: enter profile SF2_LAN.

Remote Gateway:

  • Gateway address: Enter Palo Alto firewall’s WAN IP as 192.168.2.115.
  • Remote ID type: select IP address.
  • Remote ID: enter 192.168.2.115.
  • Remote subnet: select profile PA_LAN.

Click Save.

After clicking Save, the IPSec connection will be created as shown below.

However, this connection is still not enabled, to turn it on, click the circle icon in the Active column and click OK.

Now the circle icon in the Active column turns green, which means that the connection has been successfully turned on.

5.2.4.Create policy to allow traffic between 2 zones LAN and VPN.

By default, the firewall will block all traffic between zones.

So we need to create a policy to allow traffic to go back and forth between the LAN and VPN zones.

To create, go to PROTECT > Rules and policies > Add firewall rule and create a rule with Source zones LAN and VPN, Source networks SF2_LAN and PA_LAN, Destination zones LAN and VPN, Destination networks SF2_LAN and PA_LAN, and Action Accept, so that only the two LAN subnets can use the tunnel.

Click Save.

5.2.5.Enable PING and HTTPS services on VPN zone.

By default, no device access services are enabled for the VPN zone, so Sophos Firewall 2 itself cannot be pinged or managed from the remote site.

To enable them, go to SYSTEM > Administration > Device Access.

Tick HTTPS and Ping/Ping6 in the VPN zone row and click Apply. Enable only what you need: HTTPS exposes the admin console to every host that can reach the tunnel.

5.3.Palo Alto Firewall

5.3.1.Create Zone

We need to create zones for VPN connections.

To create go to Network > Zones.

Click Add and create according to the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3.2.Create Address Object

We will create the Address Object for the 2 LAN subnets of Palo Alto and Sophos devices.

To create go to Object > Addresses.

Click Add and create according to the following parameters.

Palo Alto LAN:

  • Name: PA_LAN
  • Type: IP Netmask – 172.16.16.0/24
  • Click OK.

Sophos Firewall 2 LAN:

  • Name: SF2_LAN.
  • Type: IP Netmask – 10.146.41.0/24.
  • Click OK.

5.3.3.Create Interface Tunnel

To create go to Network > Interface > Tunnel.

Click Add and create according to the following information:

  • Interface Name: tunnel.2
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK.

5.3.4.Create Virtual Routers

To create Virtual Routers go to Network > Virtual Routers > click Add and configure according to the following information.

Tab Router Settings:

  • Name: VR1
  • Tab General: under Interfaces, click Add and select ethernet1/2 (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel interface for the VPN).

Tab Static Routes > IPv4:

Click Add to add static routes and fill in the following information:

  • Name: Route-1
  • Destination: SF2_LAN
  • Interface: tunnel.2
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.

5.3.5.Create IKE Crypto

We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection. Its values must match the Phase 1 values of the Sophos IPSec policy.

To create, go to Network > IKE Crypto click Add and create according to the following information:

  • Name: IKE_Crypto_Phrase1
  • DH Group: group2
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5400
  • Click OK

Click Commit and OK to save the configuration changes.

5.3.6.Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: IPSec_Crypto_Phrase2
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3.7.Create IKE Gateways

To create it go to Network > IKE Gateways and click Add.

Configure according to the following parameters.

Tab General:

  • Name: IKE_Gateway
  • Version: IKEv2 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (Palo Alto’s WAN port)
  • Local IP Address: None
  • Peer Address: enter Sophos Firewall 1's WAN IP, 192.168.2.111 (the NAT address the DNAT rule listens on).
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password (this password must be the same as the one set on Sophos)
  • Confirm Pre-shared key: re-enter the connection password.
  • Local Identification: select IP address – enter 192.168.2.115.
  • Peer Identification: select IP address and enter Sophos Firewall 2's WAN IP, 10.145.41.50 (the Local ID configured on Sophos Firewall 2; the peer address and the peer identity intentionally differ because of the NAT).

Tab Advanced Options:

  • IKE Crypto Profile: select IKE_Crypto_Phrase1
  • Click OK.

Click Commit and OK to save the configuration changes.

5.3.8.Create IPSec Tunnels

Now we will start creating a VPN connection with the Sophos Firewall device.

To create it go to Network > IPSec Tunnels and click Add.

Create with the following information.

Tab General:

  • Name: VPN_PA_TO_SOPHOS
  • Tunnel Interface: tunnel.2
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: IKE_Gateway
  • IPSec Crypto Profile: IPSec_Crypto_Phrase2

Tab Proxy IDs:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 172.16.16.0/24
  • Remote: 10.146.41.0/24
  • Protocol: Any
  • Click OK 2 times.

Click Commit and OK to save the configuration changes.
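Sections 5.2.2, 5.2.3, 5.3.5, 5.3.6, 5.3.7 and 5.3.8 together define the two halves of one tunnel, and most failures in a NATed setup come from one value not mirroring the other side: a proposal typed differently, Peer Identification set to the NAT address instead of the Sophos Local ID, or a DNAT that forwards only UDP 500. The following script is an added example, not a Sophos or Palo Alto tool; it models both peers with the values from this article (the Peer/Proposal model, the name normalisation tables and the check logic are this example's own assumptions) and reports what would keep the tunnel down versus what is merely weak.

```python
"""Cross-check a Sophos <-> Palo Alto IKEv2 site-to-site tunnel whose Sophos peer
sits behind NAT.  Added example: the values are the article's; the Peer/Proposal
model and the checks are this example's own assumptions, not a vendor tool."""
from dataclasses import dataclass, replace
import ipaddress

# Vendor spellings mapped to one canonical name so both sides can be compared.
ENC = {"aes256": "aes-256-cbc", "aes-256-cbc": "aes-256-cbc",
       "aes128": "aes-128-cbc", "aes-128-cbc": "aes-128-cbc"}
AUTH = {"sha2 256": "sha256", "sha256": "sha256"}
DH = {"2 (dh1024)": "group2", "group2": "group2", "14 (dh2048)": "group14",
      "group14": "group14", "none": "no-pfs", "no-pfs": "no-pfs"}
WEAK_DH = {"group1", "group2", "group5"}                 # MODP of 1536 bits or less
NAT_T_PORTS = frozenset({("udp", 500), ("udp", 4500)})  # IKE, then ESP-in-UDP (NAT-T)


def canon(table, value):
    return table[value.strip().lower()]      # KeyError means an unknown algorithm name


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: str
    lifetime: int                            # seconds

    def canonical(self):
        return (canon(ENC, self.encryption), canon(AUTH, self.integrity),
                canon(DH, self.dh_group), self.lifetime)


@dataclass(frozen=True)
class Peer:
    name: str
    public_address: str                      # where the other side must send IKE
    ike_id: str                              # identity this side presents (IP type)
    peer_address: str                        # where this side sends IKE
    peer_id: str                             # identity it expects from the other side
    local_subnets: tuple
    remote_subnets: tuple
    ike: Proposal                            # phase 1
    esp: Proposal                            # phase 2
    initiator: bool                          # False == Sophos "Respond only"
    behind_nat: bool = False
    forwarded_ports: frozenset = frozenset() # (proto, port) pairs DNATed to this peer


def nets(subnets):
    return {ipaddress.ip_network(s) for s in subnets}


def check_tunnel(a, b):
    """Return (errors, warnings): errors keep the tunnel down, warnings are hardening advice."""
    errors, warnings = [], []
    for phase in ("ike", "esp"):
        pa, pb = getattr(a, phase).canonical(), getattr(b, phase).canonical()
        if pa[:3] != pb[:3]:
            errors.append(f"{phase}: proposals differ, {pa[:3]} vs {pb[:3]}")
        if pa[3] != pb[3]:
            warnings.append(f"{phase}: lifetimes differ ({pa[3]}s vs {pb[3]}s); "
                            "the side with the shorter one rekeys first")
    ike_dh = canon(DH, a.ike.dh_group)
    if ike_dh in WEAK_DH:
        warnings.append(f"ike: {ike_dh} is a weak MODP group; use group14 or higher on both sides")
    if canon(DH, a.esp.dh_group) == "no-pfs":
        warnings.append("esp: PFS disabled; compromising the IKE SA keys exposes every child SA")
    for x, y in ((a, b), (b, a)):
        if x.peer_address != y.public_address:
            errors.append(f"{x.name} sends IKE to {x.peer_address}, but {y.name} "
                          f"is reached at {y.public_address}")
        if x.peer_id != y.ike_id:
            errors.append(f"{x.name} expects peer identity {x.peer_id}, but {y.name} "
                          f"presents {y.ike_id}")
        if nets(x.local_subnets) != nets(y.remote_subnets):
            errors.append(f"{x.name} local subnets do not mirror {y.name} remote subnets")
        if x.behind_nat and not x.initiator and NAT_T_PORTS - x.forwarded_ports:
            errors.append(f"{x.name} is a NATed responder, but udp/500 and udp/4500 "
                          "are not both forwarded to it")
    if not (a.initiator or b.initiator):
        errors.append("both sides are respond-only, so nothing brings the tunnel up")
    return errors, warnings


# The article's two peers.  Sophos Firewall 2 is reached through the DNAT on
# Sophos Firewall 1 (192.168.2.111) but identifies itself as 10.145.41.50.
SOPHOS_FW2 = Peer("Sophos Firewall 2", "192.168.2.111", "10.145.41.50",
                  "192.168.2.115", "192.168.2.115",
                  ("10.146.41.0/24",), ("172.16.16.0/24",),
                  Proposal("AES256", "SHA2 256", "2 (DH1024)", 5400),
                  Proposal("AES128", "SHA2 256", "None", 3600),
                  initiator=False, behind_nat=True, forwarded_ports=NAT_T_PORTS)
PALO_ALTO = Peer("Palo Alto", "192.168.2.115", "192.168.2.115",
                 "192.168.2.111", "10.145.41.50",
                 ("172.16.16.0/24",), ("10.146.41.0/24",),
                 Proposal("aes-256-cbc", "sha256", "group2", 5400),
                 Proposal("aes-128-cbc", "sha256", "no-pfs", 3600),
                 initiator=True)


def article_result():
    # The configuration as written: no errors, two hardening warnings.
    return check_tunnel(SOPHOS_FW2, PALO_ALTO)


def wrong_peer_id_result():
    # Common slip: Peer Identification set to the NAT address instead of the Sophos Local ID.
    return check_tunnel(SOPHOS_FW2, replace(PALO_ALTO, peer_id="192.168.2.111"))
```

Run `article_result()` to see the two warnings this article's settings earn (DH group 2 and no PFS) and `wrong_peer_id_result()` to see the single error that the NAT-address mistake produces; the identity check is the one that distinguishes this topology from an ordinary site-to-site tunnel, because the address the Palo Alto sends to and the identity it must expect are deliberately different values.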

5.3.9.Create Policy

We need to create policies that allow traffic from Palo Alto's LAN subnet to reach Sophos Firewall 2's LAN subnet and vice versa.

To create a policy go to Policies > Security and click Add.

Create a policy that allows traffic from Palo Alto's LAN subnet to Sophos Firewall 2's LAN subnet with the following information:

Tab General:

  • Name: LAN_TO_VPN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select Trust-Layer3 (This is the zone of the LAN layer)
  • Source Address: Click Add and select PA_LAN (PA_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: SF2_LAN (the Address Object created earlier)

Tab Action:

  • Action: select Allow.
  • Click OK.

Next, click Add and create a policy that allows traffic from Sophos Firewall 2's LAN subnet to Palo Alto's LAN subnet with the following information:

Tab General:

  • Name: VPN_TO_LAN
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: press Add and select VPN
  • Source Address: Click Add and select SF2_LAN (SF2_LAN is the Address Object we created earlier)

Tab Destination:

  • Destination Zone: Trust-Layer3 (Zone of the LAN layer)
  • Destination Address: PA_LAN (the Address Object created earlier)

Tab Action:

  • Action: select Allow.
  • Click OK.

Click Commit and OK to save the configuration changes.

5.4.Result.

On the Palo Alto device, after creating the IPSec tunnel, the connection is listed as shown below.

In the Status column the tunnel interface icon is green, which means tunnel.2 is administratively up; it does not yet say anything about the IKE or IPSec security associations.

To bring the tunnel up, go to Sophos Firewall 2 > CONFIGURE > VPN > IPSec connections.

The circle icon in the Connection column of the IPSec connection created earlier is red, meaning no tunnel has been established with the Palo Alto firewall yet.

To connect, click the circle icon in the Connection column and click Yes.

The circle icon turns green, which means the IPSec VPN connection between the two devices is established.

On the Palo Alto firewall, the two circle icons in the Status columns (the IKE and IPSec security associations) also turn green.

To test communication between the two LANs, techbast uses one computer at each site and pings across the tunnel in both directions.

At the Head Office site techbast has prepared a server with IP 10.146.41.10/24 and at the Branch Office site has prepared a Windows 10 machine with IP 172.16.16.50/24.

Ping result from IP server 10.146.41.10/24 to Windows 10 machine.

Successful ping result.

Ping result from Windows 10 machine IP 172.16.16.50 to server.

Successful ping result.
