How to configure IPSec VPN between two Sophos devices when both devices are behind another Sophos device

1.The purpose of the article

In this article techbast will show you how to configure IPSec VPN Site to site between two Sophos Firewall devices when both devices are behind another Sophos Firewall device.

2.Diagram

Details:

Head Office:

  • At the head office site we have an external and internal firewall model with 2 devices: Sophos Firewall 1 is the external firewall and Sophos Firewall 2 is the internal firewall.
  • The internet connection is connected at Port 2 of the Sophos Firewall 1 device with IP 10.150.30.106.
  • The LAN network of the Sophos Firewall 1 device is configured at Port 1 with IP 192.168.20.1/24 and has DHCP configured to allocate addresses to devices connected to it.
  • Sophos Firewall 2's WAN port is Port 2, which is connected to Port 1 of Sophos Firewall 1; Port 2 on Sophos Firewall 2 is set to the static IP 192.168.20.100/24.
  • Sophos Firewall 2's LAN is configured at Port 1 with IP 10.146.41.1/24 and has DHCP configured.

Branch office:

  • At the branch office site we also have an external and internal firewall model with 2 devices: Sophos Firewall 3 is the external firewall and Sophos Firewall 4 is the internal firewall.
  • The internet connection is connected at Port 2 of the Sophos Firewall 3 device with IP 10.150.30.125.
  • The LAN network of the Sophos Firewall 3 device is configured at Port 1 with IP 192.168.10.1/24 and has DHCP configured to allocate addresses to devices connected to it.
  • Sophos Firewall 4's WAN port is Port 2, which is connected to Port 1 of Sophos Firewall 3; Port 2 on Sophos Firewall 4 is set to the static IP 192.168.10.100/24.
  • Sophos Firewall 4's LAN is configured at Port 1 with IP 172.16.16.16/24 and has DHCP configured.

3.Scenario

Based on the above diagram, we will configure IPSec VPN Site to site between the Sophos Firewall 2 device at the Head Office site and the Sophos Firewall 4 device at the Branch Office site so that both LANs of the two sites can communicate with each other.

4.What to do

Sophos Firewall 1:

  • Create profile for IPSec service.
  • Create Profile for IP WAN of Sophos Firewall 2.
  • Implement NAT of Sophos Firewall 2's WAN IP with the IPSec service to the internet.

Sophos Firewall 2:

  • Create profiles for Local and Remote subnet.
  • Create IPSec connection.
  • Create a policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Sophos Firewall 3:

  • Create profile for IPSec service.
  • Create Profile for IP WAN of Sophos Firewall 4.
  • Implement NAT of Sophos Firewall 4's WAN IP with the IPSec service to the internet.

Sophos Firewall 4:

  • Create profiles for Local and Remote subnet.
  • Create IPSec connection.
  • Create a policy to allow traffic between 2 zones LAN and VPN.
  • Enable PING and HTTPS services on VPN zone.

Check the results.

5.Configuration.

5.1.Sophos Firewall 1.

5.1.1.Create profile for IPSec service

The IPSec VPN Site to site connection will use the UDP 500 and UDP 4500 ports.

We need to create profiles for these two services.

To create, go to SYSTEM > Hosts and services > Services > click Add.

Create with the following parameters:

  • Name*: IPSec S2S VPN
  • Type*: select TCP/UDP.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 500.
  • Press the + icon to add 1 row.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 4500.
  • Click Save.

5.1.2.Create profile for IP WAN of Sophos Firewall 2.

To create go to SYSTEM > Hosts and services > IP Host > Click Add.

Create with the following information:

  • Name *: Sophos Firewall 2.
  • IP version *: select IPv4.
  • Type *: select IP.
  • IP address *: Enter Sophos Firewall 2’s WAN IP as 192.168.20.100.
  • Click OK.

5.1.3.Implement NAT of Sophos Firewall 2's WAN IP with the IPSec service to the internet.

To configure the NAT, go to PROTECT > Rules and policies > Add firewall rule > Server access assistant [DNAT].

After clicking on Server access assistant [DNAT] a configuration panel pops up.

In the Internal server IP address we tick Select IP host and select Sophos Firewall 2 – 192.168.20.100 from the drop-down list.

Click Next.

In Public IP address check Select public IP address or WAN interface and select #Port 2 – 10.150.30.106 from the drop-down list.

Click Next.

In Service, click Add new item and select IPSec S2S VPN profile.

Click Next.

In External source networks or devices, keep the Any option and click Next.

The last step is to review the previously selected options; if they are correct, click Save and finish to complete.

5.2.Sophos Firewall 2

5.2.1.Create profile for Local and Remote subnet

We will create profiles for the Local and Remote subnet.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Local subnet with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.146.41.0 Subnet /24[255.255.255.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:

  • Name*: SF4_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.16.0 Subnet /24[255.255.255.0].
  • Click Save.

5.2.2.Create IPSec connection

To create, go to CONFIGURE > VPN > IPSec connections > click Add.

In General, we configure with the following parameters:

  • Name: VPN_SF2_TO_SF4.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Respond only.
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select IKEv2.
  • Authentication type: select Preshared key.
  • Preshared key: enter the connection password.
  • Repeat preshared key: re-enter the connection password.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 192.168.20.100.
  • Local ID type: select IP address.
  • Local ID: type 192.168.20.100.
  • Local subnet: select profile SF2_LAN.

Remote Gateway:

  • Gateway address: Enter Sophos Firewall 3’s WAN IP as 10.150.30.125.
  • Remote ID type: select IP address.
  • Remote ID: type 192.168.10.100.
  • Remote subnet: select profile SF4_LAN.

Click Save.

After clicking Save, the IPSec connection will be created as shown below.

However, this connection is still not enabled; to turn it on, click the circle icon in the Active column and click OK.

Now the circle icon in the Active column turns green, which means that the connection has been successfully turned on.

5.2.3.Create a policy to allow traffic between 2 zones LAN and VPN.

By default, the firewall will block all traffic between zones.

So we need to create a policy to allow traffic between the LAN and VPN zones.

To create, go to PROTECT > Rules and policies > Add firewall rule and create a policy as shown below.

Click Save.

5.2.4.Enable PING and HTTPS services in the VPN zone.

By default, the VPN zone will turn off all services.

To enable go to SYSTEM > Administration > Device Access.

Select the HTTPS and Ping/Ping6 services in the VPN zone row and click Apply to save.

5.3.Sophos Firewall 3.

5.3.1.Create profile for IPSec service

The IPSec VPN Site to site connection will use the UDP 500 and UDP 4500 ports.

We need to create profiles for these two services.

To create, go to SYSTEM > Hosts and services > Services > click Add.

Create with the following parameters:

  • Name*: IPSec S2S VPN
  • Type*: select TCP/UDP.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 500.
  • Press the + icon to add 1 row.
  • Protocol: select UDP.
  • Source port: 1:65535.
  • Destination port: 4500.
  • Click Save.

5.3.2.Create profile for IP WAN of Sophos Firewall 4.

To create go to SYSTEM > Hosts and services > IP Host > Click Add.

Create with the following information:

  • Name*: Sophos Firewall 4.
  • IP version*: select IPv4.
  • Type*: select IP.
  • IP address*: Enter Sophos Firewall 4’s WAN IP as 192.168.10.100.
  • Click Save.

5.3.3.Implement NAT of Sophos Firewall 4's WAN IP with the IPSec service to the internet.

To configure the NAT, go to PROTECT > Rules and policies > Add firewall rule > Server access assistant [DNAT].

After clicking on Server access assistant [DNAT] a configuration panel pops up.

In the Internal server IP address we tick Select IP host and select Sophos Firewall 4 – 192.168.10.100 from the drop-down list.

Click Next.

In Public IP address check Select public IP address or WAN interface and select #Port 2 – 10.150.30.125 from the drop-down list.

Click Next.

In Service, click Add new item and select IPSec S2S VPN profile.

Click Next.

In External source networks or devices, keep the Any option and click Next.

The last step is to review the previously selected options; if they are correct, click Save and Finish to complete.

5.4.Sophos Firewall 4

5.4.1.Create profile for Local and Remote subnet

We will create profiles for the Local and Remote subnet.

To create, go to SYSTEM > Hosts and Services > IP Host > click Add.

Create a profile for the Remote subnet with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 10.146.41.0 Subnet /24[255.255.255.0]
  • Click Save.

Similar to the above steps, we will create a profile for the Local subnet according to the following parameters:

  • Name*: SF4_LAN.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.16.0 Subnet /24[255.255.255.0].
  • Click Save.

5.4.2.Create IPSec connection

To create, go to CONFIGURE > VPN > IPSec connections > click Add.

In General we configure with the following parameters:

  • Name: VPN_SF4_TO_SF2.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Initiate the connection.
  • Active on save: uncheck.
  • Create firewall rule: uncheck.

In Encryption we configure with the following parameters:

  • Policy: select IKEv2.
  • Authentication type: select Preshared key.
  • Preshared key: enter the connection password.
  • Repeat preshared key: re-enter the connection password.

In Gateway settings we configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 192.168.10.100.
  • Local ID type: select IP address.
  • Local ID: type 192.168.10.100.
  • Local subnet: select profile SF4_LAN.

Remote Gateway:

  • Gateway address: Enter Sophos Firewall 1’s WAN IP as 10.150.30.106.
  • Remote ID type: select IP address.
  • Remote ID: type 192.168.20.100.
  • Remote subnet: select profile SF2_LAN.

Click Save.

After clicking Save, the IPSec connection will be created as shown below.

However, this connection is still not enabled; to turn it on, click the circle icon in the Active column and click OK.

Now the circle icon in the Active column turns green, which means that the connection has been successfully turned on.

After successfully turning on the connection, the IPSec connection on Sophos Firewall 4 will automatically send a signal to Sophos Firewall 2 to establish an IPSec VPN Site to site connection between the two devices.

At this point, the circle icon in the Connection column turns green, indicating that an IPsec connection between the two devices has been established.

At Sophos Firewall 2, the circle icon in the Connection column will also turn green.
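Because both inner firewalls sit behind a NAT device, the settings of sections 5.2.2 and 5.4.2 must mirror each other exactly: each side's Gateway address is the peer's outer firewall public IP, while the Local/Remote IDs are the private WAN IPs, and the DNAT rules on Sophos Firewall 1 and 3 must forward UDP 500/4500 to those same WAN IPs. The script below is an added cross-check, not part of the original article; the data model and `check_pair` function are our own, and the values are the ones given on this page.

```python
from dataclasses import dataclass

# Constructed model of the article's topology (the field names are our own).
# Each inner firewall sits behind an outer firewall that DNATs IKE (UDP 500)
# and NAT-T (UDP 4500) from its public IP to the inner firewall's WAN IP.
@dataclass(frozen=True)
class Dnat:
    public_ip: str
    internal_ip: str
    udp_ports: frozenset = frozenset({500, 4500})

@dataclass(frozen=True)
class IpsecConn:
    name: str
    gateway_type: str      # "Respond only" or "Initiate the connection"
    listening_ip: str      # inner firewall's private WAN IP (Port2)
    local_id: str
    local_subnet: str
    gateway_address: str   # the peer's OUTER firewall public IP
    remote_id: str
    remote_subnet: str

def check_pair(a: IpsecConn, a_nat: Dnat, b: IpsecConn, b_nat: Dnat) -> list:
    """Return mismatches between the two peers; an empty list means consistent."""
    problems = []
    for side, peer, peer_nat in ((a, b, b_nat), (b, a, a_nat)):
        # The peer is reached through its outer firewall, not its private WAN IP.
        if side.gateway_address != peer_nat.public_ip:
            problems.append(f"{side.name}: gateway address {side.gateway_address} is not the peer's public IP {peer_nat.public_ip}")
        # Behind NAT the IKE identity is the private WAN IP typed explicitly, so my remote ID must equal the peer's local ID.
        if side.remote_id != peer.local_id:
            problems.append(f"{side.name}: remote ID {side.remote_id} != peer local ID {peer.local_id}")
        if side.remote_subnet != peer.local_subnet:
            problems.append(f"{side.name}: remote subnet {side.remote_subnet} != peer local subnet {peer.local_subnet}")
        # The DNAT must land on the interface the peer listens on, for both UDP ports.
        if peer_nat.internal_ip != peer.listening_ip:
            problems.append(f"{peer.name}: DNAT targets {peer_nat.internal_ip} but it listens on {peer.listening_ip}")
        if not {500, 4500} <= peer_nat.udp_ports:
            problems.append(f"{peer.name}: DNAT must forward UDP 500 and 4500, has {sorted(peer_nat.udp_ports)}")
    if {a.gateway_type, b.gateway_type} != {"Respond only", "Initiate the connection"}:
        problems.append("exactly one side must initiate and the other respond")
    return problems

# Values from the article: SF2/SF4 are the inner peers, SF1/SF3 perform the DNAT.
SF1_NAT = Dnat("10.150.30.106", "192.168.20.100")
SF3_NAT = Dnat("10.150.30.125", "192.168.10.100")
SF2 = IpsecConn("VPN_SF2_TO_SF4", "Respond only", "192.168.20.100", "192.168.20.100",
                "10.146.41.0/24", "10.150.30.125", "192.168.10.100", "172.16.16.0/24")
SF4 = IpsecConn("VPN_SF4_TO_SF2", "Initiate the connection", "192.168.10.100", "192.168.10.100",
                "172.16.16.0/24", "10.150.30.106", "192.168.20.100", "10.146.41.0/24")
```

`check_pair(SF2, SF1_NAT, SF4, SF3_NAT)` returns an empty list for the article's values; entering the public IP as a Remote ID, or forwarding only UDP 500 on the outer firewall, each produce one reported mismatch.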

5.4.3.Create a policy to allow traffic between 2 zones LAN and VPN.

By default, the firewall will block all traffic between zones.

So we need to create a policy to allow traffic between the LAN and VPN zones.

To create, go to PROTECT > Rules and policies > Add firewall rule and create a policy as shown below.

Click Save.

5.4.4.Enable PING and HTTPS services on VPN zone.

By default, the VPN zone will turn off all services.

To enable go to SYSTEM > Administration > Device Access.

Select the HTTPS and Ping/Ping6 services in the VPN zone row and click Apply to save.

5.5.Result.

Techbast will use 1 computer at each site to ping each other to check the results.

At the Head Office site techbast has prepared a Windows 10 computer with IP 10.146.41.100/24, and at the Branch Office site a Windows 10 computer with IP 172.16.16.17/24.

The ping results from the computer at the Head Office with IP 10.146.41.100/24 to the computer at the Branch Office with the IP 172.16.16.17.

Successful ping result.

The ping results from a computer at Branch Office with IP 172.16.16.17/24 to a computer at Head Office with IP 10.146.41.100/24.

Successful ping result.

So techbast has shown you how to configure IPSec VPN between two Sophos devices when these two devices are behind another Sophos device.

Thank you for reading the article, if you have any questions about the configuration, you can leave a comment below.
