Sophos Firewall: How to fix the error where users cannot be synced from AD over an IPSec Site-to-Site VPN connection

1. The purpose of the article

In this article, Techbast will show you how to fix the error that prevents syncing users from AD over an IPSec Site-to-Site VPN connection on the Sophos Firewall device.

Techbast will guide you through fixing this error in both cases: IPSec Policy-Based VPN and IPSec Route-Based VPN.

2. IPSec Policy-Based VPN

2.1. Diagram

Details:

Sophos Firewall 1:

  • The Sophos Firewall 1 device is connected to the internet on Port 2 and has the static IP 192.168.15.201.
  • The LAN subnet is set up on Port 1 with IP 10.145.41.1/24 and DHCP configured.
  • Finally, the AD Server in the LAN has IP 10.145.41.11/24.

Sophos Firewall 2:

  • The Sophos Firewall 2 device is connected to the internet on Port 2 and has the static IP 192.168.15.210.
  • The LAN subnet is set up on Port 1 with IP 172.16.16.16/24 and DHCP configured.

Techbast has also established an IPSec Policy-Based VPN connection between the Sophos Firewall 1 and Sophos Firewall 2 devices.

You can see the instructions for configuring an IPSec Policy-Based VPN here.

2.2. Scenario

In this model, an error occurs when the Sophos Firewall 2 device tries to synchronize users from the AD Server at the Head Office through the established IPSec Policy-Based VPN connection.

Techbast will show you how to fix this error so that the Sophos Firewall 2 device can synchronize users from the AD Server at the Head Office through the VPN connection.

2.3. Configuration

To fix this, we need to create an IPsec route and a source NAT rule on the Sophos Firewall 2 device.

To configure them, we need to go to the command line interface of Sophos Firewall 2.

To open it, left-click the admin account > click Console.

A new tab appears; log in with the admin account.

After logging in, press 4 and then Enter to enter the Device Console.

Then create the IPsec route with the following command:

system ipsec_route add host <IP of AD Server> tunnelname <Name of tunnel VPN>

The command to use in this case is:

system ipsec_route add host 10.145.41.11 tunnelname SF2_to_SF1

Then use the command system ipsec_route show to check that the IPsec route has been created.

Next, create the source NAT. Still in the Device Console, run the following command:

set advanced-firewall sys-traffic-nat add destination <IP of AD Server> snatip <IP LAN of Sophos Firewall 2>

The command to use in this case is:

set advanced-firewall sys-traffic-nat add destination 10.145.41.11 snatip 172.16.16.16

After the configuration is complete, you can use the show advanced-firewall command to check whether the source NAT rule has been created.

After running the above two commands, perform the authentication again.

As you can see, we can now sync users from the AD located at the Head Office.

3. IPSec Route-Based VPN

3.1. Diagram

Details:

Sophos Firewall 1:

  • The Sophos Firewall 1 device is connected to the internet on Port 2 and has the static IP 192.168.15.201.
  • The LAN subnet is set up on Port 1 with IP 10.145.41.1/24 and DHCP configured.
  • Finally, the AD Server in the LAN has IP 10.145.41.11/24.

Sophos Firewall 2:

  • The Sophos Firewall 2 device is connected to the internet on Port 2 and has the static IP 192.168.15.210.
  • The LAN subnet is set up on Port 1 with IP 172.16.16.16/24 and DHCP configured.

Techbast has also established an IPSec Route-Based VPN connection between the Sophos Firewall 1 and Sophos Firewall 2 devices.

When an IPSec VPN is set up in Route-Based mode, there is a VPN tunnel between the two devices, and each end of the tunnel is a virtual gateway interface named xfrm1.

At Sophos Firewall 1 there is port xfrm1 with IP 1.1.1.1/24, and at Sophos Firewall 2 there is port xfrm2 with IP 1.1.1.2/24.

Techbast has also configured routing of the network subnets so that the LAN subnets of the two sites can reach each other.

You can see the instructions for configuring an IPSec Route-Based VPN here.

3.2. Scenario

In this model, an error occurs when the Sophos Firewall 2 device tries to synchronize users from the AD Server at the Head Office through the established IPSec Route-Based VPN connection.

Techbast will guide you through fixing this error so that the Sophos Firewall 2 device can synchronize users from the AD Server at the Head Office through the VPN connection.

3.3. Configuration

To fix this, we need to create a source NAT rule on the Sophos Firewall 2 device.

To configure it, we need to go to the command line interface of Sophos Firewall 2.

To open it, left-click the admin account > click Console.

A new tab appears; log in with the admin account.

After logging in, press 4 and then Enter to enter the Device Console.

Create the source NAT with the following command:

set advanced-firewall sys-traffic-nat add destination <IP of AD Server> snatip <IP LAN of Sophos Firewall 2>

The command to use in this case is:

set advanced-firewall sys-traffic-nat add destination 10.145.41.11 snatip 172.16.16.16

After the configuration is complete, you can use the show advanced-firewall command to check whether the source NAT rule has been created.

After running the above command, perform the authentication again.

As you can see, we can now sync users from the AD located at the Head Office.
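The two procedures above (section 2.3 for the Policy-Based tunnel, section 3.3 for the Route-Based tunnel) differ only in whether the ipsec_route command is needed. The following Python script is an added example, not Techbast's or Sophos's code: it takes the addresses from the diagram, sanity-checks them, and prints the exact Device Console commands for either mode, plus the show commands used to verify them. The names BranchSite, validate, console_commands and verify_commands are hypothetical, and the reasoning encoded in validate (the snatip must sit inside the firewall's own LAN subnet, because that is the subnet the tunnel carries, while the AD server must be on the remote side) is the author's understanding of why the source NAT is required.

```python
# Added example (not Techbast's or Sophos's code): a pre-flight generator for the
# Sophos Firewall 2 console commands described in this article. It encodes the
# decision from sections 2.3 and 3.3 (policy-based tunnel: ipsec_route + SNAT;
# route-based tunnel: SNAT only) and sanity-checks the addresses before anything
# is typed into the Device Console. Class and function names are hypothetical.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BranchSite:
    """Addresses of the firewall that needs the fix (Sophos Firewall 2 here)."""
    lan_cidr: str                      # LAN subnet on Port 1, e.g. "172.16.16.16/24"
    lan_ip: str                        # the firewall's own LAN address, used as snatip
    ad_server: str                     # AD server across the tunnel (Head Office LAN)
    tunnel_name: Optional[str] = None  # IPsec connection name, policy-based mode only


def validate(site: BranchSite, mode: str) -> List[str]:
    """Return a list of problems; an empty list means the parameters are consistent.

    Assumption behind the checks: the SNAT rewrites the firewall's own
    (system-generated) AD query so that its source is the LAN address, which
    lies inside the tunnel's local subnet and is therefore sent through the VPN
    instead of leaving via the WAN interface. So snatip must be inside the local
    LAN, and the AD server must not be (it lives on the remote side).
    """
    if mode not in ("policy", "route"):
        return [f"unknown mode {mode!r}: expected 'policy' or 'route'"]
    try:
        lan = ipaddress.ip_network(site.lan_cidr, strict=False)
        lan_ip = ipaddress.ip_address(site.lan_ip)
        ad = ipaddress.ip_address(site.ad_server)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    problems = []
    if lan_ip not in lan:
        problems.append(f"snatip {lan_ip} is not inside the local LAN {lan}")
    if ad in lan:
        problems.append(f"AD server {ad} is inside the local LAN; it must be across the tunnel")
    if mode == "policy" and not site.tunnel_name:
        problems.append("policy-based mode needs the IPsec tunnel name for ipsec_route")
    return problems


def console_commands(site: BranchSite, mode: str) -> List[str]:
    """Commands to run in the Device Console (menu option 4), in order."""
    problems = validate(site, mode)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    if mode == "policy":
        # Policy-based tunnel: first force the AD host into the tunnel (section 2.3).
        cmds.append(f"system ipsec_route add host {site.ad_server} tunnelname {site.tunnel_name}")
    # Both modes: rewrite the source of traffic to the AD server to the LAN IP.
    cmds.append(f"set advanced-firewall sys-traffic-nat add destination {site.ad_server} snatip {site.lan_ip}")
    return cmds


def verify_commands(mode: str) -> List[str]:
    """The show commands the article uses to confirm the objects were created."""
    cmds = ["system ipsec_route show"] if mode == "policy" else []
    cmds.append("show advanced-firewall")
    return cmds


if __name__ == "__main__":
    # Values taken from the article's diagram (Sophos Firewall 2 side).
    sf2 = BranchSite("172.16.16.16/24", "172.16.16.16", "10.145.41.11", "SF2_to_SF1")
    for vpn_mode in ("policy", "route"):
        print(f"# {vpn_mode}-based VPN")
        for cmd in console_commands(sf2, vpn_mode) + verify_commands(vpn_mode):
            print(cmd)
```

Running the script prints the same two commands shown in section 2.3 for the policy-based case and only the sys-traffic-nat command for the route-based case; passing a WAN address such as 192.168.15.210 as the snatip is rejected before any command is produced, which is the mistake the subnet check is there to catch.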
