How to configure IPsec VPN Site to site between two Sophos Firewall devices using SD-WAN VPN Orchestration

1. The purpose of the article.

This article will show you how to configure IPsec VPN Site to site between two Sophos Firewall devices using the SD-WAN VPN Orchestration feature.

2. What is SD-WAN VPN Orchestration?

SD-WAN VPN Orchestration is a new feature of Sophos Central that lets administrators manage IPsec VPN connections easily from Sophos Central. The feature automatically configures the tunnels and the access rules between two or more firewalls, saving administrators time.

3. Diagram.

Sophos Firewall 1 (SF1)

  • The device has an internet line named ISP 1 with IP 172.16.16.56 configured on Port 2.
  • The LAN subnet is configured on Port 1 with IP 10.145.41.1/24, and DHCP is configured to allocate addresses to connected devices.

Sophos Firewall 2 (SF2)

  • The device has an internet line with IP 172.16.16.57 configured on Port 2.
  • The LAN subnet is configured on Port 1 with IP 10.146.41.1/24, and DHCP is configured to allocate addresses to connected devices.

3. Scenario

Based on the diagram above, we will configure an IPsec VPN site-to-site connection between the Sophos Firewall 1 device at the Head Office site and the Sophos Firewall 2 device at the Branch Office site from Sophos Central, using the SD-WAN VPN Orchestration feature, so that the LAN networks of the two sites can communicate with each other.

Note: to be able to configure this, the following conditions must be met.

  • Sophos Firewall runs SFOS v18.5 MR1 or higher.
  • Sophos Firewall is managed by Sophos Central.
  • Sophos Firewall must have a Central Orchestration license.

4. What to do?

  • Register Sophos Firewall 1 and Sophos Firewall 2 devices to Sophos Central.
  • Perform IPsec VPN configuration using SD-WAN VPN Orchestration.

5. Configuration

5.1. Register Sophos Firewall 1 and Sophos Firewall 2 devices to Sophos Central

In order to configure IPsec VPN with SD-WAN VPN Orchestration on Sophos Central, we first need to register the two firewall devices SF1 and SF2 with Sophos Central for management.

Because Sophos Central identifies a Sophos Firewall by its Serial Number, we will check this parameter on each device.

To check it, we access the admin pages of both firewall devices.

Go to Administration > Licensing; in the Model section we will see the device's Serial Number in parentheses.

Serial Number of Sophos Firewall 1 is: C01001BP7PRTK9D

Serial Number of Sophos Firewall 2 is: C01001T32PQVGEF

Next we will register both Sophos Firewall devices with Sophos Central.

To register Sophos Firewall 1, on its administrative interface go to SYSTEM > Sophos Central and click Register.

The Register firewall with Sophos Central dialog appears; we enter the Sophos Central account and password and click Register.

After successful registration, we need to turn on Sophos Central services: click the toggle switch next to Sophos Central services.

The Sophos Central services panel appears; we select the parameters as shown below and click Apply.

After enabling Sophos Central services, we log in to Sophos Central with an account that has admin rights.

Go to Firewall Management > Firewalls; we will see that the Sophos Firewall 1 device with Serial Number C01001BP7PRTK9D is displayed in Sophos Central and is in the Approval Pending state.

We click Approval Pending and select Accept services to complete the registration.

After clicking Accept services, the SYNC & MANAGEMENT column shows a green checkmark and the Connected status, indicating that the registration was successful.

Similarly, we perform the same steps to register Sophos Firewall 2 with Sophos Central, as shown in the following pictures.

Sophos Firewall 2 device with Serial Number C01001T32PQVGEF has been successfully registered to Sophos Central.

5.2. Perform IPsec VPN configuration using SD-WAN VPN Orchestration

To configure this in Sophos Central, go to Firewall Management > SD-WAN Connection Groups and click Create Connection Group.

We configure the following parameters:

  • Connection group name: IPSEC_VPN_SF1_TO_SF2.
  • Available Firewalls: select the two serial numbers of SF1 and SF2, then press the ‘>’ button.
  • Assigned Firewalls: after pressing the ‘>’ button, the two serial numbers of SF1 and SF2 move to this table.
  • Click Next.

Under Share Resources we declare the hosts/subnets that we want to share through the IPsec VPN connection.

To configure, click Add Resource.

When the Add Resources panel appears, configure the shared subnet of Sophos Firewall 1 with the following information:

  • Firewall: select the serial number of Sophos Firewall 1, C01001BP7PRTK9D.
  • Share Resources: enter the subnet of Sophos Firewall 1, 10.145.41.0/24.
  • Service: select Any.
  • Automatically: select this option to automatically create a policy that allows IPsec VPN traffic between the two devices.
  • Click Save.

Similarly, configure the shared subnet of Sophos Firewall 2 with the following information:

  • Firewall: select the serial number of Sophos Firewall 2, C01001T32PQVGEF.
  • Share Resources: enter the subnet of Sophos Firewall 2, 10.146.41.0/24.
  • Service: select Any.
  • Automatically: select this option to automatically create a policy that allows IPsec VPN traffic between the two devices.
  • Click Save.

We have finished configuring Share Resources; click Next.

Next is the Configure networks and routes section, where we declare the Local networks (LAN ports) of both firewall devices.

To declare them, click Details/Edit next to the serial number of Sophos Firewall 2.

Select the following information:

  • Interface name: select Port 1.
  • Primary WAN link: select Port2 – 172.16.16.53.
  • Secondary WAN link: if we want to configure failover for the IPsec VPN line, we can choose a second WAN line; in this case, leave it blank.
  • Click Save.

Similarly, click Details/Edit next to the serial number of Sophos Firewall 1 and configure the following:

  • Interface name: select Port 1.
  • Primary WAN link: select Port2 – 172.16.16.193.
  • Secondary WAN link: if we want to configure failover for the IPsec VPN line, we can choose a second WAN line; in this case, leave it blank.
  • Click Save.

After declaring the Local networks, we will see that they have been updated; click Finish and Confirm to complete.
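Before clicking Finish, a pre-flight check of the values entered in the wizard catches the mistakes that leave the tunnel at Link down or make the auto-created rules useless: a malformed subnet (a comma typed instead of a dot), shared subnets that overlap between sites, a LAN gateway outside its own shared subnet, or two sites selecting the same WAN address. This Python check is an added example, not part of the article or of Sophos Central; the SiteSpec fields and the sample values are constructed from the article's diagram.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SiteSpec:
    """One firewall's entries in the connection group wizard (values as typed into Sophos Central)."""
    serial: str                          # Assigned Firewalls / Firewall field
    shared_subnet: str                   # Share Resources field
    lan_gateway: str                     # address of the local interface (Port 1)
    primary_wan: str                     # Primary WAN link address
    secondary_wan: Optional[str] = None  # Secondary WAN link; left blank in this article

def validate_group(sites: List[SiteSpec]) -> List[str]:
    """Return human-readable problems; an empty list means the entries are consistent."""
    problems: List[str] = []
    parsed = []
    for s in sites:
        try:
            net = ipaddress.ip_network(s.shared_subnet, strict=True)
            gw = ipaddress.ip_address(s.lan_gateway)
            wan = ipaddress.ip_address(s.primary_wan)
        except ValueError as e:
            problems.append(f"{s.serial}: malformed address field ({e})")
            continue
        if gw not in net:
            problems.append(f"{s.serial}: LAN gateway {gw} is not inside shared subnet {net}")
        if wan in net:
            problems.append(f"{s.serial}: WAN address {wan} lies inside the shared subnet {net}")
        parsed.append((s.serial, net, wan))
    # Pairwise checks: shared subnets must not overlap and tunnel endpoints must differ.
    for i in range(len(parsed)):
        for j in range(i + 1, len(parsed)):
            (sa, na, wa), (sb, nb, wb) = parsed[i], parsed[j]
            if na.overlaps(nb):
                problems.append(f"{sa}/{sb}: shared subnets {na} and {nb} overlap")
            if wa == wb:
                problems.append(f"{sa}/{sb}: both use primary WAN address {wa}")
    return problems

# Constructed sample using the article's diagram values (serials, LAN and WAN addresses).
ARTICLE_SITES = [
    SiteSpec("C01001BP7PRTK9D", "10.145.41.0/24", "10.145.41.1", "172.16.16.56"),
    SiteSpec("C01001T32PQVGEF", "10.146.41.0/24", "10.146.41.1", "172.16.16.57"),
]

if __name__ == "__main__":
    for line in validate_group(ARTICLE_SITES) or ["OK: no problems found"]:
        print(line)
```

With more than two firewalls in the group, the pairwise loop checks every site against every other, which is what a multi-site connection group needs.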

Now we will see that the Status of the IPsec VPN connection between the two devices is Link down, which means the connection has not yet been established.

The reason is that Sophos Central is still pushing the configuration down to the Sophos Firewall 1 and Sophos Firewall 2 devices using APIs.

To monitor this process, go to the Tasks Queue, where we will see that the configuration push is in progress.

We can check in full what configuration Sophos Central has pushed down by clicking IN PROGRESS.

A series of detailed configuration items that Sophos Central is pushing down to the Sophos Firewall will appear as follows.

After the configuration push succeeds, the SUCCESS status appears.

Going back to SD-WAN Connection Groups, we see that the status of the IPsec VPN connection between the two devices has changed to Good, meaning the connection is up.

We can log into the admin interface of the two Sophos Firewall devices and see that all of the configuration has been created automatically.

Configuration automatically generated on Sophos Firewall 1.

Profiles automatically created on Sophos Firewall 2.

To confirm that the VPN connection works, we use two computers on the LANs of the two devices and ping each other.

The ping from a computer in Sophos Firewall 1’s LAN with IP 10.145.41.100 to a computer in Sophos Firewall 2’s LAN with IP 10.146.41.101 succeeds.

And the reverse ping also succeeds.
