Instructions for configuring an IPSec Site-to-Site VPN behind a router on Sophos Firewall version 19

Techbast will guide you through configuring an IPSec Site-to-Site VPN so that the head office and the branch are connected over VPN. The configuration is done on Sophos XGS with firmware version 19.

1 Diagram

We have 2 sites, Head Office and Branch Office, with the network model shown in the diagram above. We configure an IPSec Site-to-Site VPN to connect the LANs of the 2 sites.

2 Configuration steps:

Configuration On Router 1

  • Configure NAT for UDP ports 4500 and 500

Configuration on Sophos XGS 1

  • Configure IPSec connection
  • Configure Firewall Policy

Configuration On Router 2

  • Configure NAT for UDP ports 4500 and 500

Configuration on Sophos XGS 2

  • Configure IPSec connection
  • Configure Firewall Policy

3 Configure

3.1 Configuration On Router 1

We forward (NAT) UDP ports 500 (IKE) and 4500 (NAT-T) on Router 1 to the WAN IP of Sophos XGS 1.

3.2 Configuration On Sophos XGS 1

3.2.1 Create profiles for the Local and Remote subnets

To create one, go to SYSTEM > Hosts and services > IP Host > click Add.

Create with the following information:

  • Name *: HO subnet.
  • IP version *: select IPv4.
  • Type *: select IP.
  • IP address *: 172.16.16.0 Subnet /24[255.255.255.0]
  • Click Save.

Following the same steps, create a profile for the Remote subnet with the following parameters:

  • Name*: Branch subnet.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.20.0 Subnet /24[255.255.255.0]
  • Click Save.

3.2.2 Create IPSec connection

To create it, go to CONFIGURE > Site to site VPN > IPSec > click Add.

In General, configure the following parameters:

  • Name: HO_to_Branch.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Respond only.
  • Active on save: select.
  • Create firewall rule: select.

In Encryption, configure the following parameters:

  • Policy: select DefaultHeadOffice.
  • Authentication type: select Preshared key.
  • Preshared key: enter the connection password.
  • Repeat preshared key: re-enter the connection password.

In Gateway settings, configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 192.168.15.2.
  • Local ID type: select IP address.
  • Local ID: insert 192.168.15.2.
  • Local subnet: select profile HO subnet.

Remote Gateway:

  • Gateway address: enter the WAN IP of Router 2 at Branch.
  • Remote ID type: select IP address.
  • Remote ID: insert 192.168.1.8.
  • Remote subnet: select Branch subnet.

Click Save.

After clicking Save, the IPSec connection is created as shown below.

3.2.3 Create a policy to allow traffic between 2 zones LAN and VPN

Because Create firewall rule was selected when creating the IPSec connection above, a firewall rule for the VPN and LAN zones is created automatically to allow traffic in both directions between the 2 zones LAN and VPN.

To check, go to PROTECT > Rules and policies and find the policy named Site to Site IPsec HO_to_Branch.

3.2.4 Enable PING and HTTPS services on VPN zone

By default, all services are turned off for the VPN zone.

To enable them, go to SYSTEM > Administration > Device Access.

Tick the 2 services HTTPS and Ping/Ping6 in the VPN zone row and click Apply to save.

3.3 Configuration On Router 2

We forward (NAT) UDP ports 500 (IKE) and 4500 (NAT-T) on Router 2 to the WAN IP of Sophos XGS 2.

3.4 Configuration On Sophos XGS 2

3.4.1 Create profiles for the Local and Remote subnets

To create one, go to SYSTEM > Hosts and services > IP Host > click Add.

Create with the following information:

  • Name *: HO subnet.
  • IP version *: select IPv4.
  • Type *: select IP.
  • IP address *: 172.16.16.0 Subnet /24[255.255.255.0]
  • Click Save.

Following the same steps, create a profile for the Remote subnet with the following parameters:

  • Name*: Branch subnet.
  • IP version*: IPv4.
  • Type*: Network.
  • IP address*: 172.16.20.0 Subnet /24[255.255.255.0]
  • Click Save.

3.4.2 Create IPSec connection

To create it, go to CONFIGURE > Site to site VPN > IPSec > click Add.

In General, configure the following parameters:

  • Name: Branch_to_HO.
  • IP version: IPv4.
  • Connection type: Site-to-site.
  • Gateway type: Initiate the connection.
  • Active on save: select.
  • Create firewall rule: select.

In Encryption, configure the following parameters:

  • Policy: select DefaultHeadOffice.
  • Authentication type: select Preshared key.
  • Preshared key: enter the connection password (the same preshared key entered on Sophos XGS 1).
  • Repeat preshared key: re-enter the connection password.

In Gateway settings, configure the following parameters:

Local Gateway:

  • Listening interface: select Port2 – 192.168.1.8.
  • Local ID type: select IP address.
  • Local ID: insert 192.168.1.8.
  • Local subnet: select profile Branch subnet.

Remote Gateway:

  • Gateway address: enter the WAN IP of Router 1 at HO.
  • Remote ID type: select IP address.
  • Remote ID: insert 192.168.15.2.
  • Remote subnet: select HO subnet.

Click Save.

After clicking Save, the IPSec connection is created as shown below. The Connection indicator should be ticked green. If it is red, click the red button to initiate the connection to HO.
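Most failed site-to-site tunnels come from the two ends not mirroring each other (Local ID on one side not equal to Remote ID on the other, swapped or overlapping subnets, different preshared keys, or both sides set to respond only). The script below is an added example, not Sophos code or part of this guide: it encodes the parameters from 3.2.2 (HO) and 3.4.2 (Branch) in two dictionaries (the key names are our own shorthand for the General, Encryption and Gateway settings fields, and the preshared key is a placeholder) and reports every mismatch before you click Save on the second firewall.

```python
"""Cross-check that the two ends of a Sophos site-to-site IPsec connection
mirror each other.

Added example, not Sophos code. The dictionaries are constructed from the
parameters listed in this guide; the key names are our own shorthand for the
fields in the General, Encryption and Gateway settings panes."""
import ipaddress

# Constructed from 3.2.2 (Sophos XGS 1 at Head Office).
HO_SIDE = {
    "name": "HO_to_Branch",
    "gateway_type": "Respond only",
    "policy": "DefaultHeadOffice",
    "psk": "<placeholder-preshared-key>",   # placeholder, not a real key
    "local_id": "192.168.15.2",
    "local_subnet": "172.16.16.0/24",
    "remote_id": "192.168.1.8",
    "remote_subnet": "172.16.20.0/24",
}

# Constructed from 3.4.2 (Sophos XGS 2 at Branch Office).
BRANCH_SIDE = {
    "name": "Branch_to_HO",
    "gateway_type": "Initiate the connection",
    "policy": "DefaultHeadOffice",
    "psk": "<placeholder-preshared-key>",   # must equal the HO side's key
    "local_id": "192.168.1.8",
    "local_subnet": "172.16.20.0/24",
    "remote_id": "192.168.15.2",
    "remote_subnet": "172.16.16.0/24",
}


def _net(cidr):
    """Parse 'a.b.c.d/len' into a network; a bare host address is accepted too."""
    return ipaddress.ip_network(cidr, strict=False)


def check_pair(a, b):
    """Return a list of mismatches between two connection definitions.
    An empty list means the two sides are consistent mirrors of each other."""
    problems = []

    for x, y in ((a, b), (b, a)):
        # IKE identities must cross over: my Local ID is the peer's Remote ID.
        if x["local_id"] != y["remote_id"]:
            problems.append(f"{y['name']}: Remote ID {y['remote_id']} does not "
                            f"match {x['name']} Local ID {x['local_id']}")
        # Traffic selectors must cross over as well; compare as networks so
        # different spellings of the same subnet still agree.
        if _net(x["local_subnet"]) != _net(y["remote_subnet"]):
            problems.append(f"{y['name']}: Remote subnet {y['remote_subnet']} does "
                            f"not match {x['name']} Local subnet {x['local_subnet']}")

    # Both ends must use the same IPsec policy and the same preshared key.
    if a["policy"] != b["policy"]:
        problems.append("IPsec policy differs between the two sides")
    if a["psk"] != b["psk"]:
        problems.append("Preshared key differs between the two sides")

    # Exactly one side initiates and the other responds, as in this guide
    # ('Respond only' at HO, 'Initiate the connection' at Branch).
    if {a["gateway_type"], b["gateway_type"]} != {"Respond only", "Initiate the connection"}:
        problems.append("Gateway types must be one initiator and one responder")

    # The two LANs must not overlap, otherwise the tunnel route is ambiguous.
    if _net(a["local_subnet"]).overlaps(_net(b["local_subnet"])):
        problems.append("Local subnets overlap; traffic cannot be routed across the tunnel")

    return problems


if __name__ == "__main__":
    for line in check_pair(HO_SIDE, BRANCH_SIDE) or ["OK: both sides mirror each other"]:
        print(line)
```

Run it with the real values from both firewalls filled in; any line it prints corresponds to a field that will make IKE or the phase 2 selectors fail, so fix that field in the web admin before saving.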

3.4.3 Create a policy to allow traffic between 2 zones LAN and VPN

Because Create firewall rule was selected when creating the IPSec connection above, a firewall rule for the VPN and LAN zones is created automatically to allow traffic in both directions between the 2 zones LAN and VPN.

To check, go to PROTECT > Rules and policies and find the policy named Site to Site IPsec Branch_to_HO.

3.4.4 Enable PING and HTTPS services on VPN zone

By default, all services are turned off for the VPN zone.

To enable them, go to SYSTEM > Administration > Device Access.

Tick the 2 services HTTPS and Ping/Ping6 in the VPN zone row and click Apply to save.

4 Check the result

From each site, ping the other site's LAN.

Go to MONITOR & ANALYZE > Diagnostics > Tools > Ping.

From Sophos XGS Head Office, we ping IP 172.16.20.1, which belongs to the LAN of Sophos XGS Branch Office.

Successful ping result

From Sophos XGS Branch Office, we ping IP 172.16.16.1, which belongs to the LAN of Sophos XGS Head Office.

Successful ping result
