How to configure IPSec VPN Client to Site on Sophos Firewall version 19 for the network model below

Today Techbast will show you how to configure IPSec VPN Client to Site so that remote VPN users can connect to the enterprise's File Server system. Configuration is done on Sophos XGS with firmware version 19.

Diagram

Summary of configuration steps

  1. Configure IPSec VPN Client to Site on Sophos XGS
    1.1 Create Remote IPSec VPN Group
    1.2 Create IPSec VPN user
    1.3 Define IP hosts for the LAN subnet and the IPSec VPN subnet
    1.4 Configure the authentication service for IPSec VPN
    1.5 Configure Remote IPSec VPN
    1.6 Create a firewall rule so that the IPSec VPN and the LAN can reach each other
    1.7 Connect to User Portal to install IPSec VPN software
  2. Configure NAT port on Modem or Router
  3. Configure file sharing on File Server
  4. Connect on client device and check the result

Configuration details

  1. Configure IPSec VPN Client to Site on Sophos XGS

Log in to Sophos XGS with an Admin account

1.1 Create Remote IPSec VPN Group

Create a Remote IPSec VPN group. Grouping the VPN users makes it easier for administrators to manage them and to apply policies to user groups according to business needs.

  • Authentication -> Groups -> Click Add
  • Create Remote IPSec VPN Group
    • Group Name: Enter the name Remote IPSec VPN Group
    • Surfing Quota: Choose the traffic quota you want
    • Access Time: Select the access time you want

-> Click Save

1.2 Create IPsec VPN Users

  • Authentication -> Users -> Add
  • Create IPSec VPN users
    • Username: Enter the VPN username
    • Password: Enter the password of the IPSec VPN user
    • Email: Enter the user's email
    • Group: Select the IPSec VPN group you created earlier

-> Click Save

1.3 Define IP hosts for the LAN subnet and the IPSec VPN subnet

  • Hosts and Services -> IP Host -> Add
  • HO LAN Subnet
    • Name: Enter a name for the internal LAN subnet (e.g. HO subnet)
    • Type: Select Network
    • IP Address: Enter the IP range of the LAN subnet (172.16.16.0/24)

-> Click Save

  • IPSec VPN subnet
    • Name: Enter a name for the VPN subnet (e.g. IPSec VPN subnet)
    • Type: Select Network
    • IP Address: Enter the IP range of the IPSec VPN subnet (192.168.200.0/24)

-> Click Save

1.4 Configure the authentication service for IPSec VPN

  • Authentication -> Services -> Under IPSec VPN Authentication Methods -> Under Selected authentication server -> Select Local
  • Authentication -> Services -> Under Firewall Authentication Methods -> Under Selected authentication server -> Select Local

1.5 Configure profiles for IPSEC VPN Client

Go to Remote access VPN > IPsec

Section General settings

  • Select Enable.
  • Interface: select the WAN port
  • IPsec profile: select DefaultRemoteAccess
  • Authentication type: select Preshared key and enter the key below
  • Local ID: select IP address and enter the Sophos Firewall's WAN IP
  • Allowed users and groups: choose the IPsec group created earlier

Section Client information

  • Name: enter a name for the connection
  • Assign IP from: choose the IP range for remote users
  • DNS server 1 and 2: set the IP addresses of the DNS servers

Section Idle time

  • Disconnect when tunnel is idle: select Enable
  • Idle session time interval: choose how long the tunnel may carry no traffic before it is disconnected. Here it is 6 minutes, and the tunnel reconnects automatically when there is traffic.

Advanced settings section

  • Permitted network resources: choose the subnet you want to allow access to
  • Check Allow users to save username and password so that users can save their credentials
  • Then click Apply and Export connection to download the IPsec VPN configuration file

1.6 Create firewall rule to be able to communicate between IPSEC VPN and LAN

  • Rules and policies ->  Add Firewall Rule
  • Enter a name for the rule
  • In the Source zones section: Select VPN
  • In the Source network and devices section: Select Remote IPSec VPN Subnet
  • In Destination zones: Select LAN
  • In Destination networks: Select HO subnet
  • Select Match known users
  • In the Users or groups section: Select the Remote IPSec VPN group you created earlier

-> Save
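The rule from step 1.6 and the two IP host objects from step 1.3, as a small model that can be run against sample flows. This is an added example, not Sophos code or part of the original guide; the `Flow` type, the zone strings, the "Guests" group and all sample addresses except 172.16.16.19 are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# IP host objects from step 1.3 and the group from step 1.1 (values from this page).
HO_SUBNET = ipaddress.ip_network("172.16.16.0/24")
VPN_SUBNET = ipaddress.ip_network("192.168.200.0/24")
VPN_GROUP = "Remote IPSec VPN Group"

@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    user_group: Optional[str]  # None = no authenticated user on the connection

def plan_problems(lan, pool):
    """Address-plan check for step 1.3: the two networks must not overlap."""
    problems = []
    if lan.overlaps(pool):
        problems.append(f"VPN subnet {pool} overlaps LAN subnet {lan}")
    return problems

def rule_matches(flow):
    """Simplified model of the step 1.6 rule: every condition must hold."""
    return (
        flow.src_zone == "VPN"
        and ipaddress.ip_address(flow.src_ip) in VPN_SUBNET
        and flow.dst_zone == "LAN"
        and ipaddress.ip_address(flow.dst_ip) in HO_SUBNET
        and flow.user_group == VPN_GROUP  # "Match known users" plus the group
    )

# Constructed sample flows (hypothetical addresses and group names).
SAMPLE_FLOWS = {
    "VPN user to file server": Flow("VPN", "192.168.200.10", "LAN", "172.16.16.19", VPN_GROUP),
    "no authenticated user": Flow("VPN", "192.168.200.10", "LAN", "172.16.16.19", None),
    "user in another group": Flow("VPN", "192.168.200.11", "LAN", "172.16.16.19", "Guests"),
    "source outside VPN subnet": Flow("VPN", "10.0.0.5", "LAN", "172.16.16.19", VPN_GROUP),
    "destination outside HO subnet": Flow("VPN", "192.168.200.10", "LAN", "172.16.17.5", VPN_GROUP),
    "LAN host initiating to VPN client": Flow("LAN", "172.16.16.19", "VPN", "192.168.200.10", None),
}

def evaluate(flows=SAMPLE_FLOWS):
    return {name: rule_matches(flow) for name, flow in flows.items()}

if __name__ == "__main__":
    print(plan_problems(HO_SUBNET, VPN_SUBNET) or "address plan OK")
    for name, matched in evaluate().items():
        print(f"{'ALLOW   ' if matched else 'no match'}  {name}")
```

Only the first sample flow matches. The rule covers connections initiated from the VPN zone, so a LAN host opening a new connection to a VPN client is not covered by it.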

1.7 Connect User Portal to install Sophos Connect software

  • Log in to the User Portal at https://172.16.16.16:443/
  • Use the IPSec VPN account to log in
  • In the VPN section -> Select Download for Windows to download Sophos connect
  • Install Sophos Connect software on the computer.
  • Check Sophos Connect is installed with the icon in the right corner of the screen

2. Configure NAT port on Modem or Router

  • Connect to the Modem or Router with an Admin account
  • Port forwarding (NAT) is needed so that the IPSec VPN client can connect to Sophos XGS
  • Forward ports 500 and 4500 to the Sophos Firewall's WAN IP

3. File Server Configuration

  • Share files on the File Server: share the files and folders with all users so that VPN users can connect to read and write files

4. Connect on client device and check the result

  • Right-click the Sophos Connect application icon > Click Sophos Connect > Select Import connection > select the .scx configuration file.
  • Click Connect.
  • Enter the account created for IPSEC VPN and click Sign in
  • Wait a few seconds to be able to connect to the local network
  • When the connection is successful -> You will get a notification that the connection is complete and your VPN address
  • Icon of the connected application
  • You can connect to File Server with File Server’s address 172.16.16.19
  • You type in the search bar: \\172.16.16.19

-> Done
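A scripted version of the final check, added here as an example and not part of the original guide: it opens a TCP connection to the file server and reports whether the client's source address lies in the VPN range, which shows the share is being reached through the tunnel. It assumes the address range chosen under "Assign IP from" lies inside 192.168.200.0/24 and that the share is served over SMB on TCP port 445; the function name is hypothetical.

```python
import ipaddress
import socket

VPN_POOL = ipaddress.ip_network("192.168.200.0/24")  # assumed "Assign IP from" range
FILE_SERVER = "172.16.16.19"                          # file server address from step 4
SMB_PORT = 445                                        # assumption: share uses SMB over TCP

def check_share_path(host=FILE_SERVER, port=SMB_PORT, pool=VPN_POOL, timeout=3.0):
    """Connect to the file server and report which local address was used.

    Returns (reachable, local_ip, via_vpn). via_vpn is True only when the
    operating system chose a source address inside the VPN range, meaning the
    connection is routed through the tunnel and not over some other path.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            local_ip = conn.getsockname()[0]
    except OSError:
        # Refused, timed out or unroutable: the share is not reachable.
        return (False, None, False)
    return (True, local_ip, ipaddress.ip_address(local_ip) in pool)

if __name__ == "__main__":
    reachable, local_ip, via_vpn = check_share_path()
    if not reachable:
        print(f"{FILE_SERVER}:{SMB_PORT} not reachable; check the tunnel and the firewall rule")
    elif via_vpn:
        print(f"reachable through the VPN, source address {local_ip}")
    else:
        print(f"reachable, but source address {local_ip} is outside {VPN_POOL}")
```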
