Sophos Firewall: Sophos Firewall and Oracle Cloud Infrastructure (OCI) policy-based IPsec

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Overview:

This Recommended Read describes how to configure a policy-based IPsec VPN between Sophos Firewall and Oracle Cloud Infrastructure (OCI).

Configuration

OCI 

Within the OCI console, from the main menu go to Networking > IPsec Connections.

Within OCI, an IPsec tunnel is made up of three OCI objects:

  1. Dynamic Routing Gateway (DRG)
  2. Customer-Premises Equipment (CPE)
  3. IPsec connection

A Dynamic Routing Gateway is required. However, in a policy-based VPN it exists only to satisfy the UI requirements.

First, create a DRG:

  • Within Networking, it is in the menu on the left side.
  • A DRG has few properties; essentially just its name.

Next, create a new CPE:

  • Also in the left side menu.
  • The CPE has a few more properties; this is where you specify the WAN address of the on-premises equipment.

Now create the IPsec connection:

  • Left side menu, IPsec connection.
  • The "Create IPsec connection" dialog box states:
    • "To use static routing instead of BGP dynamic routing, provide at least one static route CIDR for your on-premises network.
      Otherwise, see the Advanced Options below to configure BGP dynamic routing."
    • Note: The default for an IPsec connection is policy-based ("static"), not route-based ("dynamic").

For the connection you will need to define the following:

  • Name: a name for the connection.
  • DRG: select from the drop-down.
  • CPE: select from the drop-down.
  • Static route CIDR: add the on-premises networks here; click the "additional static routes" button to add more on-premises networks.

Click "show advanced":

  • Within the CPE identifier, add the WAN address you used when defining the CPE.
  • Click the tunnel1 tab, define a name like "primary" and define a shared secret.
  • Click the tunnel2 tab, define a name like "backup" and define a shared secret.

Finish by clicking "create ipsec connection".


Before configuring the Sophos Firewall to connect, collect the Oracle VPN's WAN IP addresses:

  • Click on IPsec connections.
  • Click on the name of your IPsec connection; the tunnel details are at the bottom of the page.
  • In the section "Tunnels in <your compartment name>" you will see a column "Oracle VPN IP Address"; make a note of the primary and backup IP addresses.
  • The Oracle VPN's phase 1 and phase 2 settings were left at their defaults.

Now we have all the pieces to define the IPsec policy and connection on the Sophos on-premise firewall.


Start with the IPsec policy. Before doing so, note that Oracle has an article describing the Phase 1 and Phase 2 settings they support.

Sophos Firewall

How this maps onto the Sophos policy configuration is summarized below.

  • Within Sophos go to VPN, click the ellipsis at the far right, and select "IPsec policies" from the drop-down.
  • Click the "Add" button and define Phase 1 and Phase 2 as noted below:
    • Phase 1:
      • Mode: main
      • Allow re-keying
      • DH group: 2 & 5
      • Lifetime: 28800
      • Encryption: aes-256
      • Authentication: sha2 256
    • Phase 2:
      • PFS group: 5
      • Encryption: aes256
      • Authentication: sha1
        • Sophos will warn you about using sha1; note that the Oracle documentation states to use sha1-96.
      • Key life time: 3600

Optional: vendors sometimes add support for additional encryption types before updating their documentation.

  • I added a second set of encryption/authentication algorithms to the Phase 2 settings, hoping this is the case with Oracle:
    • aes256 / sha2 256

Within Sophos go to VPN > IPsec connections:

  • Add a new connection:
    • Connection type: site-to-site
    • Gateway type: initiate
    • Policy: the one you created above.
    • Shared secret: the one you defined for the primary tunnel.
    • Listening interface: the interface whose WAN IP matches the address configured in the OCI CPE and in the IPsec connection's CPE IKE identifier, since that is the address OCI expects the tunnel to come from.
    • Gateway address: the WAN IP of the primary Oracle VPN.

Note: if your Sophos WAN interface is behind NAT, you can use the "Local ID" to override the IP address presented as the IKE identifier. If you are not behind NAT you do not need to do this.

For local/remote networks:

  • Local networks
    • Include every on-premises network.
    • Note: these must match the "Static route CIDR" values you entered while creating the IPsec connection on OCI.
  • Remote networks
    • Any subnet within OCI you wish to be reachable through the tunnel.

Click "Save" and then click the toggle to turn on the tunnel and activate it.

Setting up the backup tunnel is the same operation as above. Create the backup IPsec connection on Sophos and proceed with the steps below:

  • With the primary and backup tunnels both in the off state, follow the steps in the Sophos KB to combine the tunnels into a failover group.
  • Skip to section "Create an IPsec VPN connection", steps #3 through #7.

Note: With policy-based VPNs you should only have one tunnel up at a time; otherwise the static routes of equal weight will load balance across the two tunnels if both are up. Load balancing might sound great, but some communications will have problems with packets arriving out of order, so it is not recommended; hence a failover group of tunnels is the best practice.
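The local/remote network rule, the Phase 1/Phase 2 proposal matching, and the one-tunnel-at-a-time rule above are the three things that most often stop a policy-based tunnel to OCI from coming up, so here is an added consistency check (example code written for this article, not Sophos or Oracle tooling) that compares the two sides before you turn the tunnels on. The OCI and Sophos values are constructed samples; the dictionary layout and the `203.0.113.x` addresses are assumptions for the example.

```python
import ipaddress

# Constructed sample values standing in for the OCI "IPsec connection" and the two
# Sophos connections built in the article; addresses are documentation-range placeholders.
OCI = {
    "static_routes": ["192.168.10.0/24", "192.168.20.0/24"],   # Static route CIDRs
    "vpn_ips": ["203.0.113.10", "203.0.113.11"],                # "Oracle VPN IP Address" column
    "phase1": {("aes-256", "sha2-256", 2), ("aes-256", "sha2-256", 5)},
    "phase2": {("aes-256", "sha1-96", 5)},
}
SOPHOS = [
    {"name": "oci-primary", "gateway": "203.0.113.10", "active": True,
     "local": ["192.168.10.0/24", "192.168.20.0/24"],
     "phase1": {("aes-256", "sha2-256", 2), ("aes-256", "sha2-256", 5)},
     "phase2": {("aes-256", "sha1", 5), ("aes-256", "sha2-256", 5)}},  # second set is optional
    {"name": "oci-backup", "gateway": "203.0.113.11", "active": False,
     "local": ["192.168.10.0/24", "192.168.20.0/24"],
     "phase1": {("aes-256", "sha2-256", 2), ("aes-256", "sha2-256", 5)},
     "phase2": {("aes-256", "sha1", 5)}},
]

def _norm(proposals):
    # Sophos labels the integrity algorithm "sha1"; Oracle documents it as "sha1-96"
    # (HMAC-SHA1 with the 96-bit truncation IPsec uses), so treat the two as equal.
    return {(enc, "sha1" if auth.startswith("sha1") else auth, grp) for enc, auth, grp in proposals}

def check_connection(oci, conn):
    """Return the mismatches that would keep this Sophos connection from coming up."""
    problems = []
    if conn["gateway"] not in oci["vpn_ips"]:
        problems.append(f"{conn['name']}: gateway {conn['gateway']} is not an Oracle VPN IP")
    # Policy-based: the Sophos local networks must equal the OCI static route CIDRs exactly,
    # otherwise the Phase 2 traffic selectors do not match and no SA is installed.
    want = {ipaddress.ip_network(c) for c in oci["static_routes"]}
    have = {ipaddress.ip_network(c) for c in conn["local"]}
    problems += [f"{conn['name']}: OCI static route {n} has no matching local network" for n in sorted(want - have)]
    problems += [f"{conn['name']}: local network {n} is not an OCI static route" for n in sorted(have - want)]
    # Each phase needs at least one proposal both sides accept.
    for phase in ("phase1", "phase2"):
        if not _norm(oci[phase]) & _norm(conn[phase]):
            problems.append(f"{conn['name']}: no common {phase} proposal")
    return problems

def check_failover(connections):
    """Policy-based tunnels to OCI must not both be active; use a failover group instead."""
    active = [c["name"] for c in connections if c["active"]]
    return [] if len(active) <= 1 else [f"more than one tunnel active at once: {active}"]

if __name__ == "__main__":
    for conn in SOPHOS:
        print(conn["name"], check_connection(OCI, conn) or "ok")
    print(check_failover(SOPHOS) or "failover ok")
```

Drop the optional sha2 256 Phase 2 set from the sample and the check still passes; drop the sha1 set instead and it reports no common Phase 2 proposal, which is why the sha1 entry has to stay until Oracle documents otherwise.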

______________________________________________________________________________________________________________________________________



Edited format, added horizontal lines, Added Table of contents
[edited by: Raphael Alganes at 12:16 PM (GMT -8) on 4 Dec 2023]
Follow the same configuration for the XG as above. The IPsec site-to-site tunnel is established between the XG and the Oracle firewall, and communication is happening.