Sophos Firewall: How to configure WAF over an IPsec Site-to-Site

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes how to enable connectivity from the WAF server (the Sophos Firewall that is also the IPsec gateway), using the IP address of its LAN or DMZ interface, to a remote Web Server that is reached only through the site-to-site IPsec connection.

What to do

Configure WAF by referring to Sophos Firewall: WAF configuration guide.  

Configure the IPsec site-to-site by referring to Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key

Once the configuration is set, check whether the Sophos Firewall's physical interface IP address on the LAN/DMZ is included in the IPsec-allowed networks.

By default, the connection from the WAF server (Sophos Firewall on Site B) to the Web Server (behind the Sophos Firewall on Site A) is sourced from the WAN interface IP, which isn't routed through the IPsec connection. You therefore need to add the Sophos Firewall's LAN/DMZ IP address (192.168.0.1) to the allowed networks of the IPsec connection. This adds the address to the IPsec route, and the firewall then uses it as the source IP when connecting to the Web Server via the IPsec connection.

To verify which IP address the Sophos Firewall on site B (where the WAF is configured) uses to communicate with the Web Server, run the following command in the Advanced Shell.

ip route get <Web-server address>

In this example scenario, the Web Server's IP is 192.168.4.10 and 192.168.0.1 is the LAN interface IP of the Sophos Firewall on site B, where the WAF is configured.

ip route get 192.168.4.10

The output is:

192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0

Otherwise, if the local interface IP isn't added to the allowed networks of the IPsec connection, the route will use the WAN interface IP as its source, which isn't routed through the IPsec connection.

ip route get 192.168.4.10

The output is: 

192.168.4.10 dev ipsec0 table 220 src 1.1.1.1 uid 0
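The following script is an added example and is not part of the Sophos article. It parses the `ip route get` output shown above and reports whether the selected source address is the LAN/DMZ interface IP (inside the IPsec-allowed networks) or the WAN IP; the function names, the `--demo` flag and the sample lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Sophos article): check that the route to the
# Web Server is sourced from the LAN/DMZ IP that is in the IPsec-allowed
# networks, not from the WAN IP. Function names are assumptions.

# Print the value that follows a keyword (dev, src, table) in an
# `ip route get` line; prints nothing if the keyword is absent.
route_field() {
    # $1 = route line, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i < NF; i++) if ($i == key) { print $(i+1); exit }
    }'
}

# Return 0 when the route leaves via the IPsec interface with the expected
# LAN/DMZ source IP, 1 otherwise (with a one-line reason on stdout).
check_ipsec_route() {
    # $1 = route line, $2 = expected LAN/DMZ IP, $3 = device (default ipsec0)
    dev=$(route_field "$1" dev)
    src=$(route_field "$1" src)
    want_dev=${3:-ipsec0}
    if [ "$dev" != "$want_dev" ]; then
        echo "FAIL: route uses device '$dev', expected '$want_dev'"
        return 1
    fi
    if [ "$src" != "$2" ]; then
        echo "FAIL: source IP is '$src'; add $2 to the IPsec-allowed networks"
        return 1
    fi
    echo "OK: source $src via $dev"
    return 0
}

# Live check, to be run from the firewall's Advanced Shell.
# $1 = Web Server IP, $2 = LAN/DMZ interface IP
check_live() {
    line=$(ip route get "$1" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no route to $1"; return 1; }
    check_ipsec_route "$line" "$2"
}

# Constructed sample lines matching the two outputs shown in the article.
GOOD_LINE='192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0'
BAD_LINE='192.168.4.10 dev ipsec0 table 220 src 1.1.1.1 uid 0'

if [ "${1:-}" = "--demo" ]; then
    check_ipsec_route "$GOOD_LINE" 192.168.0.1
    check_ipsec_route "$BAD_LINE" 192.168.0.1
fi
```

Run it with `--demo` to see both verdicts, or call `check_live 192.168.4.10 192.168.0.1` on the site B firewall.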

[edited by: emmosophos at 8:46 PM (GMT -8) on 15 Nov 2023]