I need to establish a Site-to-Site IPSEC VPN between a Sophos XG VM and a Mikrotik Router. I'm having a hard time making it work. Has anyone here done this setup successfully? Can you send me the steps? Thanks in advance.
I need the same. Any help?
In reply to dehylus:
Hi,
Start with the simplest configuration using a preshared key.
10.0.43.0/24 - client LAN address
10.0.0.0/8 - Sophos remote LAN network
Mikrotik:
/ip ipsec peer profile
add dh-group=modp2048 dpd-interval=30s enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=sophos
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=sophos pfs-group=modp2048
/ip ipsec peer
add address=a.b.c.d/32 comment="sophos ATM" profile=sophos secret="secret"
/ip ipsec policy
add action=none comment="internal LAN" dst-address=10.0.43.0/24 src-address=10.0.43.0/24
add comment=SOPHOS dst-address=10.0.0.0/8 level=unique proposal=sophos sa-dst-address=a.b.c.d/32 sa-src-address=0.0.0.0 src-address=10.0.43.0/24 tunnel=yes
Do not forget to allow IPSec packet traffic in the firewall before the fasttrack rule.
In reply to MichalKawecki:
Thanks for answering. I followed all the steps but the connection does not work. Mikrotik version is 6.44.3; apparently the configuration commands of this version are slightly different, since the shared key must be configured in a different profile called identities. The Sophos error logs say the following: received IKE message with invalid SPI (FCD23C82) from other side.
Sophos version is SFOS 17.5.5 MR-5.
Thanks for the help.
I have provided a working configuration for 6.43.11 firmware. From what I see, the newest 6.44 tree brought a lot of changes to ipsec settings and I will have to work on it for a while. However, the main assumptions will still be the same as in the previous firmware. I made the first connection with such settings while still having 6.42.5 firmware.
In the meantime, log in via ssh to the router => Device Management => Advanced shell and analyze the contents of the ipsec log. Maybe you can find there indications on what is wrongly configured.
tail -n 100 /log/strongswan.log
This new firmware has differently shared ipsec settings. Below I paste a working configuration. There was nothing to change on the side of the Sophos router. Note the default ipsec policy number 0 - it should be turned off.
/ip ipsec profile
add dh-group=modp2048 dpd-interval=30s enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=sophos
/ip ipsec peer
add address=a.b.c.d/32 comment="sophos ATM" name=peer1 profile=sophos
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=sophos pfs-group=modp2048
/ip ipsec identity
add peer=peer1 secret="secret"
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/32 src-address=0.0.0.0/32
add action=none comment=LAN dst-address=10.0.43.0/24 src-address=10.0.43.0/24
add comment=SOPHOS dst-address=10.0.0.0/8 level=unique proposal=sophos sa-dst-address=a.b.c.d sa-src-address=0.0.0.0 src-address=10.0.43.0/24 tunnel=yes
After several tests, everything now works correctly. I had to do some additional things like in the configuration of the vpn in sophos add the local and remote IDs, without that the connection is not made. So far everything is working well. Thanks for the help, I hope it helps someone else to make this configuration.
According to my tests setting local and remote ID is unnecessary, both routers assume by default that it is their public IP address. Defining ID of the VPN client is only required if Mikrotik operates behind NAT, ie it has a private address on the WAN interface. I have 40 routers configured with the settings I presented on the screens and only two behind the NAT for which I was forced to enter its remote ID manually:
Actually my mikrotik gateway was with NAT and with that additional data it connects perfectly. In all the configuration use IKE1, but IKE2 is recommended for security, but it never worked. Is there an advantage? Is it possible against the mikrotik equipment or is only IKE1 possible?
IKE2 protocol has more advantages than just improved security, for example, router automatically resumes a broken connection (DPD is unnecessary) and this happens almost immediately - and not after several or several dozen seconds.
Taking advantage of the opportunity that I got involved in this discussion, I changed all my IPSec connections to the IKEv2 version. It was enough to set this protocol in policies on both sides, nothing else needed to be changed. This was also true for routers behind NAT.
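An added sanity check for the 6.44-style configuration discussed in this thread (example code written for this page, not from the thread's authors, MikroTik or Sophos): it parses a `/ip ipsec` export and flags the pitfalls that came up above, namely an identity whose peer does not exist, default policy 0 left enabled, a tunnel policy whose sa-dst-address matches no peer, and a router behind NAT with no explicit local ID. The sample export and its peer address are constructed placeholders, and the assumption that the local ID is carried by the identity's my-id parameter is mine, not something the thread states.

```python
import shlex

# Constructed sample in the 6.44-style layout from the thread; peer address and secret are placeholders.
SAMPLE = """
/ip ipsec peer
add address=198.51.100.10/32 comment="sophos ATM" name=peer1 profile=sophos
/ip ipsec identity
add peer=peer1 secret="secret"
/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/32 src-address=0.0.0.0/32
add comment=SOPHOS dst-address=10.0.0.0/8 level=unique proposal=sophos sa-dst-address=198.51.100.10 sa-src-address=0.0.0.0 src-address=10.0.43.0/24 tunnel=yes
"""

def parse_export(text):
    """Parse RouterOS export text into {menu path: [entry dict, ...]}."""
    sections, menu = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):           # menu path, e.g. /ip ipsec peer
            menu = line
            continue
        tokens = shlex.split(line)         # keeps comment="sophos ATM" together
        entry = {"_cmd": tokens[0]}
        if tokens[0] == "set":             # "set 0 ..." edits an existing item
            entry["_id"], tokens = tokens[1], tokens[1:]
        for key, _, value in (tok.partition("=") for tok in tokens[1:]):
            entry[key] = value
        sections.setdefault(menu, []).append(entry)
    return sections

def check_tunnel(sections, behind_nat=False):
    """Findings for the pitfalls the thread ran into; an empty list means none."""
    findings = []
    peers = {p.get("name"): p for p in sections.get("/ip ipsec peer", [])}
    identities = sections.get("/ip ipsec identity", [])
    policies = sections.get("/ip ipsec policy", [])
    for ident in identities:               # 6.44+: the secret lives on the identity
        if ident.get("peer") not in peers:
            findings.append(f"identity refers to unknown peer {ident.get('peer')}")
    if not any(p.get("_id") == "0" and p.get("disabled") == "yes" for p in policies):
        findings.append("default policy 0 is not disabled")
    peer_ips = {p.get("address", "").split("/")[0] for p in peers.values()}
    for pol in (p for p in policies if p.get("tunnel") == "yes"):
        if pol.get("sa-dst-address") not in peer_ips:
            findings.append(f"policy {pol.get('comment')} sa-dst-address matches no peer")
    # Thread: a MikroTik behind NAT needs an explicit local ID (assumed to be the identity's my-id).
    if behind_nat and not any("my-id" in i for i in identities):
        findings.append("router is behind NAT: set an explicit local ID on the identity")
    return findings
```

Run it against the output of `/ip ipsec export` and fix every finding before reading the strongswan log again.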