IPSEC VPN, XG and Mikrotik Router

I need to establish a Site-to-Site IPSEC VPN between a Sophos XG VM and a Mikrotik Router.
I'm having a hard time making it work.
Has anyone here done this setup successfully? Can you send me the steps?

Thanks in advance.

  • I need the same. Any help?

  • In reply to dehylus:

    Hi,

    Start with simplest configuration using preshared key.

    10.0.43.0/24 - client LAN address
    10.0.0.0/8     - Sophos remote LAN network


    Mikrotik
    /ip ipsec peer profile
    add dh-group=modp2048 dpd-interval=30s enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=sophos
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=sophos pfs-group=modp2048
    /ip ipsec peer
    add address=a.b.c.d/32 comment="sophos ATM" profile=sophos secret="secret"
    /ip ipsec policy
    add action=none comment="internal LAN" dst-address=10.0.43.0/24 src-address=10.0.43.0/24
    add comment=SOPHOS dst-address=10.0.0.0/8 level=unique proposal=sophos sa-dst-address=a.b.c.d \
    sa-src-address=0.0.0.0 src-address=10.0.43.0/24 tunnel=yes

    Do not forget to allow IPSec packet traffic in the firewall before the fasttrack rule.

    Sophos

    [Sophos XG side shown as screenshots in the original post; not reproduced here]

  • In reply to MichalKawecki:

    Thanks for answering. I followed all the steps, but the connection does not work. The Mikrotik version is 6.44.3; apparently the configuration commands of this version are slightly different, since the shared key must be configured in a different profile called identities. The Sophos error logs say the following: received IKE message with invalid SPI (FCD23C82) from other side.

    The Sophos version is SFOS 17.5.5 MR-5.

    Thanks for the help.

  • In reply to dehylus:

    Hi,

    I have provided a working configuration for the 6.43.11 firmware. From what I see, the newest 6.44 tree brought a lot of changes to the IPsec settings and I will have to work on it for a while. However, the main assumptions will still be the same as in the previous firmware. I made the first connection with such settings while still on the 6.42.5 firmware.

  • In reply to MichalKawecki:

    In the meantime, log in to the router via SSH => Device Management => Advanced shell and analyze the contents of the IPsec log. Maybe you can find indications there of what is wrongly configured.
    tail -n 100 /log/strongswan.log

  • In reply to MichalKawecki:

    This new firmware has the IPsec settings split up differently. Below I paste a working configuration. There was nothing to change on the side of the Sophos router.
    Note the default IPsec policy number 0 - it should be turned off.

    /ip ipsec profile
    add dh-group=modp2048 dpd-interval=30s enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=sophos
    /ip ipsec peer
    add address=a.b.c.d/32 comment="sophos ATM" name=peer1 profile=sophos
    /ip ipsec proposal
    add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=8h name=sophos pfs-group=modp2048
    /ip ipsec identity
    add peer=peer1 secret="secret"
    /ip ipsec policy
    set 0 disabled=yes dst-address=0.0.0.0/32 src-address=0.0.0.0/32
    add action=none comment=LAN dst-address=10.0.43.0/24 src-address=10.0.43.0/24
    add comment=SOPHOS dst-address=10.0.0.0/8 level=unique proposal=sophos sa-dst-address=a.b.c.d \
    sa-src-address=0.0.0.0 src-address=10.0.43.0/24 tunnel=yes

  • In reply to MichalKawecki:

    After several tests, everything now works correctly. I had to do some additional things, such as adding the local and remote IDs in the VPN configuration on Sophos; without that the connection is not made. So far everything is working well. Thanks for the help, I hope it helps someone else to make this configuration.

  • In reply to dehylus:

    Hi,

    According to my tests, setting the local and remote ID is unnecessary; both routers assume by default that it is their public IP address. Defining the ID of the VPN client is only required if the Mikrotik operates behind NAT, i.e. it has a private address on the WAN interface. I have 40 routers configured with the settings I presented on the screens and only two behind NAT, for which I was forced to enter the remote ID manually.

    Regards

  • In reply to MichalKawecki:

    Actually, my Mikrotik gateway was behind NAT, and with that additional data it connects perfectly. All of the configuration uses IKEv1, but IKEv2 is recommended for security; however, it never worked. Is there an advantage? Is it possible with the Mikrotik equipment, or is only IKEv1 possible?

  • In reply to dehylus:

    The IKEv2 protocol has more advantages than just improved security; for example, the router automatically resumes a broken connection (DPD is unnecessary) and this happens almost immediately, not after several or several dozen seconds.

    Taking advantage of the opportunity that I got involved in this discussion, I changed all my IPsec connections to the IKEv2 version. It was enough to set this protocol in the policies on both sides; nothing else needed to be changed. This was also true for the routers behind NAT.
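To pull the thread together, here is an added example (not posted by either participant): the RouterOS 6.44 configuration from the thread switched to IKEv2 as the last reply describes, plus the firewall exceptions MichalKawecki refers to when saying IPsec traffic must be allowed before the fasttrack rule. The Sophos public IP a.b.c.d, the pre-shared key "secret" and the two LAN prefixes are the thread's own placeholders; ether1 as the WAN interface, the masquerade rule and the explicit input rules for IKE/ESP are assumptions.

```routeros
# Added example, not from the original thread. Assumes RouterOS 6.44.x,
# WAN on ether1, Sophos XG public IP a.b.c.d, local LAN 10.0.43.0/24,
# remote (Sophos) networks 10.0.0.0/8.

/ip ipsec profile
add name=sophos dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    lifetime=8h dpd-interval=30s

/ip ipsec proposal
add name=sophos auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048 lifetime=8h

# exchange-mode=ike2 is the only peer-side change for IKEv2; the Sophos XG
# IPsec policy must be set to IKEv2 as well, otherwise phase 1 never completes.
/ip ipsec peer
add name=peer1 address=a.b.c.d/32 profile=sophos exchange-mode=ike2 \
    comment="Sophos XG"

# In 6.44 the pre-shared key lives in the identity, not in the peer.
/ip ipsec identity
add peer=peer1 auth-method=pre-shared-key secret="secret"

/ip ipsec policy
set 0 disabled=yes dst-address=0.0.0.0/32 src-address=0.0.0.0/32
add action=none comment=LAN src-address=10.0.43.0/24 dst-address=10.0.43.0/24
add comment=SOPHOS src-address=10.0.43.0/24 dst-address=10.0.0.0/8 \
    tunnel=yes level=unique proposal=sophos sa-src-address=0.0.0.0 \
    sa-dst-address=a.b.c.d

# IKE (UDP/500), NAT-T (UDP/4500) and ESP must reach the router itself.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=500,4500 src-address=a.b.c.d \
    comment="IKE/NAT-T from Sophos"
add chain=input action=accept protocol=ipsec-esp src-address=a.b.c.d \
    comment="ESP from Sophos"
# Policy-matched traffic must be accepted *before* fasttrack; fasttracked
# packets skip the IPsec policy and would leave the router unencrypted.
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="decrypted VPN traffic, keep above fasttrack"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="traffic to be encrypted, keep above fasttrack"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related

# Tunnel traffic must not be masqueraded, or its source address no longer
# matches the policy selector and is sent out in the clear instead.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec \
    src-address=10.0.43.0/24 dst-address=10.0.0.0/8 comment="bypass NAT for VPN"
add chain=srcnat action=masquerade out-interface=ether1
```

On a router that already has the default fasttrack and masquerade rules, add the two `ipsec-policy=` forward rules and the srcnat accept rule with `place-before=` pointing at the existing fasttrack/masquerade rule instead of re-adding them. For a Mikrotik behind NAT, the thread's own finding applies unchanged: the Sophos side additionally needs the remote ID set to what the Mikrotik presents, since its WAN address is private.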