User Authentication over S2S IPSec VPN

Question

We have currently have two locations, each with a XG330 v19.5.4 MR4 and an EPL fiber connection between them that has a S2S IPSec tunnel setup and a static route on both ends pointing to the other. Each FW is setup with the local DC for user authentication (same domain). Currently there are several FW rules we would like to switch to being user-based vs device-based (FQDN) or network-based (IP/NETWORK) as we rollout "hotdesk" setups (whoever can login wherever they want to sit that day). From what I am seeing both locations are working as anticipated/desired with local traffic/users (they all show up with a client type of Heartbeat as they are all setup with Sophos Endpoint Protection). Our issue is coming when we have a user at location A that is trying to access a resource at location B. The user authentication is not passed through so the FW rules at location B block the access. The same is for users at location B wanting to access resources at location A. I'm pretty sure there is a proper way to address this, but I am not entirely sure which solution to pursue. Any advise or guidance would be greatly appreciated. 
 
 Thank you, 
 James

dirkkotte · Accepted Answer

Using STAS you should be able to tell both firewalls the identity of an IP/USER - combination. 
 https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Authentication/STAS/index.html

Sreenivasulu Naidu · Answer

Hi CV_Sophos , Based on further one on one discussion, realised you are trying out to keep userA or userB in the 'Match known users' filed of the associated Firewall rule (source zones: lan,vpn, destination zones: vpn,lan) to allow/deny traffic from the users into the VPN. 
 This is not possible, at least in the Strongswan based VPN implementation on SFOS we don't take user into account to allow/deny traffic into S2S VPN (policy based or route based). There is no user authentication that happens in S2S VPN tunnel. Placement of traffic into VPN is based on firewall rule with zones/networks and local/remote subnets in the IPsec config or using static/dynamic routing in route based VPN. 
 userA-------LAN----SFOS1---------IPSec--------SFOS2-----LAN------userB; in your topology of this sort, when userA sends traffic to userB, firewall rule on SFOS1 set with 'Match known users' causes the packets dropped on SFOS1 itself and packet will not be placed onto the s2s IPsec VPN tunnel. 
 'Match known users' filed is applicable and works fine while having remote access IPsec that has user Authentication for a given user.

Mayur Makvana · Answer

Hello, 
 The Sophos firewall does not support authentication for the Site to Site VPN communication (Assuming that you are trying to allow access of the resources to the authenticated users only from Site A to Site B and vice versa). This can be achieved with the remote access VPN, however that does not seems to be your requirement.

User Authentication over S2S IPSec VPN

Top Replies