Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Overview
This article describes the steps to enable connectivity to the non-connected subnets (in LAN or DMZ zone) of the WAF server, which is also the IPSec gateway, to the remote Web Server via the site-to-site IPSec connection.
What to do
Configure WAF by referring to Sophos Firewall: WAF configuration guide.
Configure the IPsec site-to-site by referring to Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Once the configuration is in place, check that the Sophos Firewall's physical interface IP address on the LAN/DMZ is included in the IPsec allowed networks.
By default, a connection from the WAF server (the Sophos Firewall on Site B) to the Web Server (behind the Sophos Firewall on Site A) is sourced from the WAN interface IP, which isn't routed through the IPsec connection. To change this, add the Sophos Firewall's LAN/DMZ IP address (192.168.0.1) to the allowed networks in the IPsec connection. The firewall then includes this IP address in the IPsec route and uses it as the source IP when connecting to the Web Server through the tunnel.
To verify which IP address is used to communicate with the Web Server from the Sophos Firewall on site B (where the WAF is configured), run the following command in the Advanced Shell:
ip route get <Web-server address>
In this scenario, the Web Server's IP is 192.168.4.10, and 192.168.0.1 is the LAN interface IP of the Sophos Firewall on site B, where the WAF is configured.
ip route get 192.168.4.10
The output is:
192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0
Otherwise, if the local interface IP isn't added to the allowed networks of the IPsec connection, the route points to the WAN interface IP, which isn't routed through the IPsec tunnel.
ip route get 192.168.4.10
The output is:
192.168.4.10 dev ipsec0 table 220 src 1.1.1.1 uid 0
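The following shell script is an added example, not part of the Sophos article, that turns the manual check above into a repeatable test: it parses the src and dev fields of an ip route get line and reports whether the chosen source address is the LAN/DMZ interface IP (so traffic uses the IPsec route) or something else, such as the WAN IP. The two sample lines are constructed to mirror the article's outputs; the function names check_waf_route, route_src and route_dev are this example's own.

```shell
#!/bin/sh
# Added example (not from the Sophos article): verify that the source IP the
# firewall picks for the Web Server is the LAN/DMZ IP that was added to the
# IPsec allowed networks.

# Print the "src" value from an "ip route get" output line (empty if absent).
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Print the "dev" value from an "ip route get" output line (empty if absent).
route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# check_waf_route LINE EXPECTED_SRC
# Returns 0 when the route's source IP equals the expected LAN/DMZ IP,
# 1 otherwise (e.g. the WAN IP was chosen because the LAN/DMZ network is
# missing from the IPsec allowed networks).
check_waf_route() {
    line=$1
    expected=$2
    src=$(route_src "$line")
    dev=$(route_dev "$line")
    if [ "$src" = "$expected" ]; then
        echo "OK: source $src via $dev matches the LAN/DMZ IP; traffic uses the IPsec route"
        return 0
    fi
    echo "WARN: source ${src:-<none>} via ${dev:-<none>} is not $expected; add $expected to the IPsec allowed networks"
    return 1
}

# Constructed sample lines matching the two outcomes described in the article.
GOOD_LINE='192.168.4.10 dev ipsec0 table 220 src 192.168.0.1 uid 0'
BAD_LINE='192.168.4.10 dev ipsec0 table 220 src 1.1.1.1 uid 0'

# On the firewall's Advanced Shell the live check would be:
#   check_waf_route "$(ip route get 192.168.4.10)" 192.168.0.1
check_waf_route "$GOOD_LINE" 192.168.0.1
check_waf_route "$BAD_LINE" 192.168.0.1 || true
```

When run against live output, ip route get may print a second "cache" line; sed only emits the src/dev values from the line that carries them, so the multi-line capture is handled without extra filtering.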
Related information
- Sophos Firewall: WAF configuration guide
- Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
[edited by: Raphael Alganes at 12:59 PM (GMT -7) on 22 Oct 2024]