Sophos Firewall: Establish IPsec PBVPN connection between Sophos Firewall and SonicWall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article describes how to configure a site-to-site IPsec PBVPN tunnel between the Sophos Firewall and SonicWall firewall using a pre-shared key to authenticate VPN peers.

Product and Environment

  • Sophos Firewall
  • SonicWall version SonicOS 7.0.0-R906

Prerequisites

You must have read-write permissions on the SFOS web admin and SonicWall web admin for the relevant features.

Network diagram

Configuration

Sophos Firewall

Create local and remote LAN

  1. Go to Hosts and services > IP host and click Add.
  2. Configure the local and remote LAN using the following values and click Save for each configuration.

    Local LAN

    Name: Enter a name. Ex. XG_LAN
    IP version: IPv4
    Type: Network
    IP address: Enter the local LAN network IP address. Ex. 172.16.16.0
    Subnet: Select the local LAN subnet. Ex. /24 (255.255.255.0)

    Remote LAN

    Name: Enter a name. Ex. SonicWall_LAN
    IP version: IPv4
    Type: Network
    IP address: Enter the remote LAN network IP address. Ex. 10.198.62.0
    Subnet: Select the remote LAN subnet. Ex. /23 (255.255.254.0)

Create IPsec profile

  1. Go to Profiles > IPsec profiles and click Add.
  2. Configure the following:

    General settings
    Name: Enter a name. Ex. XG IPsec Policy
    Key exchange: IKEv2
    Authentication mode: Main mode
    Key negotiation tries: 0
    Re-key connection: Turned on

    Phase 1
    Key life (seconds): 28800
    Re-key margin (seconds): 360
    Randomize re-keying margin by (%): 100
    DH group (key group): 14 (DH2048)
    Encryption: AES256
    Authentication: SHA2 512

    Phase 2
    PFS group (DH group): 14 (DH2048)
    Key life (seconds): 3900
    Encryption: AES256
    Authentication: SHA2 512

    Dead Peer Detection
    Dead Peer Detection: Turned on
    Check peer after every (seconds): 30
    Wait for response up to (seconds): 120
    When peer unreachable: Re-initiate


  3. Click Save.

Create IPsec connection

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Configure the following:

    General settings
    Name: Enter a name. Ex. XG_to_SonicWall
    IP version: IPv4
    Connection type: Site-to-site
    Gateway type: Respond only
    Activate on save: Turned on
    Create firewall rule: Turned on

    Encryption
    Profile: Select the IPsec profile you created earlier. Ex. XG IPsec Policy
    Authentication type: Preshared key
    Preshared key: Enter a preshared key.
    Repeat preshared key: Repeat the preshared key.

    Gateway settings
    Listening interface: Select your WAN port/IP address. Ex. PortB – 10.198.67.43
    Local subnet: Select the local LAN that you created earlier. Ex. XG_LAN
    Gateway address: Enter the remote WAN IP address. Ex. 10.198.66.84
    Remote subnet: Select the remote LAN that you created earlier. Ex. SonicWall_LAN

    Advanced
    User authentication mode: None


  3. Click Save. The IPsec connection is activated automatically, and a firewall rule for the tunnel is created automatically.

SonicWall

Create Address Object

  1. Go to Object > Addresses and click Add.
  2. Configure the local and remote LAN using the following values and click OK for each configuration.

    Local LAN

    Name: Enter a name. Ex. SonicWall_LAN
    Zone Assignment: VPN
    Type: Network
    Network: Enter the local LAN network IP address. Ex. 10.198.62.0
    Netmask/Prefix Length: Enter the local LAN netmask. Ex. 255.255.254.0

    Remote LAN

    Name: Enter a name. Ex. XG_LAN
    Zone Assignment: VPN
    Type: Network
    Network: Enter the remote LAN network IP address. Ex. 172.16.16.0
    Netmask/Prefix Length: Enter the remote LAN netmask. Ex. 255.255.255.0

Turn on VPN

  1. Go to Network > IPsec VPN > Rules and Settings > Settings.
  2. Turn on Enable VPN.
  3. Go to System > Administration > Firewall Name and enter a value in Unique Firewall Identifier.

Create VPN policies

  1. Go to Network > IPsec VPN > Rules and Settings > Policies and click Add.
  2. In the General tab, configure the following:

    Security Policy
    Policy Type: Site to Site
    Authentication Method: IKE using Preshared Secret
    Name: Enter a name. Ex. Tunnel to XG Firewall
    IPsec Primary Gateway Name or Address: Enter the remote (Sophos Firewall) WAN IP address. Ex. 10.198.67.43
    IPsec Secondary Gateway Name or Address: 0.0.0.0

    IKE Authentication
    Shared Secret: Enter the same preshared key configured in Sophos Firewall.
    Confirm Shared Secret: Repeat the preshared key.
    Local IKE ID: IPv4 Address
    Peer IKE ID: IPv4 Address


  3. In the Network tab, configure the following:

    Local Networks
    Choose local network from list: Select the local LAN that you created earlier. Ex. SonicWall_LAN

    Remote Networks
    Choose destination network from list: Select the remote LAN that you created earlier. Ex. XG_LAN


  4. In the Proposals tab, configure the following:

    IKE (Phase 1) Proposal
    Exchange: IKEv2 Mode
    DH Group: Group 14
    Encryption: AES256
    Authentication: SHA512
    Life Time (seconds): 26000

    IPsec (Phase 2) Proposal
    Protocol: ESP
    Encryption: AES256
    Authentication: SHA512
    Enable Perfect Forward Secrecy: Turned on
    DH Group: Group 14
    Life Time (seconds): 3800

    Note: The phase 1 and phase 2 Life Time values are set slightly lower on SonicWall than on Sophos Firewall because SonicWall is the initiator. The initiator then always rekeys first, which avoids re-key collisions.

  5. In the Advanced tab, configure the following:

    Enable Keep Alive: Turned on. This setting makes SonicWall the initiator of the IPsec tunnel.
    Enable Windows Networking (NetBIOS) Broadcast: Turned on
    WXA Group: None
    Default LAN Gateway (optional): 0.0.0.0
    VPN Policy bound to: The WAN interface. Ex. Interface X3

  6. Click OK.
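The two configurations above only negotiate if the address objects mirror each other (each side's local LAN is the other side's remote LAN), the peer addresses cross-reference correctly, the phase 1 and phase 2 proposals match, and the initiator's lifetimes stay below the responder's. The script below is an added example, not part of this article and not Sophos Firewall or SonicWall code: it encodes both sides' settings from the article's example values in two dictionaries (the field names are the script's own), normalises the vendors' different labels for the same algorithms, and reports every mismatch it finds. It goes slightly beyond the article by also flagging overlapping LANs and a missing initiator/responder split.

```python
"""Cross-check the two sides of the IPsec site-to-site configuration above.

Added example, not Sophos Firewall or SonicWall code. The two dictionaries are
constructed from this article's example values; the field names are this script's own.
"""
import ipaddress

# Sophos Firewall side, constructed from the article's example values.
SOPHOS = {
    "local_subnet": "172.16.16.0/24",      # XG_LAN
    "remote_subnet": "10.198.62.0/23",     # SonicWall_LAN
    "listening_ip": "10.198.67.43",        # PortB (WAN)
    "gateway_address": "10.198.66.84",     # SonicWall WAN
    "role": "responder",                   # Gateway type: Respond only
    "phase1": {"dh": "14 (DH2048)", "enc": "AES256", "auth": "SHA2 512", "life": 28800},
    "phase2": {"dh": "14 (DH2048)", "enc": "AES256", "auth": "SHA2 512", "life": 3900},
}

# SonicWall side, constructed from the article's example values (netmask form).
SONICWALL = {
    "local_subnet": ("10.198.62.0", "255.255.254.0"),   # SonicWall_LAN
    "remote_subnet": ("172.16.16.0", "255.255.255.0"),  # XG_LAN
    "wan_ip": "10.198.66.84",
    "primary_gateway": "10.198.67.43",                  # Sophos Firewall WAN
    "role": "initiator",                                # Keep Alive turned on
    "phase1": {"dh": "Group 14", "enc": "AES256", "auth": "SHA512", "life": 26000},
    "phase2": {"dh": "Group 14", "enc": "AES256", "auth": "SHA512", "life": 3800},
}

# The two vendors label the same algorithms differently; map them to one token.
ALIASES = {
    "14 (dh2048)": "dh14", "group 14": "dh14",
    "sha2 512": "sha512", "sha512": "sha512",
    "aes256": "aes256",
}


def canon(label):
    """Normalise a vendor-specific algorithm label (unknown labels are lowercased as-is)."""
    key = label.strip().lower()
    return ALIASES.get(key, key)


def net_from_mask(addr, mask):
    """Turn SonicWall's address + dotted netmask pair into an ip_network object."""
    return ipaddress.ip_network(f"{addr}/{mask}")


def check_tunnel(sophos, sonicwall):
    """Return a list of problems found; an empty list means both sides agree."""
    problems = []
    s_local = ipaddress.ip_network(sophos["local_subnet"])
    s_remote = ipaddress.ip_network(sophos["remote_subnet"])
    w_local = net_from_mask(*sonicwall["local_subnet"])
    w_remote = net_from_mask(*sonicwall["remote_subnet"])

    # Traffic selectors must mirror each other exactly or phase 2 will not come up.
    if s_local != w_remote:
        problems.append(f"Sophos local {s_local} != SonicWall remote {w_remote}")
    if s_remote != w_local:
        problems.append(f"Sophos remote {s_remote} != SonicWall local {w_local}")
    if s_local.overlaps(s_remote):
        problems.append(f"local and remote LANs overlap: {s_local} and {s_remote}")

    # Each side's peer address must be the other side's WAN address.
    if sophos["gateway_address"] != sonicwall["wan_ip"]:
        problems.append("Sophos gateway address does not match the SonicWall WAN IP")
    if sonicwall["primary_gateway"] != sophos["listening_ip"]:
        problems.append("SonicWall primary gateway does not match the Sophos listening IP")

    # Exactly one side initiates: Respond only on Sophos, Keep Alive on SonicWall.
    if {sophos["role"], sonicwall["role"]} != {"initiator", "responder"}:
        problems.append("one side must be the initiator and the other the responder")

    for phase in ("phase1", "phase2"):
        s, w = sophos[phase], sonicwall[phase]
        for field in ("dh", "enc", "auth"):
            if canon(s[field]) != canon(w[field]):
                problems.append(f"{phase} {field} mismatch: {s[field]!r} vs {w[field]!r}")
        # The initiator keeps the shorter lifetime so that it always rekeys first.
        init, resp = (s, w) if sophos["role"] == "initiator" else (w, s)
        if init["life"] >= resp["life"]:
            problems.append(
                f"{phase}: initiator lifetime {init['life']} s is not below "
                f"responder lifetime {resp['life']} s"
            )
    return problems


if __name__ == "__main__":
    for problem in check_tunnel(SOPHOS, SONICWALL) or ["no mismatches found"]:
        print(problem)
```

With the article's values the check reports no mismatches. Changing a single value on either side (a SHA1 authentication algorithm on one peer, or raising the SonicWall phase 2 lifetime to 3900) produces a specific line naming the phase and field, which is quicker than comparing two web consoles by eye when a tunnel will not come up.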

Check packet filter rules

The access rules are added automatically. To verify them, go to Policy > Access Rules, click the Matrix icon, and choose VPN to LAN or LAN to VPN.

Activate the connection

Sophos Firewall

  1. Go to Site-to-site VPN > IPsec.
  2. Click the red button under Connection and click OK to establish the connection.
  3. The button should turn green, indicating that the connection is established.

SonicWall

  1. Go to VPN > Settings > VPN Policies.
  2. Select the connection and click Add.
  3. Make sure the tunnel is enabled in the Policies tab and that it shows under the Active Tunnels tab.

Verification

Run a ping test from the client behind Sophos Firewall to the client behind SonicWall.

Example:

From the client behind Sophos Firewall, ping 10.198.62.2. These packets should go through the IPsec tunnel. This can be verified by running tcpdump -n esp on the Sophos Firewall console.
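Reading the tcpdump output by hand is fine for a few packets, but a small parser makes the check repeatable: it confirms that ESP packets flow in both directions between the two gateway addresses and that the ESP sequence numbers on each SPI increase without gaps while the ping runs. The following is an added example and not part of this article or of Sophos Firewall; SAMPLE_CAPTURE is constructed text in the line format tcpdump prints for ESP (with the article's example WAN addresses), and it includes one non-ESP line to show that the parser ignores anything else if a broader capture filter is used.

```python
"""Summarise 'tcpdump -n esp' output to confirm traffic is traversing the IPsec tunnel.

Added example, not Sophos Firewall code. SAMPLE_CAPTURE is constructed; the
addresses are the article's example WAN addresses (10.198.67.43 and 10.198.66.84).
"""
import re
from collections import Counter

# Constructed sample of what `tcpdump -n esp` prints while the ping test runs.
# The ICMP line would only appear with a broader filter; it is here to show it is skipped.
SAMPLE_CAPTURE = """\
10:15:01.102938 IP 10.198.67.43 > 10.198.66.84: ESP(spi=0xc9a1f2e3,seq=0x1a), length 132
10:15:01.104771 IP 10.198.66.84 > 10.198.67.43: ESP(spi=0x1d4e5f60,seq=0x1a), length 132
10:15:02.103011 IP 10.198.67.43 > 10.198.66.84: ESP(spi=0xc9a1f2e3,seq=0x1b), length 132
10:15:02.104902 IP 10.198.66.84 > 10.198.67.43: ESP(spi=0x1d4e5f60,seq=0x1b), length 132
10:15:02.500000 IP 172.16.16.10 > 10.198.62.2: ICMP echo request, id 7, seq 3, length 64
10:15:03.103120 IP 10.198.67.43 > 10.198.66.84: ESP(spi=0xc9a1f2e3,seq=0x1c), length 132
"""

# One tcpdump ESP record: timestamp, IP src > dst, SPI, sequence number, length.
ESP_LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\), length (?P<len>\d+)$"
)


def parse_esp(capture):
    """Yield one dict per ESP record; lines that are not ESP records are ignored."""
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["seq"] = int(rec["seq"], 16)
            rec["len"] = int(rec["len"])
            yield rec


def tunnel_summary(capture, local_gw, remote_gw):
    """Count ESP packets per direction and per SPI between the two gateways.

    Also records sequence-number gaps per SPI, which point at packet loss on the
    path (or a capture that missed packets) rather than at a tunnel that is down.
    """
    outbound = inbound = 0
    spis = Counter()
    last_seq = {}
    gaps = []
    for pkt in parse_esp(capture):
        if (pkt["src"], pkt["dst"]) == (local_gw, remote_gw):
            outbound += 1
        elif (pkt["src"], pkt["dst"]) == (remote_gw, local_gw):
            inbound += 1
        else:
            continue  # ESP to or from some other peer; not this tunnel
        spis[pkt["spi"]] += 1
        prev = last_seq.get(pkt["spi"])
        if prev is not None and pkt["seq"] != prev + 1:
            gaps.append((pkt["spi"], prev, pkt["seq"]))
        last_seq[pkt["spi"]] = pkt["seq"]
    return {
        "outbound": outbound,
        "inbound": inbound,
        "spis": dict(spis),
        "gaps": gaps,
        "bidirectional": outbound > 0 and inbound > 0,
    }


if __name__ == "__main__":
    print(tunnel_summary(SAMPLE_CAPTURE, "10.198.67.43", "10.198.66.84"))
```

On a live firewall, feed the real capture in (for example by saving `tcpdump -n esp` output to a file and passing its contents to tunnel_summary with the Sophos WAN address as local_gw and the SonicWall WAN address as remote_gw). Counters that stay at zero while the ping runs mean the packets are not entering the tunnel at all; outbound packets with no inbound ones mean the far side is not returning traffic through the tunnel, which usually points at the SonicWall network selectors or access rules.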




Last update by DominicRemigio: fixed spacing, added the SonicOS version and updated "VPN Policy bound to" to use the WAN interface.
[edited by: Erick Jan at 2:39 AM (GMT -8) on 15 Nov 2023]
  • I could not get this to work when setting up SonicWall on premise to Sophos Firewall in Azure.

    Found that if I change "VPN Policy bound to: Group VPN", the tunnel comes up immediately.  Did this on two SonicWalls today.

    The settings as described above for SonicWall don't apply to SonicOS 6.5.  Don't know what version they are for.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Now at 5 SonicWalls today, binding the actual interface, not the zone, to the VPN.  Works a treat.

  • Hi DavidSain,

    Thank you for reaching out to Sophos Community, and thank you for the feedback. 

    Will pass on the information to confirm the details and update the recommended read.

    Erick Jan
    Community Support Engineer | Sophos Technical Support