
Sophos Firewall: Establish IPsec connection between Sophos Firewall and Check Point

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes how to establish a site-to-site IPsec VPN between Sophos Firewall and Check Point firewall.

In this scenario, the Check Point gateway is deployed as Peer A and the Sophos Firewall gateway as Peer B.

The following external IP addresses have been assigned:

  • Peer A Gateway: 10.198.66.79
  • Peer B Gateway: 10.198.66.115

Applies to the following Sophos products and versions
Sophos Firewall

Prerequisites

  • You must have read-write permissions on the SFOS Admin Console for the relevant features.
  • You must have Check Point SmartDashboard R77.30.

Configuration

Check Point

Sign in to the Check Point gateway.

Create a Check Point Gateway Network Object

  1. Go to Firewall > Network Objects > Check Point and right-click.
  2. Go to Check Point > Host…
  3. In General Properties, enter Name.
  4. For IPv4 Address, enter 10.198.66.79.
  5. Under Platform, set Hardware to 5000 Appliances, Version to R77.30, and OS to Gaia.
  6. Under Network Security, select IPSec VPN.



  7. You can retrieve Topology automatically or manually:

    1. Automatic: Go to Check Point > Host… > General Properties > Topology. Click Get and click Interfaces with Topology.



    2. Manual: Go to Check Point > Host… > General Properties. Click New…
      • In Interface Properties, under General, enter Name.
      • Enter external network details:
        • IP Address: 10.198.66.79
        • Netmask: 255.255.254.0
      • Under Topology, select External (leads out to the Internet). Under Anti-Spoofing select Perform Anti-Spoofing based on interface topology. Anti-Spoofing action is set to Prevent.

      • Enter internal network details:
        • IP Address: 192.168.150.150
        • Netmask: 255.255.255.0
      • Under Topology, select Internal (leads to the local network). Select Network defined by the interface IP and Net Mask.

      • Click OK.
        Note: Configure the topology based on the Ethernet interfaces.
  8. Under VPN Domain, select Manually defined. We have selected CP_LAN as the internal network behind the Peer A gateway.



    Note: Select All IP Addresses behind Gateway are based on Topology information if you want every network behind the Check Point firewall to participate in the VPN.

Configure Interoperable Device

Configure an Interoperable Device to represent the third-party VPN gateway. The public IP address of Peer B gateway is 10.198.66.115.

  1. Right-click Network Objects and click Interoperable Device.



  2. Enter Name.
  3. For IPv4 Address, enter 10.198.66.115.

Create a New VPN Community

  1. Go to IPSec VPN. Click New and click Star Community.



  2. Under General, enter Name. In this scenario, we have entered S2S which stands for Site-to-Site.



  3. Under Center Gateways, click Add and add Peer A (Check Point Firewall).



  4. Under Satellite Gateways, click Add and add Peer B (Sophos Firewall).



  5. Under Encryption, make sure that the Encryption Method matches the agreed configurations. We have selected IKEv1 for IPv4 and IKEv2 for IPv6.



  6. Under Encryption Suite, select Custom. Click Custom Encryption, and select the required Custom Encryption Suite Properties.



  7. Select Tunnel Management. Under Permanent Tunnels, select Set Permanent Tunnels.
  8. Select On all tunnels of specific Gateways and click Select Gateways.



  9. Under Community Members, select the gateways and Add them to Selected Gateways.



  10. Under Advanced Settings, select the required settings.

    VPN Routing




    Shared Secret



    Note: This is a pre-shared secret that you must share securely with the administrator of the peer gateway. (The option shown depends on what was selected for the Satellite Gateway while creating the IPsec VPN community.)

    Advanced VPN Properties

    Under NAT, select Disable NAT inside the VPN community.



Define a Topology for VPN Community

  1. Go to Network Objects > Interoperable Device.



  2. Go to Topology. Under VPN Domain, select Manually defined.
  3. Add XG_LAN.



    Note: XG_LAN is the network behind Peer B gateway.

Access Control Policy

  1. Create a policy to allow traffic of S2S VPN Community only.
    • Go to Rule Base, Firewall > Policy.
    • To add the VPN access rule, right-click the rule number.
    • Select Add Rule > Above.
    • Select the Only connections encrypted in specific VPN Communities option and click Add.
    • Select the S2S VPN community.
  2. Click OK.
    Note: To allow VPN traffic, add the relevant rules to the firewall rule base.



  3. Install policy on the Gateway.

Sophos Firewall

Sign in to SFOS Admin Console.

Create IPsec policy

  1. Go to Configure > VPN > IPsec policies and click Add.
    Note: The Sophos Firewall parameters must match the parameters you have defined in the Check Point Firewall.

    Note: For version 19, go to System > Profile > IPsec Profiles and click Add instead.
  2. Enter a Name (XGCP in this scenario) and set the Phase 1 and Phase 2 parameters.
  3. Click Save.
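Because a single disagreement between the two consoles (a different DH group, a lifetime typed in minutes on one side and seconds on the other, or local and remote subnets that are not mirror images) is enough to stop Phase 1 or Phase 2 from completing, it helps to transcribe both sides and compare them mechanically before activating the tunnel. The script below is an added example and is not part of the Sophos article or of either vendor's tooling. All values in it are constructed samples: the gateway addresses and CP_LAN follow the article, the XG_LAN subnet is a placeholder because the article does not give it, and the algorithm spellings are the ones each console uses for the same settings.

```python
"""Added example: cross-check the IPsec settings transcribed from Check Point
SmartDashboard (Peer A) and the SFOS Admin Console (Peer B) for the S2S tunnel.
Sample values are constructed; they are not read from either firewall."""

import re
from ipaddress import ip_network

# SFOS labels SHA-2 variants "SHA2 256" etc.; Check Point labels them "SHA256".
ALIASES = {"sha2256": "sha256", "sha2384": "sha384", "sha2512": "sha512"}


def norm_alg(value: str) -> str:
    """Fold vendor spellings together: 'AES-256', 'aes256', 'SHA2 256' -> 'aes256', 'sha256'."""
    folded = re.sub(r"[^a-z0-9]", "", value.lower())
    return ALIASES.get(folded, folded)


def norm_dh(value) -> int:
    """Extract the group number: 'Group 14 (2048 bit)', '14 (DH2048)', 14 -> 14."""
    match = re.search(r"\d+", str(value))
    if match is None:
        raise ValueError(f"cannot read a DH group from {value!r}")
    return int(match.group())


def norm_subnets(values) -> list:
    """Canonical CIDRs so '192.168.150.150/24' and '192.168.150.0/24' compare equal."""
    return sorted(str(ip_network(v, strict=False)) for v in values)


def normalize(side: dict, phase1_lifetime_unit: str) -> dict:
    """Bring one side's transcription into a vendor-neutral form.
    Check Point shows the IKE (Phase 1) lifetime in minutes and SFOS in seconds,
    so the unit is passed in explicitly and converted here."""
    factor = 60 if phase1_lifetime_unit == "minutes" else 1
    return {
        "ike_version": side["ike_version"].lower(),
        "phase1_encryption": norm_alg(side["phase1_encryption"]),
        "phase1_integrity": norm_alg(side["phase1_integrity"]),
        "phase1_dh_group": norm_dh(side["phase1_dh_group"]),
        "phase1_lifetime_seconds": side["phase1_lifetime"] * factor,
        "phase2_encryption": norm_alg(side["phase2_encryption"]),
        "phase2_integrity": norm_alg(side["phase2_integrity"]),
        "phase2_lifetime_seconds": side["phase2_lifetime"],
        "pfs_dh_group": norm_dh(side["pfs_dh_group"]) if side.get("pfs_dh_group") else None,
    }


def find_mismatches(check_point: dict, sophos: dict) -> list:
    """Return every disagreement as a readable line; an empty list means consistent."""
    a = normalize(check_point, "minutes")
    b = normalize(sophos, "seconds")
    problems = [f"{k}: Check Point={a[k]!r} Sophos={b[k]!r}" for k in a if a[k] != b[k]]
    # Addresses and subnets must be mirrored: my local is your remote.
    if check_point["gateway"] != sophos["remote_gateway"]:
        problems.append("Sophos remote gateway does not point at the Check Point gateway")
    if sophos["gateway"] != check_point["remote_gateway"]:
        problems.append("Check Point interoperable device does not point at the Sophos gateway")
    if norm_subnets(check_point["local_subnets"]) != norm_subnets(sophos["remote_subnets"]):
        problems.append("Check Point VPN domain (CP_LAN) != Sophos remote subnet")
    if norm_subnets(sophos["local_subnets"]) != norm_subnets(check_point["remote_subnets"]):
        problems.append("Sophos local subnet != interoperable device VPN domain (XG_LAN)")
    # With SFOS set to 'Respond only', the Check Point permanent tunnel must initiate.
    if not check_point["initiates"] and not sophos["initiates"]:
        problems.append("neither side initiates: the tunnel will never be negotiated")
    return problems


# Constructed transcription of the S2S community on Peer A (Check Point).
CHECK_POINT = {
    "gateway": "10.198.66.79", "remote_gateway": "10.198.66.115",
    "ike_version": "IKEv1",
    "phase1_encryption": "AES-256", "phase1_integrity": "SHA256",
    "phase1_dh_group": "Group 14 (2048 bit)", "phase1_lifetime": 1440,  # minutes
    "phase2_encryption": "AES-256", "phase2_integrity": "SHA256",
    "phase2_lifetime": 3600,  # seconds
    "pfs_dh_group": "Group 14 (2048 bit)",
    "local_subnets": ["192.168.150.150/24"],  # CP_LAN, as the interface is entered
    "remote_subnets": ["172.16.50.0/24"],     # XG_LAN placeholder (constructed)
    "initiates": True,                        # permanent tunnel
}

# Constructed transcription of the XGCP profile and S2S connection on Peer B (SFOS).
SOPHOS = {
    "gateway": "10.198.66.115", "remote_gateway": "10.198.66.79",
    "ike_version": "ikev1",
    "phase1_encryption": "aes256", "phase1_integrity": "SHA2 256",
    "phase1_dh_group": "14 (DH2048)", "phase1_lifetime": 86400,  # seconds
    "phase2_encryption": "aes256", "phase2_integrity": "SHA2 256",
    "phase2_lifetime": 3600,  # seconds
    "pfs_dh_group": "14 (DH2048)",
    "local_subnets": ["172.16.50.0/24"],      # XG_LAN placeholder (constructed)
    "remote_subnets": ["192.168.150.0/24"],   # Check Point LAN
    "initiates": False,                       # Gateway type: Respond only
}

if __name__ == "__main__":
    for line in find_mismatches(CHECK_POINT, SOPHOS) or ["no mismatches found"]:
        print(line)
```

Run it after filling in both dictionaries from the two consoles; any line it prints is a setting to correct before clicking the activation icons, which is cheaper than reading IKE negotiation failures out of the logs afterwards.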

Create Network Object

  1. Go to System > Hosts and services > IP host and click Add.



  2. Similarly, create a Network Object for networks behind the Check Point Gateway.

Create an IPsec Connection

  1. Go to Configure > VPN > IPsec connections and click Add. (For version 19, go to Configure > Site-to-site VPN > IPsec and click Add.)
  2. For Name, enter S2S.
  3. For IP version, select IPv4.
  4. Set Connection type to Site-to-site.
  5. Set Gateway type to Respond only. With this setting Sophos Firewall never initiates; the Check Point gateway, configured above with a permanent tunnel, brings the tunnel up.
  6. Make sure that the Create firewall rule is enabled.
  7. Set Policy to XGCP (created in Create IPsec policy).
  8. For Authentication type, select Preshared key and use the shared key, which was created in Check Point Firewall.
  9. Under Local gateway, set the Listening interface to the local WAN interface 10.198.66.115 and the Local subnet to XG LAN.
  10. Under Remote gateway, set the Gateway address to the Peer A gateway 10.198.66.79 and the Remote subnet to Checkpoint LAN.
  11. For User authentication mode select None.
  12. Click Save.



  13. An automatic firewall rule is also created.


Activate the tunnel

  1. Go to Configure > VPN > IPsec connections and click the icon under the Active column to activate the IPsec connection.
  2. Click the icon under the Connection column to activate the tunnel.



  3. The IPsec connection between Sophos Firewall and Check Point Firewall is now established.





[edited by: emmosophos at 8:29 PM (GMT -8) on 22 Dec 2023]