Sophos Firewall: Establish IPsec connection between Sophos Firewall and Palo Alto

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.


This article describes how to set up a site-to-site IPsec VPN connection between a Sophos Firewall and a Palo Alto firewall using a pre-shared key to authenticate VPN peers.

Applies to the following Sophos products and versions
Sophos Firewall


  • You must have read-write permissions on the SFOS Admin Console and the Palo Alto Web Admin Console for the relevant features.
  • The Palo Alto firewall must have at least two interfaces in Layer 3 mode.

Network diagram


Palo Alto Firewall

Create tunnel interface

  1. Go to Network > Interface > Tunnel and click Add.
  2. Enter Interface Name.
  3. Select existing Virtual Router.
  4. For Security Zone, select the Layer 3 internal zone from which the traffic will originate.

Configure IKE Gateway: Phase 1 parameters

  1. Go to Network Profiles > IKE Crypto and create a profile named PA_IKE_Crypto.
  2. In the IKE Crypto Profile, add group5 to DH Group, aes-256-cbc to Encryption, and sha1 to Authentication.
  3. Set Key Lifetime to Seconds and enter 28800 as the Lifetime.
  4. Set IKEv2 Authentication Multiple to 0.
  5. Click OK.

To add the PA_IKE_Crypto profile to an IKE gateway:

  1. Go to Network > IKE Gateway > General and create a new gateway.
  2. Enter Name.
  3. Set Version to IKEv1 only mode.
  4. Set Address Type to IPv4.
  5. Set Interface to ethernet1/2, and Local IP Address to
  6. Set Peer IP Type to Static.
  7. For Peer IP Address, enter
  8. Set Authentication to Pre-Shared Key.
  9. Click OK.

  10. Go to Network > IKE Gateway > Advanced Options.
  11. Under Common Options, select Enable Passive Mode, since Palo Alto will act as the responder for the IPsec connection.
  12. Under IKEv1, set Exchange Mode to main, and IKE Crypto Profile to the PA_IKE_Crypto profile you created.
  13. Select Dead Peer Detection. Set Interval and Retry to 5.
  14. Click OK.

Configure IPsec Phase 2 parameters

  1. Go to Network > IPsec Crypto and create a profile.
  2. Enter Name.
  3. Set IPSec Protocol to ESP, and DH Group to no-pfs.
  4. Add aes-256-cbc and aes-256-gcm to Encryption.
  5. Add sha1 to Authentication.
  6. Set Lifetime to Hours and enter 1.
  7. Click OK.

Define Monitor Profile

  1. Go to Network Profile > Monitor Profile.
  2. Enter Name.
  3. Set Action to Wait Recover.
  4. Enter the following values:
    • Interval (sec): 3
    • Threshold: 5

  5. Click OK.

Configure IPsec VPN Tunnel

  1. Go to Network > IPSec Tunnel > General.
  2. Enter Name.
  3. Select the Tunnel Interface you created in Create tunnel interface.
  4. Set Type to Auto Key and Address Type to IPv4.
  5. Set IKE Gateway to PA_IKE and IPSec Crypto Profile to the PA_IPSEC_Crypto profile you created.
  6. Select Show Advanced Options and Enable Replay Protection.
  7. Click OK.

To add Proxy IDs:

Go to Network > IPSec Tunnel > Proxy IDs and configure the local and remote subnets for the Head Office (HO) and Branch Office (BO).

Create route for VPN traffic

  1. Go to Virtual Router > Static Route > IPv4.
  2. Enter Name.
  3. For Destination, enter
  4. Set Interface to tunnel.1, and Next Hop to None.
  5. For Metric, enter 10.
  6. Set Route Table to Unicast.
  7. Click OK.

  8. Add the tunnel interface to the Virtual Router.

Create a firewall rule to allow VPN traffic

  1. Go to Policies > Security and create a firewall rule.

Sophos Firewall

Create IPsec VPN Policy for Phase 1 and Phase 2

  1. Go to Configure > VPN > IPsec policies and click Add. For version 19, go to System > Profiles > IPsec profiles and click Add.
  2. Enter Name.
  3. Set Key exchange to IKEv1 and Authentication mode to Main mode.
  4. Set Key negotiation tries to 0.
  5. Select Re-key connection.
  6. Under Phase 1, set Key life to 28800, Re-key margin to 120, and Randomize re-keying margin by to 100.
  7. Set DH group (key group) to 5 (DH1536).
  8. Set Encryption to AES256 and Authentication to SHA1.

  9. Under Phase 2, set PFS group (DH group) to Same as phase-I, and Key life to 3600.
  10. Set Encryption to AES256 and Authentication to SHA1.
  11. Under Dead Peer Detection, set Check peer after every to 30 seconds and Wait for response up to to 120 seconds.
  12. Set When peer unreachable to Re-initiate.
  13. Click Save.

  14. You have created the following IPsec VPN policy.
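Both peers must agree on the IKE Phase 1 and Phase 2 proposals before the tunnel comes up, and the two consoles spell the same settings differently (aes-256-cbc vs AES256, group5 vs 5 (DH1536), a lifetime of 1 Hours vs 3600 seconds). The script below is an added example, not part of this article or of either vendor's software: it transcribes the values the steps above tell you to enter, normalises the vendor spellings with a hand-made mapping (an assumption, not a vendor table), and lists every attribute on which the proposals do not overlap. Run against the article's values it reports one item: the Palo Alto IPsec Crypto profile uses no-pfs while the Sophos policy sets PFS group to Same as phase-I, which is worth confirming on both consoles since the Quick Mode exchange has to agree on whether a DH exchange happens.

```python
"""Cross-check the IKE/IPsec proposals of a Palo Alto and a Sophos Firewall.

Added example (not from the Sophos article).  The two dictionaries hold
the values the article tells you to enter on each console; CANON is a
hand-made mapping from each vendor's spelling to one common vocabulary.
"""

# Vendor spellings -> canonical names (assumption: mapping written for this example)
CANON = {
    "aes-256-cbc": "aes256-cbc", "aes256": "aes256-cbc",
    "aes-256-gcm": "aes256-gcm",
    "sha1": "sha1",
    "group5": "dh5", "5 (dh1536)": "dh5",
    "no-pfs": "none",
}


def canon(value):
    """Map a vendor spelling to its canonical name (unknown values pass through lowercased)."""
    key = str(value).strip().lower()
    return CANON.get(key, key)


def seconds(value, unit):
    """Palo Alto lifetimes carry a unit; Sophos key life is always in seconds."""
    mult = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}[unit.lower()]
    return int(value) * mult


# Palo Alto side: PA_IKE_Crypto (Phase 1) and PA_IPSEC_Crypto (Phase 2) as in the article
PALO_ALTO = {
    "ike_version": "ikev1",
    "phase1": {
        "encryption": {canon("aes-256-cbc")},
        "authentication": {canon("sha1")},
        "dh": {canon("group5")},
        "lifetime": seconds(28800, "Seconds"),
    },
    "phase2": {
        "encryption": {canon("aes-256-cbc"), canon("aes-256-gcm")},
        "authentication": {canon("sha1")},
        "pfs": canon("no-pfs"),
        "lifetime": seconds(1, "Hours"),
    },
}

# Sophos side: the IPsec policy built in the steps above
SOPHOS = {
    "ike_version": "ikev1",
    "phase1": {
        "encryption": {canon("AES256")},
        "authentication": {canon("SHA1")},
        "dh": {canon("5 (DH1536)")},
        "lifetime": 28800,
    },
    "phase2": {
        "encryption": {canon("AES256")},
        "authentication": {canon("SHA1")},
        "pfs": "same-as-phase1",  # Sophos setting "Same as phase-I"
        "lifetime": 3600,
    },
}


def effective_pfs(side):
    """Resolve 'Same as phase-I' to the concrete DH group so both sides compare alike."""
    pfs = side["phase2"]["pfs"]
    if pfs == "same-as-phase1":
        (pfs,) = side["phase1"]["dh"]  # assumes exactly one Phase 1 DH group is configured
    return pfs


def compare(a, b):
    """Return human-readable mismatches; an empty list means the proposals overlap."""
    issues = []
    if a["ike_version"] != b["ike_version"]:
        issues.append(f"IKE version: {a['ike_version']} vs {b['ike_version']}")
    for phase in ("phase1", "phase2"):
        for attr in ("encryption", "authentication"):
            # Sets: the negotiation succeeds if at least one algorithm is common to both sides
            if not (a[phase][attr] & b[phase][attr]):
                issues.append(f"{phase} {attr}: no common algorithm "
                              f"({sorted(a[phase][attr])} vs {sorted(b[phase][attr])})")
        if a[phase]["lifetime"] != b[phase]["lifetime"]:
            issues.append(f"{phase} lifetime: {a[phase]['lifetime']}s vs {b[phase]['lifetime']}s")
    if not (a["phase1"]["dh"] & b["phase1"]["dh"]):
        issues.append(f"phase1 DH group: {sorted(a['phase1']['dh'])} vs {sorted(b['phase1']['dh'])}")
    pfs_a, pfs_b = effective_pfs(a), effective_pfs(b)
    if pfs_a != pfs_b:
        issues.append(f"phase2 PFS: {pfs_a} vs {pfs_b}")
    return issues


if __name__ == "__main__":
    for line in compare(PALO_ALTO, SOPHOS) or ["proposals overlap: OK"]:
        print(line)
```

Lifetimes are compared for equality because the article sets them identically on both sides; IKEv1 peers can tolerate differing lifetimes, so treat that line as a warning rather than a hard failure if your deployment intentionally differs. Dead Peer Detection and the Palo Alto Monitor Profile are deliberately left out: those are per-side liveness settings and do not need to match.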

Configure IPsec connection

  1. Go to Configure > VPN > IPsec connections and click Add. For version 19, go to Configure > Site-to-site VPN > IPsec and click Add.
  2. Under General settings, enter Name.
  3. For IP version, select IPv4.
  4. Select Activate on save and Create firewall rule.
  5. Set Connection type to Site-to-site and Gateway type to Initiate the connection.
  6. Under Encryption, set Policy to the XG IPsec Policy you created.
  7. Set Authentication type to Preshared key. Enter and repeat the Preshared key.

  8. Under Gateway settings > Local gateway, set Listening interface to PortB – and Local ID type to Select local ID.
  9. Under Local subnet, add the XG_Network.
  10. Under Remote gateway, set Gateway address to and Remote ID type to Select remote ID.
  11. Under Remote subnet, add the Palo_Alto Network.
  12. Click Save.

  13. The IPsec connection is automatically activated and an automatic firewall rule is also created.

Activate IPsec connection

  1. Go to Configure > VPN > IPsec connections.
  2. Under Status, click the   under Connection to establish the connection.


[edited by: emmosophos at 10:23 PM (GMT -7) on 4 Oct 2022]
  • Hello DominicRemigio,

    Why are you describing the configuration of an IPsec tunnel for IKE v1 when both Palo Alto and XG Firewall support IKE v2? Why do you describe the configuration on the old Palo Alto version v8 (according to the screenshots) when v8 is already an unsupported version and the supported versions are now v9 and v10?
    I recently configured an IPsec tunnel for one customer and I know from my own experience what the current situation is. Your configuration is more than two years old. I'm sorry, but this type of tutorial will not help partners and users much.


  • Did you find an issue with using IKE v1 and SHA1 authentication?

  • Hello,

    I am trying to set up a site-to-site IPsec tunnel between a PA440 and an SG230. I followed the recommendations above, except that it is not a Sophos XG ;( , with no luck. Any working example configuration? Please help.

    I kind of also agree with Alda: why would anybody use IKEv1, SHA1 (should not be used anymore) and PH5 nowadays?