
Sophos Firewall: Establish IPsec connection between Sophos Firewall and Palo Alto

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read describes how to set up a site-to-site IPsec VPN connection between a Sophos Firewall and a Palo Alto firewall using a pre-shared key to authenticate VPN peers.

This applies to the following Sophos products and versions: Sophos Firewall

Prerequisites

  • You must have read-write permissions for the relevant features on the SFOS Admin Console and the Palo Alto web Admin Console.
  • Palo Alto firewall must have at least two interfaces in Layer 3 mode.

Network diagram

Configuration

Palo Alto Firewall

Create tunnel interface

  1. Go to Network > Interface > Tunnel and click Add.
  2. Enter the Interface Name.
  3. Select the existing Virtual Router.
  4. For Security Zone, select the Layer 3 internal zone from which the tunnelled traffic will originate.



Configure IKE Gateway: Phase 1 parameters

  1. Go to Network Profiles > IKE Crypto and create the PA_IKE_Crypto profile.
  2. In the IKE Crypto Profile, add group5 to DH Group, aes-256-cbc to Encryption, and sha1 to Authentication.
  3. Set Key Lifetime to Seconds and enter 28800.
  4. Set IKEv2 Authentication Multiple to 0.



  5. Click OK.

To assign the PA_IKE_Crypto profile to an IKE gateway:

  1. Go to Network > IKE Gateway > General and create a new gateway.
  2. Enter Name.
  3. Set Version to IKEv1 only mode.
  4. Set Address Type to IPv4.
  5. Set Interface to ethernet1/2, and Local IP Address to 10.198.66.86.
  6. Set Peer IP Type to Static.
  7. For Peer IP Address, enter 10.198.67.249.
  8. Set Authentication to Pre-Shared Key.
  9. Click OK.



  10. Go to Network > IKE Gateway > Advanced Options.
  11. Under Common Options, select Enable Passive Mode, since Palo Alto will act as the responder for the IPsec connection.
  12. Under IKEv1, set Exchange Mode to main, and IKE Crypto Profile to PA_IKE_Crypto, which you have created.
  13. Select Dead Peer Detection. Set Interval and Retry to 5.
  14. Click OK.

Configure IPsec Phase 2 parameters

  1. Go to Network > IPsec Crypto and create a profile.
  2. Enter Name.
  3. Set IPSec Protocol to ESP, and DH Group to no-pfs.
  4. Add aes-256-cbc and aes-256-gcm to Encryption.
  5. Add sha1 to Authentication.
  6. Set Lifetime to Hours and enter 1.
  7. Click OK.



Define Monitor Profile

  1. Go to Network Profile > Monitor Profile.
  2. Enter Name.
  3. Set Action to Wait Recover.
  4. Enter the following values:
    • Interval (sec): 3
    • Threshold: 5



  5. Click OK.

Configure IPsec VPN Tunnel

  1. Go to Network > IPSec Tunnel > General.
  2. Enter Name.
  3. Select the Tunnel Interface that was created in Create tunnel interface.
  4. Set Type to Auto Key and Address Type to IPv4.
  5. Set IKE Gateway to PA_IKE and IPSec Crypto Profile to the PA_IPSEC_Crypto profile you created.
  6. Select Show Advanced Options and Enable Replay Protection.
  7. Click OK.



To add Proxy IDs:

Go to Network > IPSec Tunnel > Proxy IDs and configure the local and remote subnets for Head Office (HO) and Branch Office (BO).

Create a route for VPN traffic

  1. Go to Virtual Router > Static Route > IPv4.
  2. Enter Name.
  3. For Destination, enter 172.16.16.0/24.
  4. Set Interface to tunnel.1, and Next Hop to None.
  5. For Metric, enter 10.
  6. Set Route Table to Unicast.
  7. Click OK.



  8. Add tunnel interface in Virtual Router.


Create a firewall rule to allow VPN traffic

  1. Go to Policies > Security and create a firewall rule.



Sophos Firewall

Create IPsec VPN Policy for Phase 1 and Phase 2

  1. Go to Configure > VPN > IPsec policies and click Add. For version 19, go to System > Profiles > IPsec profiles and click Add.
  2. Enter Name.
  3. Set Key exchange to IKEv1 and Authentication mode to Main mode.
  4. Set Key negotiation tries to 0.
  5. Select Re-key connection.
  6. Under Phase 1, set Key life to 28800, Re-key margin to 120, and Randomize re-keying margin to 100.
  7. Set the DH group (key group) to 5 (DH1536).
  8. Set Encryption to AES256 and Authentication to SHA1.


  9. Under Phase 2, set PFS group (DH group) to Same as phase-I, and Key life to 3600.
  10. Set Encryption to AES256 and Authentication to SHA1.
  11. Under Dead Peer Detection, set Check peer after every to 30 seconds and Wait for response up to as 120 seconds.
  12. Set When peer unreachable to Re-initiate.
  13. Click Save.
  14. You have created the following IPsec VPN policy.
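As an added check (not part of the Sophos article or either vendor's tooling), the following Python encodes the Phase 1 and Phase 2 values the article configures on each peer and reports any attribute whose proposals do not overlap. It assumes that Sophos "AES256" means AES-256-CBC and that "Same as phase-I" resolves to DH group 5.

```python
# Added example, not part of the Sophos article: encode the Phase 1/Phase 2
# values the article configures on each peer and report attributes whose
# proposals do not overlap. Set-valued attributes need one common member
# (IKE picks the first shared proposal); scalar attributes must be equal.

# Palo Alto: PA_IKE_Crypto and PA_IPSEC_Crypto as configured in the article.
PALO_ALTO = {
    "phase1": {"version": "ikev1", "mode": "main", "dh": {5},
               "enc": {"aes-256-cbc"}, "auth": {"sha1"}, "lifetime_s": 28800},
    "phase2": {"proto": "esp", "pfs": set(),            # DH Group: no-pfs
               "enc": {"aes-256-cbc", "aes-256-gcm"}, "auth": {"sha1"},
               "lifetime_s": 1 * 3600},                 # Lifetime: 1 hour
}

# Sophos Firewall IPsec policy as configured in the article. Assumptions:
# Sophos "AES256" is AES-256-CBC, and "Same as phase-I" means DH group 5.
SOPHOS = {
    "phase1": {"version": "ikev1", "mode": "main", "dh": {5},
               "enc": {"aes-256-cbc"}, "auth": {"sha1"}, "lifetime_s": 28800},
    "phase2": {"proto": "esp", "pfs": {5},
               "enc": {"aes-256-cbc"}, "auth": {"sha1"}, "lifetime_s": 3600},
}


def compare_proposals(a, b):
    """Return [(phase, attribute, a_value, b_value)] for every non-overlap."""
    findings = []
    for phase in ("phase1", "phase2"):
        for attr, va in a[phase].items():
            vb = b[phase][attr]
            if isinstance(va, set):
                # An empty set means the feature is off (e.g. no PFS); that
                # only matches another empty set.
                ok = bool(va & vb) or (not va and not vb)
            else:
                ok = va == vb
            if not ok:
                findings.append((phase, attr, va, vb))
    return findings


def check_article_config():
    """Compare the two peers exactly as the article configures them."""
    return compare_proposals(PALO_ALTO, SOPHOS)


if __name__ == "__main__":
    for phase, attr, pa, xg in check_article_config():
        print(f"{phase} {attr}: Palo Alto={pa or 'off'} Sophos={xg or 'off'}")
```

Running it reports the one attribute the article sets differently on the two peers, Phase 2 PFS (no-pfs on Palo Alto, Same as phase-I on Sophos), which is worth aligning before troubleshooting a Phase 2 failure.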



Configure IPsec connection

  1. Go to Configure > VPN > IPsec connections and click Add. For version 19, go to Configure > Site-to-site VPN > IPsec and click Add.
  2. Under General settings, enter Name.
  3. For IP version, select IPv4.
  4. Select Activate on save and Create firewall rule.
  5. Set Connection type to Site-to-site and Gateway type to Initiate the connection.
  6. Under Encryption, set Policy to the XG IPsec Policy you created.
  7. Set Authentication type to Preshared key. Enter and repeat the Preshared key.



  8. Under Gateway settings > Local gateway, set Listening interface to PortB – 10.198.67.249 and Local ID type to Select local ID.
  9. Under Local subnet, add the XG_Network.
  10. Under Remote gateway, set Gateway address to 10.198.66.86 and Remote ID type to Select remote ID.
  11. Under Remote subnet, add the Palo_Alto Network.
  12. Click Save.



  13. The IPsec connection is automatically activated and an automatic firewall rule is also created.


Activate IPsec connection

  1. Go to Configure > VPN > IPsec connections.
  2. Under Status, click the   under Connection to establish the connection.





[edited by: Raphael Alganes at 5:31 AM (GMT -7) on 17 Sep 2024]
  • Hello DominicRemigio,

    Why are you describing the configuration of an IPsec tunnel for IKE v1 when both Palo Alto and XG Firewall support IKE v2? Why do you describe the configuration on the old version of Palo Alto v8 (according to the screens) when v8 is already an unsupported version and the supported versions are now v9 and v10?
    I recently configured an IPsec tunnel for one customer and I know from my own experience what the current situation is. Your configuration is more than two years old. I'm sorry, but this type of tutorial will not help partners and users much.

    alda
