Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
Route-based VPNs (RBVPN) are IPsec connections that encrypt and encapsulate all traffic going to the XFRM interface. You can create route-based VPN connections for IPv4 and IPv6 protocols between two Sophos Firewall devices, between Sophos Firewall and a third-party firewall, or with a cloud VPN gateway such as GCP.
GCP Classic VPN supports multiple CIDR blocks for traffic selectors with IKEv2, but it uses a single Child SA for all CIDR blocks. However, Sophos Firewall configured with policy-based VPN does not support multiple CIDR blocks in a single Child SA with IKEv2. Therefore, it is recommended to use route-based VPNs instead of policy-based VPNs to support such a scenario.
This article describes how to configure a Route-based IPsec VPN connection between Sophos Firewall and GCP.
Select Classic VPN and click Continue.
Enter the following details for VPN gateway section:
Rename this cloned IKEv2 profile as GCP_IKEv2. Under Phase 1, deselect other DH groups and only keep 14 (DH2048) DH group selected and save the changes.
Go to Site-to-site VPN > IPsec and click Add under the IPsec connections section to create a new IPsec VPN tunnel.
This will connect the IPsec VPN tunnel and show green status.
Go to CONFIGURE > Network > Interfaces and it will show you the xfrm interface automatically created for this VPN tunnel.
Click the xfrm interface and configure a dummy private IPv4 address that does not overlap with your existing on-premises or GCP-side VPC network.Click Save.
Enter the Destination IP as the network IP address of the GCP-side VPC network with the correct CIDR block selected.Select the xfrm interface from the list of interfaces and click Save.
Configure Destination zones as VPN.Configure and select the IP host network object for the GCP side VPC network as the Destination networks.Optionally, you may turn on authentication and security/scanning features such as AV, IPS, and synchronized security.Click Save.
You can create a similar rule for the inbound traffic with the source and destination zones and networks interchanged compared to the previous rule so that the traffic initiated from the GCP side can successfully communicate with Sophos Firewall local resources.
For any additional queries, please contact firstname.lastname@example.org.