Sophos Firewall: Configure IPsec connection between Sophos Firewall and Cisco ASA

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes how to configure an IPsec connection between Sophos Firewall and Cisco ASA.

Product and Environment

Sophos Firewall

Configure Sophos Firewall

  1. Sign in to the web admin.
  2. Go to Profiles > IPsec profiles and click Add.
  3. Configure the following:

    Parameter                          Value
    General settings
    Name                               Enter a name. Ex. Cisco_IKEv2
    Key exchange                       IKEv2
    Authentication mode                Main mode
    Key negotiation tries              0
    Re-key connection                  Turned on
    Pass data in compressed format     Turned off
    Note: This is the recommended setting for third-party vendor connections.
    SHA2 with 96-bit truncation        Turned off
    Phase 1
    Key life                           84000
    Re-key margin                      120
    Randomize re-keying margin by      0
    DH group (key group)               2 (DH1024)
    Encryption                         AES256
    Authentication                     SHA1
    Phase 2
    PFS group (DH group)               None
    Note: Only turn it on if it is also used in Cisco ASA.
    Key life                           28000
    Encryption                         AES256
    Authentication                     SHA1
    Dead Peer Detection
    Dead Peer Detection                Turned on
    Check peer after every             30
    Wait for response up to            120
    When peer unreachable              Re-initiate

    Note: You can configure your own values, but make sure that the IPsec profiles in Sophos Firewall and Cisco ASA match.

  4. Click Save.
  5. Go to Site-to-site VPN > IPsec > IPsec connections and click Add.
  6. Configure the following:

    Parameter                          Value
    General settings
    Name                               Enter a name. Ex. Cisco
    IP version                         IPv4
    Activate on save                   Turned on
    Create firewall rule               Turned on
    Connection type                    Site-to-site
    Gateway type                       Initiate the connection
    Encryption
    Profile                            The IPsec profile that was created earlier. Ex. Cisco_IKEv2
    Authentication type                Preshared key
    Preshared key                      Enter a preshared key.
    Repeat preshared key               Repeat the preshared key.
    Gateway settings
    Listening interface                Sophos Firewall's WAN interface.
    Local subnet                       Local hosts or subnets to which you want to provide VPN access.
    Gateway address                    Cisco ASA's WAN IP address.
    Remote subnet                      Remote hosts or subnets to which you want to provide VPN access.
    Network Address Translation (NAT)  Turned off

    Note: For tunnel interfaces, you can add the traffic selectors for the local and remote subnets only if you have set the IP version to IPv4 or IPv6. Additionally, you must either select Any or specific traffic selectors for both local and remote subnets. You cannot select Any for one and a specific traffic selector for the other.

  7. Click Save.

Configure Cisco ASA

Refer to Cisco's product documentation for the configuration.

Note:

  • Make sure that the IPsec profile phase 1 and phase 2 configurations match Sophos Firewall's configuration.
  • Make sure that PFS is turned off on both sides. If PFS is used in Sophos Firewall, then it must be turned on in Cisco ASA as well, with the same group.
  • If Sophos Firewall is configured as the initiator, it is recommended to configure Cisco ASA as the responder, and the equivalent Cisco configuration for Re-key connection should be turned off.
  • In the example above, Sophos Firewall phase 1 and phase 2 Key life are configured to 84000/28000 respectively. It is recommended to configure a 1-hour higher Key life on Cisco ASA for phase 1 and phase 2, that is 87600/31600 respectively. Configuring higher phase 1 and phase 2 values on Cisco ASA allows the initiator, which is Sophos Firewall in this example, to always re-key the existing connection. This will also avoid re-key collisions between Sophos Firewall and Cisco ASA.
  • Since Cisco does not support wildcard remote gateways in combination with PSK, you need to configure Sophos Firewall's WAN IP address on Cisco ASA.
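The matching rules from the notes above, written as a small consistency check. This is an added example and not part of the Sophos article; the dictionary layout, field names and the two sample profiles are constructed for illustration, not an export from either product.

```python
ONE_HOUR = 3600
PHASE_FIELDS = {
    "phase1": ("encryption", "authentication", "dh_group"),
    "phase2": ("encryption", "authentication", "pfs_group"),
}

# Constructed Sophos Firewall side, using the profile values from the steps above.
SOPHOS_PROFILE = {
    "role": "initiator",
    "rekey": True,
    "phase1": {"encryption": "AES256", "authentication": "SHA1", "dh_group": 2, "key_life": 84000},
    "phase2": {"encryption": "AES256", "authentication": "SHA1", "pfs_group": None, "key_life": 28000},
}

# Constructed Cisco ASA side, following the recommendations in the notes.
ASA_PROFILE = {
    "role": "responder",
    "rekey": False,
    "phase1": {"encryption": "AES256", "authentication": "SHA1", "dh_group": 2, "key_life": 87600},
    "phase2": {"encryption": "AES256", "authentication": "SHA1", "pfs_group": None, "key_life": 31600},
}


def _norm(value):
    # Compare algorithm names case-insensitively; numbers and None are compared as-is.
    return value.upper() if isinstance(value, str) else value


def check_profiles(sophos, asa):
    """Return a list of problems; an empty list means the two sides are consistent."""
    problems = []
    for phase, fields in PHASE_FIELDS.items():
        for field in fields:
            if _norm(sophos[phase][field]) != _norm(asa[phase][field]):
                problems.append(f"{phase} {field} differs: Sophos={sophos[phase][field]} ASA={asa[phase][field]}")
        # The responder's key life should be at least one hour longer, so the
        # initiator always re-keys first and re-key collisions are avoided.
        expected = sophos[phase]["key_life"] + ONE_HOUR
        if asa[phase]["key_life"] < expected:
            problems.append(f"{phase} key life on ASA should be >= {expected}s, got {asa[phase]['key_life']}s")
    if sophos["role"] == "initiator":
        if asa["role"] != "responder":
            problems.append("Sophos Firewall initiates, so Cisco ASA should be configured as responder")
        if asa["rekey"]:
            problems.append("Re-keying on Cisco ASA should be turned off when Sophos Firewall is the initiator")
    return problems


if __name__ == "__main__":
    for line in check_profiles(SOPHOS_PROFILE, ASA_PROFILE) or ["OK: profiles are consistent"]:
        print(line)
```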

[edited by: emmosophos at 8:51 PM (GMT -8) on 21 Dec 2023]