Sophos Firewall: Establish IPsec RBVPN connection between Sophos Firewall and SonicWall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read describes configuring a site-to-site IPsec RBVPN tunnel between the Sophos Firewall and SonicWall firewall using a pre-shared key to authenticate VPN peers.

Product and Environment

Sophos Firewall
SonicWall SonicOS 7.0.0-R906

Prerequisites

You must have read-write permissions for the relevant features on the SFOS web admin and SonicWall web admin.

Network diagram

Configuration

Sophos Firewall

Create IPsec profile

  1. Go to Profiles > IPsec profiles and click Add.
  2. Configure the following:

    General settings
    Name: Enter a name.
      Ex. XG IPsec Policy
    Key exchange: IKEv2
    Authentication mode: Main mode
    Key negotiation tries: 0
    Re-key connection: Turned on

    Phase 1
    Key life (seconds): 28800
    Re-key margin (seconds): 360
    Randomize re-keying margin by (%): 100
    DH group (key group): 14 (DH2048)
    Encryption: AES256
    Authentication: SHA2 512

    Phase 2
    PFS group (DH group): 14 (DH2048)
    Key life (seconds): 3900
    Encryption: AES256
    Authentication: SHA2 512

    Dead Peer Detection
    Dead Peer Detection: Turned on
    Check peer after every (seconds): 30
    Wait for response up to (seconds): 120
    When peer unreachable: Re-initiate


  3. Click Save.

Create IPsec connection

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Configure the following:

    General settings
    Name: Enter a name.
      Ex. XG_to_SonicWall
    IP version: IPv4
    Connection type: Tunnel interface
    Gateway type: Respond only
    Activate on save: Turned on
    Create firewall rule: Turned on

    Encryption
    Profile: Select the IPsec profile you created earlier.
      Ex. XG IPsec Policy
    Authentication type: Preshared key
    Preshared key: Enter a preshared key.
    Repeat preshared key: Repeat the preshared key.

    Gateway settings
    Listening interface: Select your WAN port/IP address.
      Ex. PortB – 30.1.1.1
    Local subnet: Any
    Gateway address: Enter the remote WAN IP address.
      Ex. 30.1.1.2
    Remote subnet: Any

    Advanced
    User authentication mode: None


  3. Click Save. The IPsec connection is activated automatically, and a firewall rule for it is also created automatically.

Configure xfrm interface

  1. Go to Network > Interfaces and edit the xfrm interface that was created.
  2. Configure the following:

    IPv4/netmask: Enter the IP address and netmask.
      Ex. 4.4.4.4 and /24 (255.255.255.0)

  3. Click Save.

Configure static routing

  1. Go to Routing > Static routes and click Add under IPv4 unicast route section.
  2. Configure the following:

    Destination IP / Netmask: Enter the remote LAN network IP address and netmask.
      Ex. 192.168.1.0 and /24 (255.255.255.0)
    Interface: Select the xfrm interface that was created earlier.
      Ex. xfrm2-4.4.4.4
    Distance: 1

  3. Click Save.

SonicWall

Configure the interface

  1. Go to Network > System > Interfaces > X3.
  2. Configure the WAN as 30.1.1.2/24 and turn on Ping.
  3. Go to Network > System > Interfaces > X4.
  4. Configure the LAN as 192.168.1.2/24 and turn on Ping.

Create Address Object

  1. Go to Object > Addresses and click Add.
  2. Configure the remote LAN using the following values and click OK.

    Remote LAN

    Name: Enter a name.
      Ex. XG_LAN
    Zone Assignment: VPN
    Type: Network
    Network: Enter the remote LAN network IP address.
      Ex. 172.16.1.0
    Netmask/Prefix Length: Enter the netmask of the remote LAN network.
      Ex. 255.255.255.0

Turn on VPN

  1. Go to Network > IPsec VPN > Rules and Settings > Settings.
  2. Turn on Enable VPN.
  3. Go to System > Administration > Firewall Name and enter a value in Unique Firewall Identifier.

Create VPN policies

  1. Go to Network > IPsec VPN > Rules and Settings > Policies and click Add.
  2. In the General tab, configure the following:

    Security Policy
    Policy Type: Tunnel Interface
    Authentication Method: IKE using Preshared Secret
    Name: Enter a name.
      Ex. Tunnel to XG Firewall
    IPsec Primary Gateway Name or Address: Enter the Sophos Firewall WAN IP address.
      Ex. 30.1.1.1
    IPsec Secondary Gateway Name or Address: 0.0.0.0

    IKE Authentication
    Shared Secret: Enter the same preshared key configured on Sophos Firewall.
    Confirm Shared Secret: Repeat the preshared key.
    Local IKE ID: IPv4 Address
    Peer IKE ID: IPv4 Address


  3. In the Proposals tab, configure the following:

    IKE (Phase 1) Proposal
    Exchange: IKEv2 Mode
    DH Group: Group 14
    Encryption: AES256
    Authentication: SHA512
    Life Time (seconds): 26000

    IPsec (Phase 2) Proposal
    Protocol: ESP
    Encryption: AES256
    Authentication: SHA512
    Enable Perfect Forward Secrecy: Turned on
    DH Group: Group 14
    Life Time (seconds): 3800

    Note: Phase 1 and Phase 2 Life Time are configured with slightly lower values on SonicWall since it is the initiator. This will avoid re-key collisions.

  4. In the Advanced tab, configure the following:

    Enable Keep-Alive: Turned on (this setting makes SonicWall the initiator of the IPsec tunnel)
    Enable Windows Networking (NetBIOS) Broadcast: Turned on
    WXA Group: None
    Default LAN Gateway (optional): 0.0.0.0
    VPN Policy bound to: Select your WAN interface.
      Ex. Interface X3

  5. Click OK.

Check packet filter rules

These rules are added automatically. To verify, go to Policy > Access Rules, click the Matrix icon, and choose VPN to LAN or LAN to VPN.

Configure static routing

  1. Go to Policy > Routing Rules > Add.
  2. Configure the following:

    Name: Enter a name.
      Ex. to_remote_lan
    Source: Any
    Destination: Select the remote LAN address object that you created earlier.
      Ex. XG_LAN
    Service Object: Any
    Next hop: Standard route
    Interface: Select the tunnel interface that was created earlier.
      Ex. Tunnel to XG Firewall
    Metric: 1

Activate the connection

Sophos Firewall

  1. Go to Site-to-site VPN > IPsec.
  2. Click the red button under Connection and click OK to establish the connection.
  3. The button should turn green, indicating that the connection is established.

SonicWall

  1. Go to VPN > Settings > VPN Policies.
  2. Select the connection and click Add.
  3. Make sure the tunnel is enabled in the Policies tab and that it shows under the Active Tunnels tab.

Verification

Run a ping test from the client behind Sophos Firewall to the client behind SonicWall.

Example:

From the client behind Sophos Firewall, ping 192.168.1.1. These packets should go through the IPsec tunnel. This can be verified by running tcpdump -n esp on the Sophos Firewall console.
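To make that tcpdump check repeatable, here is an added example that is not part of the original article and not Sophos or SonicWall tooling: a Python script that parses the lines `tcpdump -n esp` prints, counts ESP packets in each direction between the two gateway addresses used in this article (30.1.1.1 on Sophos Firewall and 30.1.1.2 on SonicWall), lists the SPIs seen, and reports the tunnel as established only when ESP is observed in both directions. The capture lines are constructed for the example in tcpdump's ESP output format; the address 198.51.100.9 is a made-up third party included to show how ESP from a peer other than the configured gateway address gets flagged rather than counted as tunnel traffic.

```python
"""Check a `tcpdump -n esp` capture for a working site-to-site tunnel.

Added example for this article; not Sophos or SonicWall code. The gateway
addresses come from the article; the capture text is constructed.
"""
import re
import sys

# Constructed sample in the format tcpdump prints for ESP packets. The last
# line is a made-up third party (198.51.100.9) that is not the configured peer.
SAMPLE_CAPTURE = """\
10:21:03.118201 IP 30.1.1.1 > 30.1.1.2: ESP(spi=0xc1a2b3d4,seq=0x1), length 132
10:21:03.119877 IP 30.1.1.2 > 30.1.1.1: ESP(spi=0x0e9f8a7b,seq=0x1), length 132
10:21:04.120015 IP 30.1.1.1 > 30.1.1.2: ESP(spi=0xc1a2b3d4,seq=0x2), length 132
10:21:04.121640 IP 30.1.1.2 > 30.1.1.1: ESP(spi=0x0e9f8a7b,seq=0x2), length 132
10:21:05.000312 IP 30.1.1.1 > 30.1.1.2: ESP(spi=0xc1a2b3d4,seq=0x3), length 132
10:21:06.455901 IP 198.51.100.9 > 30.1.1.1: ESP(spi=0xdeadbeef,seq=0x1), length 100
"""

LOCAL_WAN = "30.1.1.1"   # Sophos Firewall listening interface (from the article)
PEER_WAN = "30.1.1.2"    # SonicWall WAN address (from the article)

ESP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<length>\d+)$"
)


def parse_esp(text):
    """Return one dict per ESP line; lines that are not ESP (IKE, ARP, ...) are skipped."""
    records = []
    for line in text.splitlines():
        m = ESP_LINE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "spi": int(m.group("spi"), 16),
            "seq": int(m.group("seq"), 16),
            "length": int(m.group("length")),
        })
    return records


def summarize_tunnel(records, local_ip, peer_ip):
    """Count ESP per direction for the configured gateway pair.

    The tunnel is reported as established only when ESP was seen in both
    directions. ESP involving any other address is collected separately, since
    the connection was configured with a single gateway address and such
    packets are not part of this tunnel.
    """
    summary = {
        "outbound": 0, "inbound": 0,
        "outbound_spis": set(), "inbound_spis": set(),
        "unexpected_peers": set(),
    }
    for r in records:
        if r["src"] == local_ip and r["dst"] == peer_ip:
            summary["outbound"] += 1
            summary["outbound_spis"].add(r["spi"])
        elif r["src"] == peer_ip and r["dst"] == local_ip:
            summary["inbound"] += 1
            summary["inbound_spis"].add(r["spi"])
        else:
            other = r["dst"] if r["src"] == local_ip else r["src"]
            summary["unexpected_peers"].add(other)
    summary["established"] = summary["outbound"] > 0 and summary["inbound"] > 0
    return summary


if __name__ == "__main__":
    # Pass a saved tcpdump text file as the first argument, else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    s = summarize_tunnel(parse_esp(text), LOCAL_WAN, PEER_WAN)
    print(f"outbound ESP: {s['outbound']} (SPIs {[hex(x) for x in s['outbound_spis']]})")
    print(f"inbound  ESP: {s['inbound']} (SPIs {[hex(x) for x in s['inbound_spis']]})")
    print("tunnel established:", s["established"])
    if s["unexpected_peers"]:
        print("ESP seen with addresses other than the configured gateway:",
              sorted(s["unexpected_peers"]))
```

Save the console output of `tcpdump -n esp` to a file and pass its path as the first argument; with no argument the script runs against the embedded sample. One SPI per direction is the normal picture for a single tunnel; a second SPI appearing in a direction during a capture usually corresponds to a re-key of that Child SA.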




Updated "VPN Policy bound to" to include "Select your WAN interface."
[edited by: DominicRemigio at 1:25 AM (GMT -8) on 30 Jan 2024]
  • SonicWall steps above build a Site to Site VPN instead of Tunnel.  This prevents the setting of the routing section and you have a tunnel that is PB on one end and RB on the other. I could partially pass traffic, as I am routing to two networks on each end.  One network was good, the other showed not connected from the SonicWall end.

    To correct this, 

    SonicWall > Create VPN policies, Step 2

    Set Policy Type to Tunnel Interface instead of Site to Site

    Because I’m using Tunnel, instead of Site to Site, there is no Networks tab (SonicWall Step 3)

    Step 5, the Advanced tab, there is no Zone WAN option now because we are using Tunnel.  I selected Interface X1 as that’s my WAN interface.

    Now I can add my static routes because the TUNNEL interface is available to select.

    Another helpful tip - SonicOS changes navigation a lot between SonicOS 6.5 on TZ, SonicOS 6.5 on NSA and SonicOS 7. It would be nice if Sophos indicated which SonicOS their steps apply to.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • Thank you for noticing. This has been updated.