Sophos Firewall: Connect Cloudflare Magic WAN and Sophos Firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read describes how to connect Cloudflare Magic WAN and Sophos Firewall via route-based VPN (RBVPN) IPsec and GRE tunnel connections.

Note: Only RBVPN IPsec connections using IPv4 are supported. IPv6 traffic selectors aren’t supported on Cloudflare.

Sophos form factor tested

  • Sophos Firewall hardware
  • Sophos Firewall virtual appliance on VMware

Sophos software versions tested

  • SFOS Version 19.0 MR2-Build 472
  • SFOS Version 19.5.1 MR1-Build 278

Overview of Magic WAN

Magic WAN provides secure, performant connectivity and routing for your entire corporate network, reducing cost and operational complexity. Magic Firewall integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at the edge, across traffic from any entity within your network.

With Magic WAN, you can securely connect any traffic source, such as data centers, offices, devices, and cloud properties, to Cloudflare’s network and configure routing policies to get the bits where they need to go, all within one SaaS solution.

Magic WAN supports a variety of on-ramps, including Anycast GRE or IPsec tunnels, Cloudflare Network Interconnect, Cloudflare Tunnel, WARP, and a variety of Network On-ramp Partners.

Deployment options

  • Single tunnel.
  • High-availability tunnels.
  • Cloudflare as the default route for all traffic.
  • Route internet traffic through the Cloudflare SASE platform.
  • Route geo-located intranet traffic through the Cloudflare SASE platform.

Cloudflare options for GRE and IPsec tunnels (all parameters)

IPsec

Compatible parameters

IPsec phase 1

Encryption:

  • AES-GCM-16 with 128-bit or 256-bit key length
  • AES-CBC with 256-bit key length

Integrity (Authentication):

  • SHA2-256

Diffie-Hellman group:

  • DH group 1 (768-bit MODP group)
  • DH group 2 (1024-bit MODP group)
  • DH group 5 (1536-bit MODP group)
  • DH group 14 (2048-bit MODP group)

Pseudorandom function (PRF):

  • SHA2-256
  • SHA2-384
  • SHA2-512

IPsec phase 2

Encryption:

  • AES-GCM-16 with 128-bit or 256-bit key length
  • AES-CBC with 256-bit key length

Integrity (Authentication):

  • SHA2-256
  • SHA-1

PFS group (Phase 2 Diffie-Hellman Group):

  • DH group 1 (768-bit MODP group)
  • DH group 2 (1024-bit MODP group)
  • DH group 5 (1536-bit MODP group)
  • DH group 14 (2048-bit MODP group)

Other required IPsec parameters

  • Internet Key Exchange version 2 (IKEv2)
  • PSK authentication (Preshared key)
  • Disable anti-replay protection

Optional IPsec parameters

  • 4-hour rekey time
  • Null encryption: Don’t use this option unless it’s necessary. It lowers security because IPsec traffic won’t be encrypted. You must explicitly opt-in to use this option.
  • NAT-T support

Steps

  1. Sign in to Cloudflare.
  2. From the main Navigation Tree, find Magic WAN.

    Note: If Magic WAN isn’t present in the menu, your account may not have the required entitlements yet, or the account you’ve signed in with may not have the correct privileges.

  3. Select Manage Magic WAN configuration from the main view:



  4. Select the Tunnels tab and click +Create.



  5. Select IPsec tunnel and click Next.


  6. To configure your first IPsec tunnel, you need the following information:

    Interface address: A 31-bit subnet (/31 in CIDR notation) supporting two hosts must be specified as the Interface address from the following private IP address space:

    • 10.0.0.0–10.255.255.255
    • 172.16.0.0–172.31.255.255
    • 192.168.0.0–192.168.255.255
    • 169.254.244.0/20

    Customer endpoint: Your side of the configured tunnel, that is, an available static public IP address from your ISP.

    Cloudflare endpoint: One of the two Anycast IP addresses your Cloudflare account team provided to you.

    Preshared key (PSK): An alphanumeric string used to authenticate the site-to-site IPsec VPN. As a security best practice, we recommend generating a strong PSK with over 32 characters.

    An example of a configured tunnel is as follows:



    You can add additional tunnels using the same or the second Anycast IP address provided by your Cloudflare account team.

  7. Static route configuration is required for the Cloudflare network to route outbound traffic between your configured Magic WAN sites, consisting of branch offices, data centers, or cloud locations. For an example, see the diagram below:

    Select the Static Routes tab from the Magic WAN UI and click +Create to add a static route configuration for the tunnels you created in step 6.




  8. Add a static route for the LAN segments you want users to access through the configured tunnel. Enter a description, the LAN subnet in CIDR format, and select a tunnel for the next hop. See the following example:



    (Optional) You can enter the Priority (default: 100), Weight, and Region code for each route.

    Priority influences how traffic is routed to the customer network from Cloudflare. A lower value has higher priority.

    You can use the weight to send a certain amount of traffic over one tunnel rather than over another. For example, if you have two tunnels, a weight of 2 will send twice as much traffic through one tunnel versus the other. You may prefer this if one ISP connection has more bandwidth than the other.

  9. Add any other applicable static routes for LAN segments on your network.

    Note: You must configure a route on Sophos Firewall. We recommend using SD-WAN routes to ensure tunnel health checks can route back to Cloudflare through the public internet rather than the tunnel.

  10. For detailed information and configuration help, see Cloudflare Magic WAN.

GRE

Steps

  1. Sign in to Cloudflare.
  2. From the main Navigation Tree, find Magic WAN.

    Note: If Magic WAN isn’t present in the menu, your account may not have the required entitlements yet, or the account you’ve signed in with may not have the correct privileges.

  3. Select Manage Magic WAN configuration from the main view:



  4. Select the Tunnels tab and click +Create.



  5. Select GRE tunnel and click Next.



  6. To configure your first GRE tunnel, you need the following information:

    Interface address: A 31-bit subnet (/31 in CIDR notation) supporting two hosts must be specified as the Interface address from the following private IP address space:

    • 10.0.0.0–10.255.255.255
    • 172.16.0.0–172.31.255.255
    • 192.168.0.0–192.168.255.255
    • 169.254.244.0/20

    Customer endpoint: Your side of the configured tunnel, that is, an available static public IP address from your ISP.

    Cloudflare endpoint: One of the two Anycast IP addresses your Cloudflare account team provided to you.

    An example of a configured tunnel is as follows:



    You can add additional tunnels using the same or the second Anycast IP address provided by your Cloudflare account team.

  7. Static route configuration is required for the Cloudflare network to route outbound traffic between your configured Magic WAN sites, consisting of branch offices, data centers, or cloud locations. For an example, see the diagram below:

    Select the Static Routes tab from the Magic WAN UI and click +Create to add a static route configuration for the tunnels you created in step 6.




  8. Add a static route for the LAN segments you want users to access through the configured tunnel. Enter a description, the LAN subnet in CIDR format, and select a tunnel for the next hop. See the following example:



    (Optional) You can enter the Priority (default: 100), Weight, and Region code for each route.

    Priority influences how traffic is routed to the customer network from Cloudflare. A lower value has higher priority.

    You can use the weight to send a certain amount of traffic over one tunnel rather than over another. For example, if you have two tunnels, a weight of 2 will send twice as much traffic through one tunnel versus another. You may prefer this if one ISP connection has more bandwidth than the other.

  9. Add any other applicable static routes for LAN segments on your network.

    Note: You must configure a route on Sophos Firewall. We recommend using SD-WAN routes to ensure tunnel health checks can route back to Cloudflare through the public internet rather than the tunnel.

  10. For detailed information and configuration help, see Cloudflare Magic WAN.
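The /31 interface-address rule and the Priority and Weight route settings from the IPsec and GRE tunnel steps above, as an added Python example that is not part of this article and is not Cloudflare's or Sophos's own tooling. It checks that a chosen interface address is a /31 inside the listed private space, derives the second host of the /31, and works out how Magic WAN would share traffic for one prefix across routes by priority and weight. It assumes that the Interface address entered in the Magic WAN tunnel form is the Cloudflare side and that the other /31 host is the one you assign to the Sophos Firewall xfrm or GRE interface, and that a route without an explicit weight counts as weight 1; the function and variable names are the example's own. Note that 169.254.244.0/20 as listed is not block-aligned, so the example normalises it to the /20 that contains it.

```python
import ipaddress

# Private space Magic WAN accepts for a tunnel interface address, as listed
# in step 6 above. 169.254.244.0/20 as written has host bits set, so
# strict=False normalises it to the /20 that contains it (169.254.240.0/20).
ALLOWED_INTERFACE_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.244.0/20", strict=False),
]


def tunnel_endpoints(interface_cidr):
    """Validate a Magic WAN interface address and return both hosts of its /31.

    interface_cidr is the address entered as the tunnel's Interface address,
    assumed (example's assumption) to be the Cloudflare side, e.g. "10.255.0.1/31".
    Rejects IPv6, anything that is not a /31, and anything outside the
    allowed private space.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    if iface.version != 4:
        raise ValueError("Magic WAN tunnel interface addresses must be IPv4")
    if iface.network.prefixlen != 31:
        raise ValueError(f"interface address must be a /31, got /{iface.network.prefixlen}")
    if not any(iface.network.subnet_of(space) for space in ALLOWED_INTERFACE_SPACE):
        raise ValueError(f"{iface.network} is outside the allowed private address space")
    # A /31 (RFC 3021) holds exactly two hosts: the one supplied and its
    # neighbour, which is the address to assign to the Sophos Firewall
    # xfrm (IPsec) or GRE interface.
    first, second = iface.network
    cloudflare_side = iface.ip
    customer_side = second if cloudflare_side == first else first
    return {
        "network": str(iface.network),
        "cloudflare_interface": str(cloudflare_side),
        "customer_interface": str(customer_side),
    }


def is_valid_interface_address(interface_cidr):
    """True if tunnel_endpoints() accepts the address, False otherwise."""
    try:
        tunnel_endpoints(interface_cidr)
        return True
    except ValueError:
        return False


def traffic_share(routes):
    """Share of traffic each tunnel carries for one prefix, by priority and weight.

    routes: Magic WAN static routes for the same prefix, each a dict with
    "tunnel", "priority" (default 100, lower value wins) and "weight".
    Only routes at the lowest priority carry traffic; among them traffic is
    split in proportion to weight, so weights 2 and 1 give a 2:1 split.
    A route with no weight is assumed (example's assumption) to count as 1.
    """
    if not routes:
        raise ValueError("no routes given")
    best = min(r.get("priority", 100) for r in routes)
    active = [r for r in routes if r.get("priority", 100) == best]
    total = sum(r.get("weight", 1) for r in active)
    return {r["tunnel"]: r.get("weight", 1) / total for r in active}


if __name__ == "__main__":
    print(tunnel_endpoints("10.255.0.1/31"))
    print(traffic_share([
        {"tunnel": "ipsec-isp1", "priority": 100, "weight": 2},
        {"tunnel": "ipsec-isp2", "priority": 100, "weight": 1},
        {"tunnel": "ipsec-backup", "priority": 200, "weight": 1},
    ]))
```

The customer_interface value is what you later give the xfrm interface (IPsec, step 3 of the Sophos section) or the local-ip of the GRE tunnel, while cloudflare_interface is the peer address used as the gateway IP of the SD-WAN custom gateway.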

Sophos Firewall options for GRE and IPsec tunnels (all parameters)

IPsec

  1. Add an IPsec Profile:
    1. Go to Profiles > IPsec profiles.
    2. Click Add.
    3. In the General settings, configure as follows:
      1. Name: Give your profile a descriptive name.
      2. Key exchange: IKEv2
      3. Authentication mode: Main mode
    4. In Phase 1, configure as follows:
      1. DH group (key group): 14 (DH2048)
      2. Encryption: AES256
      3. Authentication: SHA2 256
    5. In Phase 2, configure as follows:
      1. PFS group (DH group): Same as phase-1
      2. Key life: 3600
      3. Encryption: AES256
      4. Authentication: SHA2 256
    6. In Dead Peer Detection, configure as follows:
      1. Dead Peer Detection: Selected
      2. When peer unreachable: Re-initiate
    7. Click Save.

      Example:



      For more details about Cloudflare-supported parameters, see Cloudflare: Set up IPSec tunnels.

  2. Create IPsec connection tunnel:
    1. Go to Site-to-site VPN > IPsec.
    2. In IPsec connections, click Add.
    3. In General settings, configure as follows:
      1. Name: Give your site-to-site VPN a descriptive name.
      2. Connection type: Tunnel interface
      3. Gateway type: Initiate the connection
    4. In Encryption, configure as follows:
      1. Authentication type: Preshared key
    5. In Gateway settings, configure as follows:
      1. Gateway address: The Cloudflare Anycast IP address provided by your Cloudflare account team.

      Example:



      After setting up your IPsec VPN tunnel, it’ll appear on the IPsec connections list with an Active status.



  3. Assign the xfrm interface address:

    You must use an interface address from the /31 subnet required to configure tunnel endpoints on Magic WAN. See Cloudflare: Configure tunnel endpoints.

    1. Go to Network > Interfaces.
    2. Select the interface corresponding to the IPsec tunnel you created in step 2, then edit it to assign an address from the /31 subnet required to configure tunnel endpoints. See Cloudflare: Configure tunnel endpoints.



  4. Add firewall rule:

    Create a firewall rule with your organization's criteria and security policies that allows traffic to flow between Sophos Firewall and Magic WAN.

    1. Go to Rules and policies > Firewall rules.
    2. Click IPv4, then Add firewall rule > New firewall rule.

      Example:



  5. Turn off IPsec anti-replay on Sophos Firewall:

    You’ll have to turn off IPsec Anti-Replay on your Sophos Firewall. Changing the anti-replay settings restarts the IPsec service, which causes tunnel-flap for all IPsec tunnels. This will also turn off IPsec anti-replay protection for all VPN connections globally. Plan these changes accordingly.

    Configure according to the SFOS version you’re using:

    SFOS 19.0 MR2-Build 472, 19.5 MR1-Build 278, or later versions

    1. Sign in to the CLI.
    2. Enter 4 for the Device console.
    3. Run the following command:

      set vpn ipsec-performance-setting anti-replay window-size 0



    Older SFOS versions

    Contact Sophos Support.

GRE

  1. Configure a GRE tunnel between Sophos Firewall and the Cloudflare Anycast IP address:
    1. Sign in to the CLI.
    2. Enter 4 for the Device console.
    3. Run the following command:

      Syntax:

      system gre tunnel add name <NAME_OF_YOUR_GRE_TUNNEL> local-gw <WAN_PORT> remote-gw <REMOTE_GATEWAY_IP_ADDRESS> local-ip <LOCAL_IP_ADDRESS> remote-ip <REMOTE_IP_ADDRESS>



      For more information, see Sophos Firewall: Configure a GRE tunnel.

  2. Add a GRE or SD-WAN route to redirect traffic through the GRE tunnel. See Traffic redirection mechanism on Sophos Firewall.
  3. Add a firewall rule for LAN/DMZ to VPN:

    Create a firewall rule with the criteria and security policies of your organization that allows traffic to flow between Sophos Firewall and Magic WAN. This firewall rule should have the required networks and services.

    1. Go to Rules and policies > Firewall rules.
    2. Click IPv4, then Add firewall rule > New firewall rule.

      Example:



Traffic redirection mechanism on Sophos Firewall

To redirect traffic, add a static or SD-WAN route.

IPsec

Static route

  1. Go to Routing > Static routes to add an xfrm interface-based route.

    The interface will be automatically created when you set up a tunnel interface (RBVPN) IPsec connection, such as the Cloudflare_MWAN from the example above.

    Example:



SD-WAN route

  1. Go to Routing > Gateways to create a custom gateway on the xfrm interface.

    The interface will be automatically created when you set up a tunnel interface (RBVPN) IPsec connection, such as the Cloudflare_MWAN from the example above.

    Example:



  2. Go to Routing > SD-WAN routes.
  3. Click IPv4, then click Add to add the desired networks and services in the route to redirect traffic to Cloudflare.
  4. Configure the following settings:
    1. Name: Enter a descriptive name for your connection.
    2. Incoming interface: Select the incoming interface.
    3. Source networks: Configure the source networks.
    4. Primary and Backup gateways: Selected
    5. Primary gateway: Select the primary gateway.


GRE

Add a GRE or SD-WAN route or both.

GRE route

  1. Sign in to the CLI.
  2. Enter 4 for the Device console.
  3. Add the route by running the following command:

    Syntax:

    system gre route add net <network/subnet> tunnelname <tunnel name>

    Example:

SD-WAN route

  1. Go to Routing > SD-WAN routes.
  2. Add a custom gateway on GRE with the peer IP address (from the /31 subnet you chose earlier) as the gateway IP address and turn off the health check.

    Example:



  3. Go to Routing > SD-WAN routes.
  4. Click IPv4, then click Add to add the desired networks and services in the route to redirect traffic to Cloudflare.
  5. Configure the following settings:
    1. Name: Enter a descriptive name for your connection.
    2. Incoming interface: Select the incoming interface.
    3. Source networks: Configure the source networks.
    4. Primary and Backup gateways: Selected
    5. Primary gateway: Select the primary gateway.

      Example:


Verification of tunnel status on Cloudflare dashboard

You can check if your tunnels are healthy on the Cloudflare dashboard.

  1. Sign in to Cloudflare, and choose your account.
  2. Go to Magic WAN > Tunnel health, and select View.

    This dashboard shows the global view of tunnel health as measured from all Cloudflare locations. If the tunnels are healthy on your side, you’ll see most of the co-locations in “up” status. It’s normal for a subset of these locations to show tunnel status as degraded or unhealthy since the internet isn’t homogenous. Intermediary path issues between Cloudflare and your network can cause interruptions for specific paths.



To make Cloudflare health checks work:

  1. The ICMP probe packet from Cloudflare must be an "ICMP request" type with anycast source IP. In the following example, we've used 172.64.240.252 as a target:

    Note: Consult the Cloudflare account/support team to make these changes for your account.


    curl --request PUT \
      --url api.cloudflare.com/.../<account_identifier>/magic/ipsec_tunnels/<tunnel_identifier> \
      --header 'Content-Type: application/json' \
      --header 'X-Auth-Email: <YOUR_EMAIL>' \
      --header 'X-Auth-Key: <YOUR_API_KEY>' \
      --data '{
        "health_check": {
          "enabled": true,
          "target": "172.64.240.252",
          "type": "request",
          "rate": "mid"
        }
      }'


  2. Go to Network > Interfaces > Add alias. Add the IP address provided by Cloudflare for the ICMP probe traffic. This is needed to prevent Sophos Firewall from dropping the probes as spoofed packets. This isn’t the same IP used to create the VPN; it is a special IP address for probe traffic only.



  3. The ICMP reply from Sophos Firewall must go back through the same tunnel on which the probe packets were received, so you’ll need to create an additional SD-WAN policy route.

    Example:



    The packet flow will look like the following:

    SF01V_SO01_SFOS 19.5.0 GA-Build197# tcpdump -nn proto 1 
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode 
    listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes 
     
    13:09:55.500453 xfrm1, IN: IP 172.70.51.31 >172.64.240.252: ICMP echo request, id 33504, seq 0, length 64 
    13:09:55.500480 xfrm1, OUT: IP 172.64.240.252 >172.70.51.31: ICMP echo reply, id 33504, seq 0, length 64 
     
    13:09:55.504669 xfrm1, IN: IP 172.71.29.66 >172.64.240.252: ICMP echo request, id 60828, seq 0, length 64 
    13:09:55.504695 xfrm1, OUT: IP 172.64.240.252 >172.71.29.66: ICMP echo reply, id 60828, seq 0, length 64
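The symmetry check described in step 3, as an added Python example that is not part of this article and not SFOS functionality. It parses the ICMP lines of an SFOS tcpdump capture in the format shown above and confirms that each inbound probe to the health-check target was answered on the same interface the request arrived on. The first sample capture is the packet lines from the output above; the second is a constructed failure case, with an assumed WAN port name Port2, in which one reply leaves on the wrong interface and one probe is never answered. Function and regex names are the example's own.

```python
import re

# Sample capture: the four ICMP lines from the tcpdump output above, with the
# tcpdump banner lines kept to show that the parser ignores non-packet lines.
GOOD_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
13:09:55.500453 xfrm1, IN: IP 172.70.51.31 >172.64.240.252: ICMP echo request, id 33504, seq 0, length 64
13:09:55.500480 xfrm1, OUT: IP 172.64.240.252 >172.70.51.31: ICMP echo reply, id 33504, seq 0, length 64
13:09:55.504669 xfrm1, IN: IP 172.71.29.66 >172.64.240.252: ICMP echo request, id 60828, seq 0, length 64
13:09:55.504695 xfrm1, OUT: IP 172.64.240.252 >172.71.29.66: ICMP echo reply, id 60828, seq 0, length 64
"""

# Constructed failure case (not from the article): one reply leaves via the
# WAN port instead of the tunnel, and one probe gets no reply at all.
# "Port2" is an assumed WAN port name.
BAD_CAPTURE = """\
13:10:01.000100 xfrm1, IN: IP 172.70.51.31 >172.64.240.252: ICMP echo request, id 33504, seq 1, length 64
13:10:01.000140 Port2, OUT: IP 172.64.240.252 >172.70.51.31: ICMP echo reply, id 33504, seq 1, length 64
13:10:01.004200 xfrm1, IN: IP 172.71.29.66 >172.64.240.252: ICMP echo request, id 60828, seq 1, length 64
"""

# Matches the SFOS tcpdump line layout shown above: timestamp, interface,
# direction, addresses, ICMP echo type, id and seq.
PACKET_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>[^,]+),\s+(?P<dir>IN|OUT):\s+IP\s+"
    r"(?P<src>[\d.]+)\s*>\s*(?P<dst>[\d.]+):\s+ICMP echo (?P<kind>request|reply),"
    r"\s+id (?P<id>\d+),\s+seq (?P<seq>\d+)"
)


def parse_icmp(capture):
    """Turn the ICMP echo lines of a capture into dicts; other lines are skipped."""
    packets = []
    for line in capture.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["id"], p["seq"] = int(p["id"]), int(p["seq"])
            packets.append(p)
    return packets


def check_probe_symmetry(capture, probe_target):
    """Pair each inbound echo request for probe_target with its outbound reply.

    A probe is 'answered' only if the reply goes back to the prober on the
    same interface the request came in on; a reply that leaves on another
    interface is 'wrong_interface'; a request with no reply is 'unanswered'.
    Probes are keyed by (ICMP id, seq).
    """
    pending = {}
    report = {"answered": [], "wrong_interface": [], "unanswered": []}
    for p in parse_icmp(capture):
        key = (p["id"], p["seq"])
        if p["kind"] == "request" and p["dir"] == "IN" and p["dst"] == probe_target:
            pending[key] = p
        elif p["kind"] == "reply" and p["dir"] == "OUT" and p["src"] == probe_target:
            req = pending.get(key)
            if req is None or req["src"] != p["dst"]:
                continue  # reply with no matching request in this capture
            del pending[key]
            if req["iface"] == p["iface"]:
                report["answered"].append(key)
            else:
                report["wrong_interface"].append((key, req["iface"], p["iface"]))
    report["unanswered"] = sorted(pending)
    return report


if __name__ == "__main__":
    print(check_probe_symmetry(GOOD_CAPTURE, "172.64.240.252"))
    print(check_probe_symmetry(BAD_CAPTURE, "172.64.240.252"))
```

A non-empty wrong_interface list is the signature of the missing SD-WAN policy route from step 3 (replies escaping via the WAN port); a non-empty unanswered list points at the alias from step 2 or a firewall rule dropping the probe.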

Verification of tunnel status on Sophos Firewall dashboard

IPsec

The tunnel status is green.



The corresponding XFRM interface shows a Connected status.

GRE

Status is Enabled.


Troubleshooting

  1. If the tunnel shows Connected status at both ends but the tunnel isn't established, check whether the IPsec profile configuration is correct.
  2. Make sure the corresponding tunnel interfaces are up.
  3. Make sure routing configuration and route precedence are correctly set on SFOS.
  4. Make sure a static back route is added on Cloudflare.
  5. Make sure that the IPsec Gateway type of Sophos Firewall is set to Initiate the connection. When the connection is initiated from Sophos Firewall, Cloudflare responds. But if the Gateway type on Sophos Firewall is set to Respond only, there's no mechanism for Cloudflare to initiate the connection.
  6. Firewall rules for specific zones and hosts or services must be added in SFOS. GRE and IPsec belong to the VPN zone.
  7. Run tcpdump to see if packets are going through the VPN or GRE tunnel as expected.
  8. Run a packet capture on Cloudflare to see if traffic reaches the platform.

Related information

Cloudflare: Sophos Firewall




[edited by: Erick Jan at 4:26 PM (GMT -7) on 26 Sep 2023]