Sophos Firewall: Configure a Site-to-site IPsec VPN connection between Sophos Firewall and UTM using a preshared key

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read contains the steps to configure a Site-to-site IPsec VPN connection between Sophos Firewall and Sophos UTM using a preshared key as an authentication method for VPN peers.

Product and Environment

Sophos Firewall

Network diagram

Configuring Sophos Firewall

Adding local and remote LAN

  1. Go to Hosts and Services > IP host and select Add to create the local LAN as follows:

    Setting       Value
    Name          XG_LAN
    IP version    IPv4
    Type          Network
    IP address    192.10.10.0
    Subnet        /24 (255.255.255.0)


  2. Click Save.
  3. Go to Hosts and Services > IP host and select Add to create the remote LAN as follows:

    Setting       Value
    Name          SG_LAN
    IP version    IPv4
    Type          Network
    IP address    192.30.30.0
    Subnet        /24 (255.255.255.0)


  4. Click Save.

Creating an IPsec profile

  1. Go to Profiles > IPsec profiles and select Add.
  2. Configure as follows:

    Note: The policies indicated here are just for illustration purposes. The administrator can choose a more secure policy according to their requirements.

    Setting                               Value
    General settings
      Name                                XG_to_SG
      Key exchange                        IKEv1
      Authentication mode                 Main mode
      Key negotiation tries               3
      Re-key connection                   Turned on
      Pass data in compressed format      Turned off
      SHA2 with 96-bit truncation         Turned off
    Phase 1
      Key life (seconds)                  28800
      Re-key margin (seconds)             120
      Randomize re-keying margin by (%)   0
      DH group (key group)                14 (DH2048)
      Encryption                          AES256
      Authentication                      SHA256
    Phase 2
      PFS group (DH group)                Same as phase-I
      Key life (seconds)                  3600
      Encryption                          AES256
      Authentication                      SHA256
    Dead Peer Detection
      Dead Peer Detection                 Turned on
      Check peer after every (seconds)    30
      Wait for response up to (seconds)   120
      When peer unreachable               Re-initiate


  3. Click Save.

Creating an IPsec VPN connection

  1. Go to Site-to-site VPN > IPsec.
  2. Under IPsec connections, click Add.
  3. Configure as follows:

    Setting                  Value
    General settings
      Name                   XG_to_SG
      IP version             IPv4
      Connection type        Site-to-site
      Gateway type           Respond only
      Activate on save       Turned on
      Create firewall rule   Turned off
    Encryption
      Profile                XG_to_SG
      Authentication type    Preshared key
      Preshared key          Enter a pre-shared key.
      Repeat preshared key   Repeat the preshared key.
    Gateway settings
      Listening interface    Port2 - 172.10.10.1
      Local subnet           XG_LAN
      Gateway address        172.30.30.1
      Remote subnet          SG_LAN


  4. Click Save.
  5. You should see that the IPsec connection is activated, as shown below. You can also activate it manually by clicking the icon under the Active column.

Add two firewall rules allowing VPN traffic

  1. Go to Rules and Policies > Firewall rules and select IPv4.
  2. Click Add firewall rule > New firewall rule.
  3. Configure two firewall rules as follows:

    Setting                       Firewall rule 1        Firewall rule 2
    Rule name                     Outbound_VPN_Traffic   Inbound_VPN_Traffic
    Action                        Accept                 Accept
    Rule position                 Top                    Top
    Rule group                    None                   None
    Log firewall traffic          Turned on              Turned on
    Source zones                  LAN                    VPN
    Source networks and devices   XG_LAN                 SG_LAN
    During scheduled time         All the time           All the time
    Destination zones             VPN                    LAN
    Destination networks          SG_LAN                 XG_LAN
    Services                      Any                    Any


  4. Click Save on both firewall rules.

Configuring Sophos UTM

Add network definitions

  1. Go to Definitions & Users > Network Definitions.
  2. Select Network Definitions and click New Network Definition.
  3. Configure as follows:

    Setting        Value
    Name           SG_LAN
    Type           Network
    IPv4 address   192.30.30.0
    Netmask        /24 (255.255.255.0)


  4. Click Save.
  5. Create another network definition as follows:

    Setting        Value
    Name           XG_LAN
    Type           Network
    IPv4 address   192.10.10.0
    Netmask        /24 (255.255.255.0)


  6. Click Save.
  7. Create another network definition as follows:

    Setting        Value
    Name           Sophos_Firewall
    Type           Host
    IPv4 address   172.10.10.0


  8. Click Save.

Creating an IPsec VPN connection

  1. Go to Site-to-site VPN > IPsec > Policies and click New IPsec Policy.
  2. Configure as follows:

    Note: Ensure that the settings match the custom policy on Sophos Firewall. The policies indicated here are just for illustration purposes. The administrator can choose a more secure policy according to their requirements.

    Setting                          Value
    Name                             SG_to_XG
    IKE encryption algorithm         AES 256
    IKE authentication algorithm     SHA2 256
    IKE SA lifetime (seconds)        28800
    IKE DH group                     Group 14: MODP 2048
    IPsec encryption algorithm       AES 256
    IPsec authentication algorithm   SHA2 256
    IPsec SA lifetime (seconds)      3600
    IPsec PFS group                  Group 14: MODP 2048
    Strict policy                    Turned off
    Compression                      Turned off


  3. Click Save.
  4. Go to Site-to-site VPN > IPsec > Remote Gateways and click New Remote Gateway.
  5. Configure as follows:

    Setting               Value
    Name                  IPsec_to_XG
    Gateway type          Initiate connection
    Gateway               Sophos_Firewall
    Authentication type   Preshared key
    Key                   Enter a pre-shared key.
    Repeat                Repeat the preshared key.
    VPN ID type           IP address
    Remote networks       XG_LAN

    Note: Use the same preshared key that is configured on Sophos Firewall.


  6. Click Save.
  7. Go to Site-to-site VPN > IPsec > Connections and click New IPsec Connection.
  8. Configure as follows:

    Setting                          Value
    Name                             SG_to_XG
    Remote gateway                   IPsec_to_XG
    Local interface                  External (WAN)
    Policy                           SG_to_XG
    Local networks                   SG_LAN
    Automatic firewall rules         Turned on
    Strict routing                   Turned off
    Bind tunnel to local interface   Turned off


  9. Click Save.
  10. You should see the following IPsec connection. Make sure the connection is turned on.
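The UTM policy note above says its settings must match the Sophos Firewall profile, but the two products name the same parameters differently. The script below is an added example, not part of the original article: it encodes both sides' values from the tables above as constructed dictionaries (not an export from either appliance), normalises the two vocabularies (XG "14 (DH2048)" versus UTM "Group 14: MODP 2048", "SHA256" versus "SHA2 256") and lists every phase 1 / phase 2 parameter, subnet pairing or initiator role that does not line up.

```python
import re

# Both sides' settings as shown in this article, typed into constructed dictionaries.
XG = {"key_exchange": "IKEv1", "initiates": False,        # Gateway type: Respond only
      "p1_enc": "AES256", "p1_auth": "SHA256", "p1_dh": "14 (DH2048)", "p1_life": 28800,
      "p2_enc": "AES256", "p2_auth": "SHA256", "p2_pfs": "Same as phase-I", "p2_life": 3600,
      "compression": "Turned off", "local": "XG_LAN", "remote": "SG_LAN"}
UTM = {"initiates": True,                                  # Gateway type: Initiate connection
       "p1_enc": "AES 256", "p1_auth": "SHA2 256", "p1_dh": "Group 14: MODP 2048", "p1_life": 28800,
       "p2_enc": "AES 256", "p2_auth": "SHA2 256", "p2_pfs": "Group 14: MODP 2048", "p2_life": 3600,
       "compression": "Turned off", "local": "SG_LAN", "remote": "XG_LAN"}
def _grab(pattern, s):
    m = re.fullmatch(pattern, s.strip().upper())
    if not m: raise ValueError(f"unrecognised value: {s!r}")
    return m[1]

def norm_enc(s):   # "AES256" (XG) and "AES 256" (UTM) both mean AES with a 256-bit key
    return "AES-" + _grab(r"AES\s*(128|192|256)", s)

def norm_auth(s):  # "SHA256" (XG) and "SHA2 256" (UTM) both mean HMAC-SHA-256
    return "SHA-" + _grab(r"SHA2?\s*(256|384|512)", s)

def norm_dh(s, phase1_dh=None):  # "14 (DH2048)" and "Group 14: MODP 2048" -> 14
    if s.lower().startswith("same as phase"):  # XG's "Same as phase-I" PFS shorthand
        return phase1_dh
    return int(re.search(r"\d+", s).group())

def compare(xg, utm):
    """Return human-readable mismatches; an empty list means the proposals agree."""
    problems = []
    if xg["key_exchange"] != "IKEv1":  # UTM has no IKEv2 (see the note at the end)
        problems.append("key exchange: UTM supports only IKEv1")
    p1_dh = norm_dh(xg["p1_dh"])
    checks = [
        ("phase 1 encryption", norm_enc(xg["p1_enc"]), norm_enc(utm["p1_enc"])),
        ("phase 1 authentication", norm_auth(xg["p1_auth"]), norm_auth(utm["p1_auth"])),
        ("phase 1 DH group", p1_dh, norm_dh(utm["p1_dh"])),
        ("phase 1 lifetime (s)", xg["p1_life"], utm["p1_life"]),
        ("phase 2 encryption", norm_enc(xg["p2_enc"]), norm_enc(utm["p2_enc"])),
        ("phase 2 authentication", norm_auth(xg["p2_auth"]), norm_auth(utm["p2_auth"])),
        ("phase 2 PFS group", norm_dh(xg["p2_pfs"], p1_dh), norm_dh(utm["p2_pfs"])),
        ("phase 2 lifetime (s)", xg["p2_life"], utm["p2_life"]),
        ("compression", xg["compression"], utm["compression"]),
        ("XG local vs UTM remote subnet", xg["local"], utm["remote"]),  # must mirror
        ("XG remote vs UTM local subnet", xg["remote"], utm["local"]),
    ]
    problems += [f"{name}: XG={a!r} UTM={b!r}" for name, a, b in checks if a != b]
    if not (xg["initiates"] or utm["initiates"]):
        problems.append("gateway type: neither side initiates, so the tunnel never starts")
    return problems
```

compare(XG, UTM) returns an empty list for the values in this article; change either dictionary to what is actually configured on your appliances and each returned string names the setting to correct before retrying the tunnel.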

Establishing the IPsec connection

The IPsec connection should be established automatically. From Sophos UTM, verify that the IPsec SA is established under Site-to-site VPN.

From Sophos Firewall, verify the connection in VPN > IPsec connections. The icon under the Connection column should be green.

Result

A ping test should succeed from a device behind Sophos Firewall to a device behind Sophos UTM and vice versa.


From Sophos Firewall, go to Rules and Policies > Firewall rules and verify that the VPN rules allow ingress and egress traffic.

View the existing connections in Current activities > IPsec connections.

Verify the IPsec usage in Reports > VPN.

Click the connection name for details.

Note:

  • Sophos UTM does not support IKEv2.
  • Ensure that the VPN firewall rules are at the top of the firewall rule list.
  • In a head office and branch office configuration, the Sophos Firewall at the branch office usually acts as the tunnel initiator and the Sophos Firewall at the head office acts as the responder, for the following reasons:

    • The head office device cannot start the connection if the branch office device is configured with a dynamic IP address.
    • Because the number of branch offices varies, it is recommended that each branch office retry its own connection rather than the head office retrying all connections to the branch offices.


Revamped RR Corrected Grammar & Font Size Added Horizontal Lines
[edited by: Erick Jan at 2:29 PM (GMT -7) on 28 Sep 2023]
  • Hi Dominic,

    thanks for the article.

    When I go through your article and enable DPD on the XG policy, I cannot choose this policy when I set the XG to "Respond Only".

    Can you choose the policy although DPD is enabled?

  • Hi Andreas,

    I don't think that DPD is necessary on the XGS because of the responding mode. I have one XGS directly connected to the internet. This is the only firewall that recognizes PMTU packets (ICMP type 3 code 4, I think). Allowed by firewall rule. On the UTM there is a firewall rule but no packets are recognized. Only if you turn on MTU discovery on the XGS gateway of the UTM. That seems strange to me. But it seems to work.

    Greetings, thanks a lot for your efforts.

    Piddae