
Sophos Firewall: Policy-Based IPsec with Oracle Cloud Infrastructure (OCI)

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Note: The following KB is an updated version of the Sophos Firewall and Oracle Cloud Infrastructure (OCI) policy-based IPsec

Overview

This Recommended Read describes how to configure a policy-based IPsec tunnel between Sophos Firewall and an Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN).

Network Diagram

Oracle Cloud Infrastructure (OCI)

Oracle Cloud Infrastructure is a platform of cloud services that lets you build and run a wide range of applications in a highly available environment. For more information, see www.oracle.com/.../

In OCI, an IPsec tunnel is composed of three objects:

  1. Dynamic Routing Gateway (DRG)
  2. Customer-Premises Equipment (CPE)
  3. IPsec Connection

Configuration

VCN

In the OCI console, go to Main menu > Network > Virtual Cloud Network > Create VCN.

Select the compartment and enter the IPv4 CIDR block. The following example uses 10.1.0.0/16.

Once created, the VCN is shown under Networking > Virtual Cloud Networks > Virtual Cloud Network Details.

Create Subnet

In Networking > Virtual Cloud Networks > Virtual Cloud Network, click Create Subnet.

VM Instances

Go to Networking > Virtual Cloud Network > Virtual Cloud Network > Create Internet Gateways.

Routing Tables

Configure the following route rule so that the subnet can reach the Internet:

  • Target Type: Internet Gateway
  • Destination CIDR Block: 0.0.0.0/0
  • Target: internetGW

Security List

Modify the security list to allow ICMP for testing.

Under Networking > Virtual Cloud Network > LAB > Security List Details.

Dynamic Routing Gateways

Go to Networking > Customer Connectivity > Dynamic Routing Gateways and create the DRG.

Customer-Premises Equipment (CPE)

Create the CPE object using the public (ISP) IP address of the Sophos Firewall WAN interface.

IPsec Connection

To create the VPN, go to Networking > Customer Connectivity > Site-to-site VPN and enter the required information:

  • CPE
  • IKE version
  • Oracle IKE initiation
  • DPD
  • Phase 1 and Phase 2 configuration

Follow the screenshot for more details.

Sophos Firewall Configuration

Firmware version 20 is used for this example. For the site-to-site VPN, go to

Configure > Site-to-site VPN

IPsec Policies

Click Add and define Phase 1 and Phase 2 as follows:

Phase 1

  • Mode: Main
  • Allow re-keying: enabled
  • DH group: 14
  • Lifetime: 28800
  • Encryption: AES-256
  • Authentication: SHA2 256

Phase 2

  • PFS group: 14
  • Encryption: AES-256
  • Authentication: SHA1
  • Key life: 3600

Note: Sophos Firewall warns about using SHA1.

Oracle documentation states to use SHA1-96.

Additional Encryption

Note (optional): Vendors sometimes add support for additional encryption and authentication types before updating their documentation.

I've added a second set of encryption/authentication to the Phase 2 settings, hoping this is the case with Oracle:

  • AES-256 / SHA2 256

In Sophos Firewall, go to VPN > IPsec Connections:

  • Add a new connection
  • Type: Site-to-site
  • Mode: Initiate
  • Policy: the IPsec policy created above
  • Shared Secret: the pre-shared key defined for the primary tunnel
  • Listening Interface: the WAN interface whose IP matches the Oracle CPE address and the IKE CPE identifier from which Oracle expects the tunnel
  • Gateway Address: the public IP of the primary Oracle VPN endpoint

Note: If the Sophos Firewall WAN interface is behind NAT, use "Local ID" to override the IP address presented as the IKE identifier.

Local Networks

  • Include every on-premises network that should use the tunnel

Note: These must match the "Static route CIDR" values entered when creating the IPsec connection in OCI.

Remote Networks

  • Any OCI subnets that should be reachable through the tunnel

Click "Save", then click the status button to activate the tunnel.
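The two places a policy-based tunnel to OCI most often fails are a Phase 2 proposal mismatch (the reason for the second AES-256/SHA2 256 set above) and traffic selectors that differ between the Sophos Local Networks and the OCI "Static route CIDR" values. The following checker is an added example, not code from the article or from Sophos or Oracle; the peer's accepted proposal set and the sample CIDRs are constructed assumptions.

```python
# Added example (not from the original article): check Phase 2 proposal
# negotiation and traffic-selector consistency for a policy-based IPsec tunnel.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str      # e.g. "aes256"
    authentication: str  # e.g. "sha1" or "sha2-256"


def negotiate(local: list, peer: set) -> Optional[Proposal]:
    """Return the first local proposal (in configured order) that the peer accepts.

    This mirrors why a second encryption/authentication set is added to Phase 2:
    the initiator offers every configured set and the responder picks the first
    one it supports, so the tunnel still comes up if the peer rejects SHA1.
    """
    for proposal in local:
        if proposal in peer:
            return proposal
    return None  # no common proposal: Phase 2 fails


def selector_mismatch(sophos_local: list, oci_static_routes: list) -> dict:
    """Compare Sophos 'Local Networks' with the OCI static route CIDRs.

    Networks are normalised to their prefix (10.0.1.5/24 -> 10.0.1.0/24), because
    that is what the IPsec traffic selectors carry; any difference is reported.
    """
    local = {str(ip_network(n, strict=False)) for n in sophos_local}
    remote = {str(ip_network(n, strict=False)) for n in oci_static_routes}
    return {
        "only_on_sophos": sorted(local - remote),
        "only_on_oci": sorted(remote - local),
    }


# Constructed sample values: the article's Phase 2 sets, and an assumed peer
# that accepts only AES-256/SHA2 256 (not Oracle's actual supported list).
SOPHOS_PHASE2 = [Proposal("aes256", "sha1"), Proposal("aes256", "sha2-256")]
PEER_ACCEPTS = {Proposal("aes256", "sha2-256")}

if __name__ == "__main__":
    print("Negotiated Phase 2:", negotiate(SOPHOS_PHASE2, PEER_ACCEPTS))
    print(selector_mismatch(["192.168.10.0/24", "192.168.20.5/24"],
                            ["192.168.10.0/24"]))
```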

For the backup tunnel, the same configuration and setup are needed. Create the backup IPsec connection on the Sophos Firewall and then proceed to the following steps: