Table of Contents
1   Port 500, 4500 Open by ISP
2   Traffic arriving on Port 500, 4500
3   Matching Connection Type
4   Gateway Type
5   Matching Key Exchange
6a  IPsec Profile Matching
7   Phase 1 Matching Settings
7a  Key Life
7b  Re-Key Margin
7c  DH Group
7d  Encryption
7e  Authentication
8   Phase 2 Matching Settings
8a  PFS Group (DH Group)
8b  Key Life
8c  Encryption
8d  Authentication
9   Encryption Profile must match
10  Authentication Type (RSA Key Recommended between Sophos Firewall)
11  Listening Interface (WAN Interface only)
12  Gateway Address
Port 500, 4500 Open by ISP
For IPsec to connect, Port 500 has to be open at the ISP, so first confirm with your ISP that Port 500 is open. If you have an upstream device (that is, the Sophos Firewall does not have a public IP on its WAN interface), also make sure that Port 4500 is open at your ISP and that the upstream device passes Port 4500 down to the firewall.
Traffic arriving on Port 500, 4500
To confirm that Port 500 is open, the simplest way is to run a tcpdump on the firewall.
Access the Initiator and the Responder and confirm the public IP and port of the WAN interface that will be used for the IPsec connection. Then, on the Responder's firewall, enter the following command from the advanced shell.
Responder's Firewall (substitute the IP as needed):
# tcpdump -eni Port4 host 66.183.140.13 and port 500
We use the public IP of the Initiator's firewall as the host because we want to see whether its traffic arrives on Port 500.
On the Initiator's firewall, open the advanced shell and enter the following:
# telnet 207.102.231.209 500
If Port 500 is open on the Responder's Firewall, you will see this traffic:
XGS116_XN01_SFOS 20.0.0 GA-Build222# tcpdump -eni Port4 host 66.183.140.13 and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Port4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:34:46.713763 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 66: 66.183.140.13.34646 > 207.102.231.209.500: Flags [S], seq 3654474738, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
If the Responder's firewall is behind a third-party device or does not have a public IP, also make sure that Port 500 and Port 4500 are being passed down to the Responder's firewall; you can run the same test as above to verify this.
To test that Port 500 is also open on the Initiator, run the same command there.
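The telnet test above sends a TCP SYN to port 500, which shows that a packet addressed to that port reaches the WAN interface; the IKE exchange itself runs over UDP 500, with NAT-T on UDP 4500. The following shell helper is an added example and is not part of the Sophos article: it builds a tcpdump filter that captures only the Initiator's IKE and NAT-T traffic, and it classifies captured lines so you can tell a TCP reachability probe apart from a real IKE packet. The interface name (Port4) and the two addresses are the ones used in the article; the capture lines embedded in the script are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Sophos article. Builds the tcpdump filter for a
# peer's IKE traffic and classifies captured lines by transport and port.
# Port4 and the peer addresses are taken from the article; the capture lines
# below are constructed samples, not real output.

# Filter expression for the Responder: everything the Initiator sends to
# UDP 500 (IKE) or UDP 4500 (NAT-T).
# Usage on the firewall: tcpdump -eni Port4 "$(ike_filter 66.183.140.13)"
ike_filter() {
    printf 'host %s and udp and (port 500 or port 4500)' "$1"
}

# Classify a single tcpdump line (with or without -e) by transport and
# destination port.
check_line() {
    line=$1
    # Destination port: the number after the last "src > dst" pair.
    dport=$(printf '%s\n' "$line" | sed -n 's/.* > [0-9.]*\.\([0-9][0-9]*\):.*/\1/p')
    case $line in
        *'Flags ['*) proto=tcp ;;   # tcpdump prints TCP flags only for TCP
        *)           proto=udp ;;
    esac
    case "$proto:$dport" in
        udp:500)          echo "IKE on UDP 500" ;;
        udp:4500)         echo "NAT-T on UDP 4500" ;;
        tcp:500|tcp:4500) echo "TCP probe to port $dport (reachability only, not IKE)" ;;
        *)                echo "unrelated" ;;
    esac
}

# Count IKE, NAT-T and TCP-probe lines read from stdin; prints "ike natt probes".
summarize_capture() {
    ike=0 natt=0 probes=0
    while IFS= read -r line; do
        case $(check_line "$line") in
            IKE*)   ike=$((ike + 1)) ;;
            NAT-T*) natt=$((natt + 1)) ;;
            TCP*)   probes=$((probes + 1)) ;;
        esac
    done
    echo "$ike $natt $probes"
}

# Constructed capture: a telnet SYN to 500, one IKE_SA_INIT, one NAT-T packet,
# and an unrelated HTTPS SYN, all arriving on Port4 from the Initiator.
SAMPLE_CAPTURE=$(cat <<'EOF'
14:34:46.713763 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 66: 66.183.140.13.34646 > 207.102.231.209.500: Flags [S], seq 3654474738, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:35:02.104311 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 378: 66.183.140.13.500 > 207.102.231.209.500: isakmp: parent_sa ikev2_init[I]
14:35:02.231908 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 122: 66.183.140.13.4500 > 207.102.231.209.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
14:35:03.000512 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 66: 66.183.140.13.44212 > 207.102.231.209.443: Flags [S], seq 11223344, win 29200, length 0
EOF
)

# Summarize the constructed sample; returns "1 1 1".
summarize_sample() {
    printf '%s\n' "$SAMPLE_CAPTURE" | summarize_capture
}

# Run stand-alone: print the filter and the summary of the sample capture.
echo "filter: $(ike_filter 66.183.140.13)"
echo "ike natt probes: $(summarize_sample)"
```

On the firewall you would feed a live capture in instead of the sample, for example `tcpdump -eni Port4 "$(ike_filter 66.183.140.13)" | summarize_capture` after a tunnel attempt; a non-zero IKE count confirms that UDP 500 reaches the Responder, and a non-zero NAT-T count confirms that UDP 4500 is passed down when the peer is behind NAT.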