Table of Contents
1. Port 500, 4500 Open by ISP
2. Traffic arriving on Port 500, 4500
3. Matching Connection Type
4. Gateway Type
5. Matching Key Exchange
6a. IPsec Profile Matching
7. Phase 1 Matching Settings
7a. Key Life
7b. Re-Key Margin
7c. DH Group
7d. Encryption
7e. Authentication
8. Phase 2 Matching Settings
8a. PFS Group (DH Group)
8b. Key Life
8c. Encryption
8d. Authentication
9. Encryption Profile must match
10. Authentication Type (RSA Key Recommended between Sophos Firewall)
11. Listening Interface (WAN Interface only)
12. Gateway Address
Port 500, 4500 Open by ISP
For IPsec to connect, port 500 has to be open by the ISP; confirm with your ISP that port 500 is open. If you have an upstream device (that is, the Sophos Firewall doesn't have a public IP on the WAN interface), also make sure port 4500 is open by your ISP and that the upstream device is passing port 4500 down to the firewall.
Traffic arriving on Port 500, 4500
To confirm port 500 is open, the simplest way is to run a tcpdump on the firewall.
Access the Initiator and the Responder and confirm the public IP and port of the WAN interface that will be used for the IPsec tunnel; then, on the Responder's firewall, enter the following command from the advanced shell.
Responder's Firewall (substitute the IP as needed):
# tcpdump -eni Port4 host 66.183.140.13 and port 500
We enter the public IP of the Initiator's firewall as the host because we want to see whether traffic from it arrives on port 500.
On the Initiator's firewall, enter the advanced shell and run the following:
# telnet 207.102.231.209 500
If port 500 is open on the Responder's firewall, you will see this traffic:
XGS116_XN01_SFOS 20.0.0 GA-Build222# tcpdump -eni Port4 host 66.183.140.13 and port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on Port4, link-type EN10MB (Ethernet), capture size 262144 bytes
14:34:46.713763 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 66: 66.183.140.13.34646 > 207.102.231.209.500: Flags [S], seq 3654474738, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
If the Responder's firewall is behind a third-party device or doesn't have a public IP, also make sure port 500 and port 4500 are being passed down to the Responder's firewall; you can run the same test as above.
To confirm that port 500 is also open on the Initiator, you can run the same command there.
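The capture above is easiest to read when you separate the TCP SYN produced by the telnet probe from genuine IKE packets, which travel over UDP 500 (ISAKMP) and UDP 4500 (NAT-T). The following parser is an added example, not code from the Sophos article or from Sophos: it reads the text format that `tcpdump -eni <iface>` prints on the advanced shell, recovers interface, direction, addresses and ports from each line, and labels every packet as a TCP probe, inbound or outbound IKE, or unrelated. The first sample line is the one shown in the article; the remaining sample lines are constructed in the same format to show what IKEv2 traffic looks like, and the `SAMPLE_CAPTURE`, `Packet`, `parse_line`, `summarize` and `ike_reaching_firewall` names are this example's own.

```python
"""Classify tcpdump -eni output from a Sophos Firewall advanced shell.

Added example (not Sophos code). It tells apart the TCP SYN generated by the
article's `telnet <responder-ip> 500` check from real IKE traffic, which runs
over UDP 500 (isakmp) and UDP 4500 (NAT-T), so you can see not only that the
port is reachable but whether the peer's IKE packets actually arrive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture. Line 1 is the TCP SYN from the article's telnet
# test; lines 2-4 are made up in the same tcpdump -e format (IKEv2 init from
# the initiator, the responder's reply, and a NAT-T encapsulated IKE_AUTH).
SAMPLE_CAPTURE = """\
14:34:46.713763 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 66: 66.183.140.13.34646 > 207.102.231.209.500: Flags [S], seq 3654474738, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
14:35:02.118842 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 474: 66.183.140.13.500 > 207.102.231.209.500: isakmp: parent_sa ikev2_init[I]
14:35:02.119903 Port4, OUT: 7c:5a:1c:96:07:25 > 68:ab:09:47:01:8b, ethertype IPv4 (0x0800), length 506: 207.102.231.209.500 > 66.183.140.13.500: isakmp: parent_sa ikev2_init[R]
14:35:02.201377 Port4, IN: 68:ab:09:47:01:8b > 7c:5a:1c:96:07:25, ethertype IPv4 (0x0800), length 318: 66.183.140.13.4500 > 207.102.231.209.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
"""

# One tcpdump -e line: timestamp, "<iface>, IN|OUT:", MACs and ethertype, then
# "<src>.<sport> > <dst>.<dport>: <payload description>".
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+), (?P<dir>IN|OUT): "
    r".*?length \d+: "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)

IKE_PORTS = {500: "isakmp", 4500: "ipsec-nat-t"}


@dataclass
class Packet:
    timestamp: str
    iface: str
    direction: str      # "IN" = arriving on the interface, "OUT" = leaving it
    src: str
    sport: int
    dst: str
    dport: int
    transport: str      # "tcp" or "udp", inferred from the payload description
    verdict: str        # "tcp-probe:<port>", "ike-in:<svc>", "ike-out:<svc>", "unrelated"


def _verdict(direction: str, dport: int, transport: str) -> str:
    service = IKE_PORTS.get(dport)
    if service is None:
        return "unrelated"
    if transport == "tcp":
        # The telnet test sends a TCP SYN. Seeing it proves the ISP/upstream
        # device passes the port to this firewall, but it is not IKE itself.
        return f"tcp-probe:{dport}"
    return f"ike-{direction.lower()}:{service}"


def parse_line(line: str) -> Optional[Packet]:
    """Parse one capture line; banner lines ("listening on ...") yield None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    # tcpdump prints "Flags [...]" only for TCP segments.
    transport = "tcp" if m["rest"].startswith("Flags [") else "udp"
    dport = int(m["dport"])
    return Packet(m["ts"], m["iface"], m["dir"], m["src"], int(m["sport"]),
                  m["dst"], dport, transport, _verdict(m["dir"], dport, transport))


def summarize(capture: str) -> dict[str, int]:
    """Count packets per verdict over a whole capture."""
    counts: dict[str, int] = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            counts[pkt.verdict] = counts.get(pkt.verdict, 0) + 1
    return counts


def ike_reaching_firewall(capture: str) -> bool:
    """True when at least one inbound UDP 500 or 4500 packet was captured."""
    return any(k.startswith("ike-in:") for k in summarize(capture))


if __name__ == "__main__":
    for verdict, n in sorted(summarize(SAMPLE_CAPTURE).items()):
        print(f"{verdict:22s} {n}")
    print("IKE from peer reaches WAN interface:", ike_reaching_firewall(SAMPLE_CAPTURE))
```

Paste the output of the real tcpdump session in place of `SAMPLE_CAPTURE`; if the summary shows only `tcp-probe:500`, the path is open but the peer is not sending IKE, which points at the tunnel configuration rather than the ISP.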
Matching Connection Type and IP Version
Access the Sophos Firewall and go to Configure > site-to-site VPN > IPsec > Yourtunnelname:
Make sure the IP version matches on both ends.
Make sure the Connection Type matches on both ends.
Gateway Type
Access the Sophos Firewall and go to Configure > site-to-site VPN > IPsec > Yourtunnelname:
Make sure the Gateway Type is set accordingly: one firewall should be the Initiator and the other the Responder.
DO NOT set both Gateway Types to the same value, as this will cause the tunnel to go down during rekey.
Note: If you have branch firewalls, we recommend using your more powerful firewall (usually the headquarters firewall) as the Responder.
IPsec Profile Matching
Matching Key Exchange
For the IPsec profile you built, make sure the Key Exchange matches on both ends.
If they don't match, the tunnel will not come up, and you will see the following error:
[IKE] <XG_TO_XG-1|4177> IKE_SA NO_PROPOSAL_CHOSEN set_condition COND_START_OVER
Key Life
Enter the time in seconds.
To prevent key exchange collisions, follow these guidelines:
Set the initiator's key life lower than the responder's.
Set the phase 2 key life lower than the phase 1 value in both firewalls.
For example, see the values in the default profiles Branch office (IKEv2) for the initiator and Head office (IKEv2) for the responder.
Re-Key Margin
Sophos Firewall supports only time-based rekeying. To configure an IPsec connection between Sophos Firewall and a third-party firewall, select time-based rekeying on the third-party firewall.
The re-key margin specifies how much time should remain on the current encryption keys before the firewall initiates the re-keying process.
This value should always be lower than the Key Life.
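The three timer rules given above (initiator key life lower than the responder's, phase 2 key life lower than phase 1 on each firewall, re-key margin lower than the key life) are easy to get wrong when profiles are edited on two firewalls separately. The checker below is an added example, not Sophos code; it encodes those rules so a pair of profiles can be validated before the tunnel is brought up. The initiator rule is applied to both phases, the margin is checked against both key lives, and all numeric values, along with the `IpsecProfile`, `check_profile` and `check_pair` names, are constructed for this example and are not the Sophos default profile values.

```python
"""Validate IPsec key life and re-key margin settings on an initiator/responder pair.

Added example (not Sophos code). Rules encoded, as stated in the article:
  - the initiator's key life is lower than the responder's (applied per phase),
  - phase 2 key life is lower than phase 1 on each firewall,
  - the re-key margin is lower than the key life.
All timers are in seconds, matching the "Enter the time in Seconds" field.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecProfile:
    name: str
    phase1_key_life: int    # seconds
    phase2_key_life: int    # seconds
    rekey_margin: int       # seconds left on the current key when re-keying starts


def check_profile(p: IpsecProfile) -> list[str]:
    """Rules that apply to a single firewall's profile."""
    problems: list[str] = []
    if p.phase2_key_life >= p.phase1_key_life:
        problems.append(
            f"{p.name}: phase 2 key life ({p.phase2_key_life}s) must be lower "
            f"than phase 1 key life ({p.phase1_key_life}s)")
    for phase, life in (("phase 1", p.phase1_key_life), ("phase 2", p.phase2_key_life)):
        if p.rekey_margin >= life:
            problems.append(
                f"{p.name}: re-key margin ({p.rekey_margin}s) must be lower "
                f"than the {phase} key life ({life}s)")
    return problems


def check_pair(initiator: IpsecProfile, responder: IpsecProfile) -> list[str]:
    """Per-profile rules plus the cross-firewall rule (initiator lower than responder)."""
    problems = check_profile(initiator) + check_profile(responder)
    pairs = (
        ("phase 1", initiator.phase1_key_life, responder.phase1_key_life),
        ("phase 2", initiator.phase2_key_life, responder.phase2_key_life),
    )
    for phase, ini_life, rsp_life in pairs:
        if ini_life >= rsp_life:
            problems.append(
                f"{phase}: initiator key life ({ini_life}s, {initiator.name}) must be "
                f"lower than responder key life ({rsp_life}s, {responder.name})")
    return problems


# Constructed sample values (not the Sophos "Branch office"/"Head office" defaults).
INITIATOR = IpsecProfile("branch-initiator", phase1_key_life=18000,
                         phase2_key_life=3600, rekey_margin=120)
RESPONDER = IpsecProfile("hq-responder", phase1_key_life=28800,
                         phase2_key_life=7200, rekey_margin=120)


if __name__ == "__main__":
    # A correctly staggered pair produces no findings ...
    for msg in check_pair(INITIATOR, RESPONDER) or ["OK: timers are consistent"]:
        print(msg)
    # ... while copying one profile to both ends trips the initiator rule in both phases.
    for msg in check_pair(RESPONDER, RESPONDER):
        print(msg)
```

Run it with the values from both firewalls' IPsec profiles; any line it prints is a setting to change before testing the tunnel, since collisions from equal or inverted timers typically surface only at the first rekey.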