Sophos XG Firewall: Establish IPsec connection between Sophos XG Firewall and SonicWall

Disclaimer: This information is provided as-is without any guarantees. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article describes how to configure a site-to-site IPsec VPN tunnel between the Sophos XG Firewall and SonicWall firewall, using a pre-shared key to authenticate VPN peers.

Applies to the following Sophos products and versions
Sophos Firewall

Prerequisites

You must have read-write permissions on the SFOS Admin Console and SonicWall Web Admin Console for the relevant features.

Network diagram

Configuration

Sophos XG Firewall

Add local and remote LAN

  1. Go to System > Hosts and services > IP host and click Add to create the local LAN.
  2. Enter Name.
  3. Set IP version to IPv4 and Type to Network.
  4. For IP address, enter 172.16.16.0.
  5. Click Save.



  6. Similarly, create a remote LAN.

Create an IPsec VPN connection

  1. Go to Configure > VPN > IPsec policies and click Add.
  2. Enter Name.
  3. Set Key exchange to IKEv2 and Authentication mode to Main mode.
  4. For Key negotiation tries, enter 0.
  5. Select Re-key connection.

  6. Under Phase 1, set Key life to 28800 and Re-key margin to 360, enter 100 for Randomize re-keying margin by, and set DH group (key group) to 14 (DH2048).
  7. Set Encryption to 3DES and Authentication to MD5.

  8. Under Phase 2, set PFS group (DH group) to Same as phase-I, and Key life to 28800.
  9. Set Encryption and Authentication to the same parameters set in Phase 1.
  10. Select Dead Peer Detection.
  11. Enter 30 seconds for Check peer after every, enter 120 seconds for Wait for response up to, and set When peer unreachable to Re-initiate.
  12. Click Save.

Create IPsec connection

  1. Go to Configure > VPN > IPsec connections and click Add.
  2. Enter Name.
  3. Set IP version to IPv4.
  4. Set Connection type to Site-to-site and Gateway type to Initiate the connection.
  5. Select Activate on save and Create firewall rule.
  6. Under Encryption, set Policy to the IPsec policy you created above (XG IPsec Policy).
  7. Set Authentication type to Preshared key. Enter and repeat the Preshared key.



  8. Under Gateway settings > Local gateway, set Listening interface to PortB – 10.198.67.43 and Local subnet to XG_LAN.
  9. Under Remote gateway, set Gateway address to 10.198.66.84 and Remote subnet to Sonicwall_LAN.
  10. Under Advanced, set User authentication mode to None.
  11. Click Save.



  12. Because Activate on save and Create firewall rule were selected, the IPsec connection is activated and a matching firewall rule is created automatically.

SonicWall

Create Address Object

Go to Network > Address Objects and click ADD.

Local network

  1. Enter Name.
  2. Set Zone Assignment to VPN and Type to Network.
  3. For Network, enter 10.198.62.0 and for Netmask/Prefix Length, enter 255.255.254.0.

Remote network (to be connected through the VPN tunnel)

  1. Enter Name.
  2. Set Zone Assignment to VPN and Type to Network.
  3. For Network, enter 172.16.16.0 and for Netmask/Prefix Length, enter 255.255.255.0.

Enable VPN

  1. Go to VPN > Settings.
  2. Under VPN Global Settings, select Enable VPN.
  3. Enter Unique Firewall Identifier (available at System > Administration > Firewall Name).

Create VPN policies

  1. Go to VPN > Settings > VPN Policies and click Add.
  2. In the General menu, under Security Policy, set Policy Type to Site to Site.
  3. Set Authentication Method to IKE using Preshared Secret.
  4. Enter Name.
  5. For IPsec Primary Gateway Name or Address, enter 10.198.67.43.
  6. For IPsec Secondary Gateway Name or Address, enter 0.0.0.0.
  7. Under IKE Authentication, enter Shared Secret and confirm.
  8. Set Local IKE ID and Peer IKE ID to IPv4 Address.



  9. Click the Network menu. Under Local Networks, select Choose local network from list and set it to Sonicwall_LAN.
  10. Under Remote Networks, select Choose destination network from list and set it to XG_LAN.



  11. In the Proposals menu, under IKE (Phase 1) Proposal, set Exchange to IKEv2 Mode.
  12. Set DH Group to Group 14.
  13. Under IPsec (Phase 2) Proposal, set Protocol to ESP.
  14. For both the IKE (Phase 1) Proposal and the IPsec (Phase 2) Proposal:

     1. Set Encryption to 3DES and Authentication to MD5.
     2. For Life Time (seconds), enter 28800.

  15. Click the Advanced menu. Under Advanced Settings, select Enable Windows Networking (NetBIOS) Broadcast.
  16. Set WXA Group to None.
  17. For Default LAN Gateway (optional), enter 0.0.0.0.
  18. For VPN Policy bound to, select Zone WAN.

Activate the connection

XG Firewall

  1. Go to Configure > VPN > IPsec connections.
  2. Under Status, click the red button under Connection to establish the connection.

SonicWall

  1. Go to VPN > Settings > VPN Policies.
  2. Select the connection and click Add. It will now appear under Currently Active VPN Tunnels.

Run a ping test from the XG Firewall to the SonicWall to check the connection.
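Before bringing the tunnel up, it helps to cross-check that the two sides actually mirror each other. The following is an added example (not Sophos or SonicWall code) that models both peers from the steps above and reports any mismatch plus any legacy algorithm; the dictionary layout, the LEGACY list and the assumption that the SonicWall policy leaves the Phase 2 PFS group unset (the article never sets it) are the example's own.

```python
from ipaddress import ip_network

# Algorithms to flag even when both peers agree on them (this example's own list, not a product setting).
LEGACY = {"DES", "3DES", "MD5", "SHA1"}

# Both configurations are constructed from the article's steps; key names are this example's own.
XG = {
    "ike": "IKEv2", "auth": "PSK", "local_gw": "10.198.67.43", "peer_gw": "10.198.66.84",
    "local_net": "172.16.16.0/24", "remote_net": "10.198.62.0/23",
    "p1": {"enc": "3DES", "hash": "MD5", "dh": 14, "life": 28800},
    "p2": {"enc": "3DES", "hash": "MD5", "dh": 14, "life": 28800},  # PFS group "Same as phase-I"
}
SONICWALL = {
    "ike": "IKEv2", "auth": "PSK", "local_gw": "10.198.66.84", "peer_gw": "10.198.67.43",
    "local_net": "10.198.62.0/23", "remote_net": "172.16.16.0/24",
    "p1": {"enc": "3DES", "hash": "MD5", "dh": 14, "life": 28800},
    "p2": {"enc": "3DES", "hash": "MD5", "dh": None, "life": 28800},  # assumption: PFS not enabled
}


def check_peers(a, b):
    """Return a list of findings; an empty list means the two peers are consistent and use no legacy algorithm."""
    findings = []
    for key in ("ike", "auth"):
        if a[key] != b[key]:
            findings.append(f"mismatch {key}: {a[key]} vs {b[key]}")
    # Gateway addresses double as the IPv4 IKE IDs, so each side's local must be the other's peer.
    if a["local_gw"] != b["peer_gw"] or b["local_gw"] != a["peer_gw"]:
        findings.append("mismatch gateway: IKE IDs do not cross-reference")
    # Traffic selectors must mirror each other: my local subnet is your remote subnet.
    if (ip_network(a["local_net"]) != ip_network(b["remote_net"])
            or ip_network(b["local_net"]) != ip_network(a["remote_net"])):
        findings.append("mismatch subnet: local/remote networks do not mirror each other")
    for phase in ("p1", "p2"):
        for field in ("enc", "hash", "dh", "life"):
            if a[phase][field] != b[phase][field]:
                findings.append(f"mismatch {phase}.{field}: {a[phase][field]} vs {b[phase][field]}")
        for side, cfg in (("XG", a), ("SonicWall", b)):
            for field in ("enc", "hash"):
                if cfg[phase][field] in LEGACY:
                    findings.append(f"legacy {side} {phase}.{field}: {cfg[phase][field]}")
    return findings


if __name__ == "__main__":
    for line in check_peers(XG, SONICWALL):
        print(line)
```

Running it against the article's values reports the Phase 2 PFS difference to verify on the SonicWall and flags 3DES/MD5 on both peers; swapping both sides to AES-256/SHA-256 with a matching PFS group clears every finding.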
