IPSec VPNs are a powerful tool for protecting network traffic and allowing remote users to securely access your resources. The Sophos firewall can be configured to use IPSec VPNs with other firewalls, but how do you configure it when the Sophos device is behind another Sophos device?
The ipsec tunnel between sophos and palo alto is a configuration that allows IPSec VPN to be established between Sophos devices.
1.What is the article’s purpose?
Techbast will teach you how to set up an IPSec VPN Site to Site between a Sophos Firewall and a Palo Alto using a Sophos Firewall device behind another Sophos Firewall device in this post.
2.Diagram
Details:
Headquartered in:
- We will have an external and internal firewall model with two devices at the head office. The external firewall is Sophos Firewall 1, while the internal firewall is Sophos Firewall 2.
- With IP 192.168.2.111, the internet connection is linked to Port 2 of the Sophos Firewall 1 device.
- The Sophos Firewall 1 device’s LAN network is set at Port 1 with IP 10.145.41.1/24 and uses DHCP to provide IP addresses to devices connected to it.
- The WAN port on Sophos Firewall 2 will be Port 2, and it will be linked to Port 1 on Sophos Firewall 1. The static IP for Port 2 on Sophos Firewall 2 is 10,145.41.50/24.
- The LAN of the Sophos Firewall 2 is set at Port 1 with IP 10.146.41.1/24 and DHCP.
Location of the branch office:
- With IP 192.168.2.115, the internet connection is linked to Palo Alto firewall device ethernet port1/1.
- The LAN is set up with an IP address of 172.16.16.16/24 on the ethernet1/2 port, and DHCP is used to provide IP addresses to connected devices.
3.Scenario
We will establish an IPSec VPN Site to Site between the Sophos Firewall 2 device at the Head Office site and the Palo Alto Firewall 3 device at the Branch Office site, as shown in the diagram, so that both LANs of the two sites may interact with each other.
4.What should you do?
1st-generation Sophos Firewall:
- For the IPSec service, create a profile.
- Create a profile for the WAN IP of the Sophos Firewall 2.
- Implement Sophos Firewall 2’s NAT IP WAN with IPSec service to the internet.
Sophos Firewall 2 is a second-generation firewall by Sophos.
- Create subnet profiles for the local and remote networks.
- Set up an IPSec policy.
- Establish an IPSec connection.
- Create a policy that allows traffic to flow across the LAN and VPN zones.
- On the VPN zone, enable PING and HTTPS services.
Palo Alto Firewall (Palo Alto Firewall):
- Make a VPN zone.
- Construct an Address Object.
- Make a tunnel user interface.
- Make your own virtual routers.
- IKE Crypto should be created.
- Create an IPSec cryptographic system.
- IKE Gateways should be created.
- Make an IPSec tunnel.
- Make a policy.
Result.
5.Configuration.
Sophos Firewall (version 5.1) 1.
5.1.1.To IPSec service profile
The UDP 500 and UDP 4500 ports will be used for the IPSec VPN Site to Site connection.
For these two services, we’ll need to establish profiles.
Go to SYSTEM > Hosts and services > Services > Add to establish a new service.
Create a new document with the following parameters:
- IPSec S2S VPN is a kind of IPSec VPN.
- Select TCP/UDP from the Type drop-down menu.
- Select UDP as the protocol.
- 1:65535 is the source port.
- Port of arrival: 500
- To add a row, use the + icon.
- Select UDP as the protocol.
- 1:65535 is the source port.
- 4500 is the destination port.
- Save the file.
5.1.2.Create a profile for the WAN IP 2 of the Sophos Firewall.
To build an IP Host, go to SYSTEM > Hosts and Services > IP Host > Add.
Fill in the blanks with the following information:
- Sophos Firewall 2 is a product from Sophos.
- Select IPv4 as the IP version.
- Type*: choose an IP address.
- IP address*: Enter 10,145.41.50 as the WAN IP for Sophos Firewall 2.
- Save the file.
5.1.3.Connect the Sophos Firewall 2’s NAT IP WAN to the internet using IPSec.
We go to PROTECT > RULES AND POLICIES > NAT to get to NAT. Server access assistance [DNAT] > Add firewall rule
A setup window appears after clicking on Server access assistance [DNAT].
Pick IP host and select Sophos Firewall 2 – 10.145.41.50 from the drop-down list in the Internal server IP address field.
Next should be selected.
Check Choose public ip address or WAN interface under Public IP address, and then select #Port 2 – 192.168.2.111 from the drop-down list.
Next should be selected.
Select IPSec S2S VPN profile from the Add new item menu under Service.
Next should be selected.
Keep the Any option selected under External source networks or devices and click Next.
Finally, check the previously chosen choices and, if you’ve made the right choice, click Save and Finish to finish.
Sophos Firewall 2 (version 5.2)
Create profiles for the local and remote subnets in 5.2.1.
For the Local and Remote subnets, we will build profiles.
Go to SYSTEM > Hosts and Services > IP Host > Add to create one.
Create a profile with the following settings for the Local subnet:
- SF2 LAN is the name of the network.
- IPv4 is the most recent version of the Internet Protocol.
- Network type*
- 10.146.41.0 Subnet /24 IP address* [255.255.255.0]
- Save the file.
We’ll build a profile for the Remote subnet based on the following parameters, just as we did for the other subnets:
PA LAN is a pseudonym for PA LAN.
IPv4 is the most recent version of the Internet Protocol.
Network type*
172.16.16.0 Subnet /24 IP address* [255.255.255.0]
Save the file.
5.2.2.Develop an IPSec policy
We need to establish a common IPSec policy for both devices since this is an IPSec VPN connection between two distinct machines.
Go to CONFIGURE > VPN > IPSec policies > Add to establish IPSec policies.
Create an IPSec policy using the settings shown below.
Default settings:
- VPN S2S PaloAlto is the name of the VPN S2S PaloAlto.
- IKEv2 is the protocol for exchanging keys.
- Main method of authentication
- Re-key the connection by checking the box.
Phrase 1:
- The key has a life of 5400 hours.
- Margin for re-keying: 360.
- Increase the re-keying margin by 50 percent.
- DH group (important group): 2 (DH1024).
- AES256 encryption is used.
- SHA2 256 is used for authentication.
Phrase 2:
- None in the PFS (DH) group.
- 3600 days on the key.
- AES128 encryption is used.
- SHA2 256 is used for authentication.
Detecting Dead Peers:
- Detection of a Dead Peer: tick.
- After every 30 seconds, check with a peer.
- Wait up to 120 seconds for a response.
- Re-initiate if a peer is unavailable.
Save the file.
5.2.3. Establish an IPSec connection
To establish an IPSec connection, navigate to CONFIGURE > VPN > IPSec connections > Add.
In general, we use the following options to configure:
- VPN SOPHOS TO PA is the name of the VPN client.
- IPv4 is the most recent version of the Internet Protocol.
- Site-to-site connections are the most common.
- Type of gateway: Only responds.
- Uncheck the box that says “active on saving.”
- Uncheck the box to create a firewall rule.
We set the following parameters in Encryption:
- Choose VPN S2S PaloAlto from the drop-down menu for the policy.
- Select Preshared key as the authentication type.
- Preshared key: type Preshared key into the box.
- Preshared key is repeated: re-enter Preshared key.
The following parameters are configured in the Gateway settings:
Gateway on the local level:
- Select Port2 – 10.145.41.50 as the listening interface.
- Select the IP address as the kind of local ID.
- Enter 10.145.41.50 as the local ID.
- Local subnet: use the SF2 LAN profile.
Gateway to the Internet:
- 192.168.2.115 is the WAN IP address of the Palo Alto firewall.
- Select the IP address as the remote ID type.
- nhp 192.168.2.115 is the remote ID.
- Select the PA LAN profile for the remote subnet.
Save the file.
The IPSec connection will be established once you click Save, as seen below.
This connection, however, is still disabled; to activate it, click the circle symbol in the Active column and then click OK.
The circle symbol in the Active column will now become green, indicating that the connection has been switched on successfully.
5.2.4.Create a policy that allows traffic to flow between the LAN and VPN zones.
The firewall will block all traffic across zones by default.
As a result, we’ll need to establish a policy that allows traffic to flow across the LAN and VPN zones.
Go to PROTECT > Rules and policies > Create to get started. As illustrated below, add a firewall rule and build a policy.
Save the file.
5.2.5.On the VPN zone, enable PING and HTTPS services.
All services are turned off by default in the VPN zone.
Go to SYSTEM > Administration > Device Access to activate it.
At the VPN zone, choose two HTTPS and two Ping/Ping6 services.
Palo Alto Firewall (version 5.3)
5.3.1.Make a Zone
For VPN connections, we need to establish zones.
To create a zone, go to Network > Zones.
Click Add and fill out the form with the following information:
- VPN (Virtual Private Network)
- Layer3 is a type.
- Click the OK button.
To save the settings changes, click Commit and OK.
Create an Address Object in 5.3.2.
The Address Object will be created for the two LAN subnets of Palo Alto and Sophos devices.
To create a new address, go to Object > Addresses.
Click Add and fill in the blanks with the parameters shown below.
Palo Alto Local Area Network (LAN):
- Name: PA LAN
- 172.16.16.0/24 IP Netmask type
- Click the OK button.
LAN: Sophos Firewall 2
- SF2 LAN is the name of the network.
- IP Netmask – 10.146.41.0/24 is the kind of IP Netmask.
- Click the OK button.
Create an interface tunnel in 5.3.3.
Go to Network > Interface > Tunnel to get started.
Click Add and fill out the form with the following information:
- tunnel – 2 is the name of the interface.
- There is no virtual router.
- Zone of Security: VPN
- Click the OK button.
Create Virtual Routers (section 5.3.4)
To build Virtual Routers, go to Network > Virtual Routers > Add and set the details as follows.
Router Settings tab:
- VR1 is a name for a kind of vehicle.
- General tab: Select the ports ethernet1/2 (LAN port), ethernet1/1 (internet port), and tunnel.2 by clicking Add (the tunnel used to connect VPN).
IPv4: IPv4: IPv4: IPv4: IPv4: IPv4: IPv4
To add static routes, click Add and provide the following information:
- Route-1 is the name of the route.
- SF2 LAN is the destination.
- tunnel.2 is the interface.
- Click OK twice more.
To save the settings changes, click Commit and OK.
5.3.5.Create an IKE Cryptographic Key
For the VPN connection, we will construct IKE Crypto ie Phrase 1.
Go to Network > IKE Crypto to get started. Click Add and fill out the form with the following information:
- IKE Crypto Phrase1 is the name of a cryptophrase created by IKE.
- Group 2 of the DH
- aes-256-cbc encryption
- sha256 authentication
- Key Lifetime: 5400 Seconds
- Click OK
To save the settings changes, click Commit and OK.
5.3.6.Create an IPSec cryptographic key
Go to Network > IPSec Crypto and click Add to build IPSec Crypto.
Configure according to the settings shown below:
- IPSec Crypto Phrase2 is an IPSec Crypto Phrase2 is an IPSec Cry
- ESP is an IPSec protocol that encrypts data.
- aes-128-cbc encryption
- sha256 authentication
- no-pfs DH Group
- 3600 seconds = 3600 seconds = 3600 seconds = 3600 seconds = 3600 seconds = 3600 seconds = 3
- Click the OK button.
To save the settings changes, click Commit and OK.
Create IKE Gateways (section 5.3.7)
Click Add under Network > IKE Gateways to build it.
Configure according to the settings shown below.
General: Bng
- IKE Gateway is a placeholder for IKE Gateway, which means “IKE
- IKEv2 is the only mode available.
- IPv4 is the most used kind of address.
- ethernet1/1 (the WAN port in Palo Alto)
- IP Address on the Local Network: None
- 192.168.2.111 is the WAN IP address of Sophos Firewall 1.
- Pre-shared Key Authentication
- Pre-shared key: input the password for the connection (this password must be the same as the one set on Sophos)
- Re-enter the connection password to confirm the pre-shared key.
- Select IP address and type 192.168.2.115 into the box.
- Select IP address for peer identification – Enter the WAN IP of Sophos Firewall 2 as 10.145.41.50.
Advanced Options for Bng:
- Select IKE Crypto Phrase1 from the IKE Crypto Profile drop-down menu.
- Click the OK button.
To save the settings changes, click Commit and OK.
Create IPSec Tunnels (section 5.3.8)
We’ll now begin setting up a VPN connection using the Sophos Firewall.
Click Add under Network > IPSec Tunnels to get started.
Fill up the blanks with the following information.
General tab:
- VPN PA TO SOPHOS is the name of a VPN client that connects to a Sophos server.
- tunnel.2 is the tunnel interface.
- Auto Key is a kind.
- IPv4 is the most used kind of address.
- Gateways for IKE: IKE Gateway
- IPSec Crypto Profile: IPSec Crypto Phrase2 IPSec Crypto Phrase2 IPSec Crypto Phrase2
Proxy IDs (tab):
Click Add and fill up the following details:
- Peer-1 is the proxy ID.
- 172.16.16.0/24 (Local)
- 10.146.41.0/24 (remote)
- Any protocol
- Click OK twice more.
To save the settings changes, click Commit and OK.
5.3.9.Develop a policy
We’ll need to create a policy that enables traffic from Palo Alto’s LAN subnet to go through the Sophos Firewall’s LAN subnet and vice versa.
Go to Policies > Security and click Add to establish a policy.
Create a policy using the following information that enables traffic from Palo Alto’s LAN subnet to flow through the Sophos Firewall’s LAN subnet:
General tab:
- LAN TO VPN is a network-to-virtual-private-network (VPN
- Universal Rule Type (default)
Source of Tab:
- Click Add and choose Trust-Layer3 as the source zone. (This is the LAN layer’s zone.)
- Click Add and choose PA LAN (the Address Object we established previously) as the source address.
Destination tab:
- VPN is the destination zone.
- SF2-LAN is the destination address (this is the Address Object created initially)
Action on the tab:
- Select Allow as your action.
- Click the OK button.
Then, using the Add button, we’ll establish a policy that permits traffic to flow from Sophos Firewall’s LAN subnet to Palo Alto’s LAN subnet, using the following information:
General tab:
- VPN TO LAN is an acronym for Virtual Private Network to Local Area Network.
- Universal Rule Type (default)
Source of Tab:
- Press Add and choose VPN as the source zone.
- Source Address: Select SF2 LAN from the Add menu (SF2 LAN is the Address Object we created previously).
Destination tab:
- Trust-Layer3 is the destination zone (Zone of the LAN layer)
- PA-LAN is the destination address (this is the Address Object created at the beginning)
Action on the tab:
- Select Allow as your action.
- Click the OK button.
5.4.Result.
Following the creation of the IPSec tunnels connection on the Palo Alto device, the connection will be listed as shown below.
We see that the network port indicator is green in the Status column, indicating that this IPSec connection has been enabled.
Go to Sophos Firewall > CONFIGURE > VPN > IPSec connections to enable an IPSec connection between two machines.
The circle symbol in the Connection column of the IPSec VPN connection we made earlier is red, indicating that the connection to the Palo Alto firewall device has not been established.
To turn it on, left-click the circle symbol in the Connection column and choose Yes from the drop-down menu.
This circle symbol will become green, indicating that the IPSec VPN connection between the two machines has been successfully established.
Two circular icons will appear in the two Status columns on the Palo Alto firewall device, both of which will become green.
Techbast will utilize one computer at each site to ping each other to verify the outcomes of the communication between the two LAN levels of each site.
Techbast has set up a server with the IP 10.146.41.10/24 at the Head Office and a Windows 10 workstation with the IP 172.16.16.50/24 at the Branch Office.
Ping result to Windows 10 system from IP server 10.146.41.10/24.
The ping was successful.
The server received a ping from a Windows 10 computer with the IP 172.16.16.50.
The ping was successful.
YOU MIGHT ALSO BE INTERESTED IN
The ipsec failover sophos xg is a command-line tool that allows users to configure IPSec VPN between Sophos and Palo Alto when the Sophos device is behind another Sophos device.
Related Tags
- sophos xg ipsec vpn troubleshooting
- palo alto ipsec tunnel troubleshooting
- sophos utm palo alto vpn
- sophos utm site-to site vpn
- sophos utm vpn ipsec
