Create IPsec tunnels in Sophos Firewall

Complete these high-level steps to create IPsec tunnels between Sophos Firewall and SIA.

This process was tested on these hardware and software versions of Sophos Firewall:

Hardware

  • Sophos Firewall XGS and XG series hardware
  • Sophos Firewall virtual appliance on VMware

Software

  • SFOS Version 19.0 MR2 Build 472
  • SFOS Version 19.5 MR2 Build 624

Before you begin:

Prepare for SD-WAN setup. Make sure you create the IPsec credentials. The IKE identifier and the pre-shared key that you provide in SIA are required for this setup.

To create IPsec tunnels in Sophos Firewall:

  1. In Sophos Firewall, create a route-based VPN. For instructions, see Create a route-based VPN.
  2. Assign a static IP address to the XFRM interface. For instructions, see Assign an IP address to the XFRM interface.
  3. Create a firewall rule. For instructions, see Add a firewall rule.
  4. Configure routing to define how Sophos Firewall forwards traffic. For instructions, see Configure routing.
  5. Verify that tunnels are active and communicating. For instructions, see Verify tunnel status.

Create a route-based VPN

Complete this procedure to create a VPN tunnel between SIA and Sophos Firewall. For more information on these steps, see Create a route-based VPN in the Sophos Firewall Documentation.

To create a route-based VPN:

  1. Log in to the Sophos Firewall web admin console or your administrative interface.
  2. In the navigation menu, under the Configure section, click Site-to-site VPN.
  3. Click Add.
  4. In the IPsec tab, configure the general settings:
    1. Enter a descriptive name.
    2. For the Connection type, select Tunnel interface.
    3. For the Gateway type, select Initiate the connection.
  5. Configure the encryption settings:
    1. For the Profile, select IKEv2.
    2. For the Authentication type menu, select Preshared key.
    3. In the Preshared key field, enter the preshared key that you generated and provided in SIA. For more information, see Prepare for SD-WAN setup.
    4. In the Repeat preshared key field, enter the preshared key again.
  6. Configure the gateway settings. In the Gateway Address field of the Remote Gateway section, enter the address for the primary IPsec tunnel: primary.ipsec.akaetp.net.
  7. Configure the Local ID:
    1. In the Local ID type menu, select Email.
    2. In the Local ID field, enter the IKE identifier that you configured in SIA. For more information, see Prepare for SD-WAN setup.
  8. Click Save.
  9. Repeat steps 2-8 for the secondary tunnel. Make sure you use secondary.ipsec.akaetp.net as the gateway address.

Next Steps

  1. Confirm that your tunnels appear with an Active status.
  2. Assign an address to the XFRM interface.

Assign an IP address to the XFRM interface

Complete this procedure to assign an address to the XFRM interface. The XFRM interface is a virtual tunnel interface that Sophos Firewall creates when you set up a route-based VPN connection.

To assign an address to the XFRM interface:

  1. In the navigation menu, under the Configure section, click Network.
  2. Under Interfaces, select the interface for the primary IPsec tunnel.
  3. Edit the interface and assign a static IP address.
  4. Repeat steps 2 and 3 for the interface of the secondary IPsec tunnel.

Next Steps

Add a firewall rule

Add a firewall rule

Complete this procedure to create a firewall rule. For detailed instructions, see Add a firewall rule in the Sophos Firewall documentation.

To add a firewall rule:

  1. In the navigation menu, under Protect, click Rules and policies.
  2. Click Add firewall rule, and create a firewall rule that allows traffic to flow from Sophos to SIA. Make sure you create a firewall rule that meets the requirements and security policies of your organization.

Next Steps

Configure routing

Configure routing

Complete this procedure to define how Sophos Firewall forwards traffic. You can configure an SD-WAN route and/or a static route. If you configure both routes, the fallback route that's used depends on the route precedence you set in Sophos Firewall. For more information on routing, see Routing in the Sophos Firewall documentation.

To configure routing:

  1. In the navigation menu, under Configure, click Routing.

  2. To create a static route:

    1. Click the Static routes tab.
    2. Create a routing rule for the XFRM tunnel interfaces. For instructions, see Add a unicast route in the Sophos Firewall documentation.
  3. To create an SD-WAN route:

    1. Do one of the following:

      • Add a custom primary and backup gateway for each tunnel interface. Click the Gateways tab. For instructions on creating a gateway, see Add a gateway in the Sophos Firewall documentation.
      • Create an SD-WAN SLA profile. For more information, see SD-WAN profiles and Add an SD-WAN profile in the Sophos Firewall documentation.
    2. Click the SD-WAN routes tab, and complete these steps:

      1. Enter a descriptive name for your connection.
      2. Add the networks and services that have traffic you want redirected to SIA Proxy.
      3. Based on the configuration of step 3a, do one of the following in the Link selection settings:
        • Select Primary and Backup gateways. In the provided menus, select the primary and backup gateways you created.
        • Select Select SD-WAN profile. In the provided menu, select the SD-WAN profile that you created.
      4. Click Save.
        For detailed instructions on creating an SD-WAN route, see Add an SD-WAN route in the Sophos Firewall documentation.

Next Steps

Verify tunnel status

Verify tunnel status

Complete this procedure to verify that the tunnels between Sophos Firewall and SIA are communicating and active.

To verify tunnel status:

  1. In the Threat Protection menu of Enterprise Center, select Reports > IPsec Tunnel Activity. Verify that the Status is green for the tunnel.
  2. In Sophos Firewall:
    1. Select VPN > IPsec connections and verify the status of the IPsec connections. Confirm that the primary and secondary tunnel interfaces are active and connected.
    2. Confirm that the XFRM interfaces show a Connected status.
  3. If a tunnel is not connected, do the following:
    1. Review the site-to-site VPN configuration.
    2. Review the routing configuration and route precedence.
    3. Confirm that the firewall rules have the correct zones, hosts, and services configured.
    4. Confirm that packets are traveling through the tunnels. You can run tcpdump to view this information.
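The following script is an added example for the tcpdump check in step 4; it is not part of the Akamai or Sophos documentation. It classifies the lines of a `tcpdump -nn` capture from the firewall's WAN interface into IKE (UDP 500), NAT-T IKE (UDP 4500) and ESP (IP protocol 50) packets, and from the counts reports how far tunnel establishment got, which narrows down which of the checks in step 3 applies. The firewall address and the capture are constructed RFC 5737 sample values.

```shell
#!/bin/sh
# Added example, not from Akamai or Sophos documentation. Classify "tcpdump -nn"
# output into IKE / NAT-T / ESP packets and derive a coarse tunnel diagnosis.
FW_IP="203.0.113.10"   # hypothetical Sophos Firewall WAN address (constructed)

# Constructed sample capture: an IKEv2 exchange followed by ESP in both directions.
SAMPLE_CAPTURE='12:00:01.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]
12:00:01.020000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]
12:00:01.100000 IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
12:00:01.120000 IP 198.51.100.20.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
12:00:02.000000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:02.000100 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0e0f1011,seq=0x1), length 132'

# classify: stdin = tcpdump -nn lines; stdout = "<CLASS> <src> <dst>" for each IP line.
classify() {
  awk '$2 == "IP" {
    src = $3; dst = $5; sub(/:$/, "", dst)
    if ($0 ~ /ESP\(spi=/)                        cls = "ESP"   # IP protocol 50 data plane
    else if (src ~ /\.4500$/ && dst ~ /\.4500$/) cls = "NATT"  # IKE/ESP over UDP 4500
    else if (src ~ /\.500$/  && dst ~ /\.500$/)  cls = "IKE"   # IKE on UDP 500
    else                                         cls = "OTHER"
    print cls, src, dst
  }'
}

# count_class CLASS [in|out]: count packets of CLASS; "out" = sent by the firewall,
# "in" = received by it, no direction = both.
count_class() {
  classify | awk -v cls="$1" -v dir="$2" -v fw="$FW_IP" '
    $1 == cls {
      split($2, s, "."); split($3, d, ".")          # strip a trailing .port if present
      sip = s[1]"."s[2]"."s[3]"."s[4]; dip = d[1]"."d[2]"."d[3]"."d[4]
      if (dir == "" || (dir == "out" && sip == fw) || (dir == "in" && dip == fw)) n++
    }
    END { print n + 0 }'
}

# diagnose: stdin = capture; prints one keyword for how far the tunnel got.
diagnose() {
  cap=$(cat)
  ike=$(printf '%s\n' "$cap" | count_class IKE); natt=$(printf '%s\n' "$cap" | count_class NATT)
  esp_out=$(printf '%s\n' "$cap" | count_class ESP out); esp_in=$(printf '%s\n' "$cap" | count_class ESP in)
  if [ "$((ike + natt))" -eq 0 ]; then echo "no-ike"                # nothing sent: check gateway address and WAN route
  elif [ "$esp_out" -eq 0 ] && [ "$esp_in" -eq 0 ]; then echo "ike-only"  # no SAs: check preshared key, Local ID, IKEv2 profile
  elif [ "$esp_in" -eq 0 ]; then echo "esp-outbound-only"           # no return traffic: check routes and firewall rule
  else echo "established"; fi
}

printf '%s\n' "$SAMPLE_CAPTURE" | diagnose
```

On a live firewall, feed the script a capture such as `tcpdump -nn -i <WAN interface> host <gateway IP>` saved to a file instead of the embedded sample.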