Here in this article we will discuss how to configure an IPsec site-to-site VPN connection on a Sophos XG firewall. A site-to-site VPN connection establishes a secure tunnel between two private networks over the internet. To bring the tunnel up, you need to configure matching IPsec connection parameters on both firewalls.
Configure IPsec Connection:
Click on VPN, then on IPsec connections, and click on Add as shown below.
Fill in the following details:
Name: Enter a name. It may contain only lowercase letters, uppercase letters, digits or “_”; no other special characters are allowed.
IP version: Select IPv4, IPv6 or dual.
Activate On Save: If you enable this option, the IPsec connection is activated as soon as it is saved.
Create Firewall Rule: If you enable this option, firewall rules for the IPsec VPN traffic are created automatically.
Connection type: can be “Site to site”, “Host to host” or “Tunnel interface”.
Site to Site: establishes a secure tunnel between two private networks over the internet. This is also called policy-based VPN: both the local and remote networks are defined in the IPsec connection itself.
Host to Host: the VPN tunnel is established between two endpoints instead of two networks.
Tunnel Interface: configures a route-based VPN. Unlike policy-based VPN, the local and remote networks are not defined in the IPsec connection; a tunnel interface is created automatically and traffic must be routed through that interface.
Note: This article focuses on configuring a policy-based VPN.
Gateway type has two options, “Initiate the connection” and “Respond only”. One end of the tunnel should be configured as respond only and the other end as initiate the connection.
Initiate The Connection: If you select this option, the firewall acts as the initiator.
Respond Only: If you select this option, the firewall acts as the responder.
Note: If one firewall has a dynamic IP address, configure that firewall as the initiator.
Policy: Select an IPsec policy based on your requirements. All available IPsec policies are listed under “VPN >> IPsec Policies”.
Note: For ease of setup, if the gateway is configured as “respond only”, select “Default Branch Office”; if the gateway is configured as “initiate the connection”, select the “Default Head Office” policy.
Authentication Type: Select preshared key, certificate or RSA key.
Note: This article uses preshared key authentication.
Listening Interface: Select the WAN interface of the firewall on which the IPsec connection is established.
Local ID: Select an ID for this VPN connection. If there are multiple VPN connections on the firewall, this ID differentiates them.
Local Subnet: Enter the local network for the IPsec VPN connection. Only the networks listed here are reachable through the tunnel.
Gateway Address: Enter the static IP address of the remote gateway. If you enter “*”, connections are accepted from any gateway.
Remote ID: Enter the ID of the remote end of the VPN connection. Make sure the ID values match on both ends of the tunnel.
Remote Subnet: Select the remote network; it will be reachable through the IPsec VPN tunnel.
Now click on Save.
Next, configure the IPsec connection on the other end of the VPN tunnel. The two ends must be consistent:
If a gateway is set to initiate the connection, the remote gateway address must be entered.
If one gateway type is respond only, the other end must be initiate the connection.
The local ID on one gateway must match the remote ID on the other end.
The remote ID on one gateway must match the local ID on the other end of the tunnel.
The local subnet on one gateway must match the remote subnet on the other end.
The remote subnet on one gateway must match the local subnet on the other end of the tunnel.
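The consistency rules above are easy to get wrong when typing values into two separate web consoles, so here is an added example (not part of the original article or of Sophos) that checks a pair of IPsec connection settings for the mirrored IDs, mirrored subnets, initiator/responder pairing, gateway address and name rules described on this page. The two configurations, the ID strings and the addresses are constructed sample values.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")  # letters, digits and "_" only

@dataclass
class IpsecConnection:
    name: str
    mode: str             # "initiate" or "respond_only"
    local_id: str
    remote_id: str
    local_subnet: str
    remote_subnet: str
    gateway_address: str  # peer WAN IP, or "*" to accept any peer

def check_pair(a: IpsecConnection, b: IpsecConnection) -> list[str]:
    """Return the mismatches between the two tunnel ends; empty means consistent."""
    problems = []
    for side in (a, b):
        if not NAME_RE.match(side.name):
            problems.append(f"{side.name}: name may only use letters, digits and '_'")
        if side.mode == "initiate" and side.gateway_address == "*":
            problems.append(f"{side.name}: initiator must have the peer's static gateway address")
    if {a.mode, b.mode} != {"initiate", "respond_only"}:
        problems.append("exactly one end must initiate and the other respond only")
    # Local ID on one end must equal remote ID on the other, in both directions.
    if a.local_id != b.remote_id:
        problems.append(f"{a.name} local ID {a.local_id!r} != {b.name} remote ID {b.remote_id!r}")
    if b.local_id != a.remote_id:
        problems.append(f"{b.name} local ID {b.local_id!r} != {a.name} remote ID {a.remote_id!r}")
    # Same mirroring for the subnets; ip_network normalises notation before comparing.
    if ip_network(a.local_subnet) != ip_network(b.remote_subnet):
        problems.append(f"{a.name} local subnet != {b.name} remote subnet")
    if ip_network(b.local_subnet) != ip_network(a.remote_subnet):
        problems.append(f"{b.name} local subnet != {a.name} remote subnet")
    return problems

# Constructed sample: head office initiates, branch office responds only.
HEAD = IpsecConnection("HO_to_BO", "initiate", "ho.example", "bo.example",
                       "10.10.0.0/24", "10.20.0.0/24", "203.0.113.20")
BRANCH = IpsecConnection("BO_to_HO", "respond_only", "bo.example", "ho.example",
                         "10.20.0.0/24", "10.10.0.0/24", "203.0.113.10")

if __name__ == "__main__":
    for line in check_pair(HEAD, BRANCH) or ["both ends are consistent"]:
        print(line)
```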
Click on Save in the branch office firewall.
Once you click on Save, the tunnel is created as shown below:
Here the status shows active because we enabled the “Activate On Save” option.
Since this end is set to initiate the connection, click on the red connection icon below to bring the tunnel up.
Click on OK to initiate the connection.
Note: If this gateway is set to respond only, the connection must be initiated manually from the other end of the tunnel.
The tunnel is established.
Hope this article helps you.