Sophos Xg Ikev2





Overview

This guide describes how to set up a site-to-site IPsec VPN connection between Sophos XG Firewall and Palo Alto Firewall using DDNS.

Requirement

You need to register a DDNS account. In this article, a DDNS account is registered with the No-IP provider, using the hostname vacifcoltd.ddns.net for the Palo Alto site.

1. Network Diagram

2. How to configure

Sophos Firewall

Go to VPN > IPSec Policies > Add.

• Enter Name.
• Set Key exchange to IKEv2 and Authentication Mode to Main Mode.
• Set Key Negotiation Tries to 0.
• Select Allow Re-keying.


• Under Phase 1, set Key Life to 28800, Re-key Margin to 360 and Randomize Re-Keying Margin by to 50.
• Set DH Group (Key Group) to 2 (DH1024).
• Set Encryption to AES256 and Authentication to SHA2 512.

• Under Phase 2, set PFS Group (DH Group) to None, and Key Life to 3600.
• Set Encryption to AES256 and Authentication to SHA2 512.


• Under Dead Peer Detection, set Check Peer After Every to 30 seconds and Wait for Response Up to as 120 seconds.
• Set When Peer Unreachable to Re-initiate.

Click Save.

Configure IPsec Connection

Go to Configure > VPN > IPsec Connections and click Add.
• Under General Settings, enter Name.
• For IP Version, select IPv4.
• Set Connection Type to Site-to-Site and Gateway Type to Initiate the Connection.

• Select Create Firewall Rule to automatically create a rule that allows VPN traffic.
• Under Encryption, set Policy to Sophos, the policy you created above.
• Set Authentication Type to Preshared Key. Enter and repeat the Preshared Key.


• Under Local Subnet, add LAN_SPXG.
• Under Remote Gateway, set Gateway Address to vacifcoltd.ddns.net.
• Under Remote Subnet, add LAN_SPH.

Click Save.

Palo Alto Firewall

Go to Network Profiles > IKE Crypto and enter the name PA_P1.
• In the IKE Crypto Profile, add group2 to DH Group, aes-256-cbc to Encryption and sha512 to Authentication.
• Set Key Lifetime to Seconds and enter 28800.
• Set IKEv2 Authentication Multiple to 0.

Click OK.

Go to Network > IPsec Crypto and create a profile.
• Enter Name.
• Set IPSec Protocol to ESP, and DH Group to no-pfs.
• Add aes-256-cbc to Encryption.
• Add sha512 to Authentication.
• Set Lifetime to Seconds and enter 3600.

Click OK.

Go to Device tab > Certificate Management > Certificates > Generate.

  • Certificate Type: choose Local
  • Enter Certificate Name
  • Common Name: enter vacifcoltd.ddns.net
  • Select Certificate Authority.
  • Choose Algorithm, Number of bits and Digest.
  • Under Certificate Attributes, click Add, choose Host Name and enter vacifcoltd.ddns.net.
  • Click Generate.

To add the PA_P1 profile to an IKE gateway:
• Go to Network > IKE Gateway > General and create a new gateway.
• Enter Name.
• Set Version to IKEv2 only mode.
• Set Address Type to IPv4.
• Set Interface to ethernet1/1, and Local IP Address to None.
• Set Peer IP Type to Static.
• For Peer IP Address, enter 115.100.230.50.
• Set Authentication to Pre-Shared Key and enter the Pre-Shared Key.
• Set Local Identification to FQDN (hostname) and enter vacifcoltd.ddns.net.

Click OK.

Go to Network > IKE Gateway > Advanced Options.
• Under Common Options, select Enable Passive Mode, since Palo Alto will act as the responder for the IPsec connection.
• Under IKEv2 set IKE Crypto Profile to PA_P1, which you have created.
• Select Dead Peer Detection. Set Interval to 5.
Click OK.

Create Tunnel Interface
• Go to Network > Interfaces > Tunnel and click Add.
• Enter Interface Name.
• Select an existing Virtual Router.
• For Security Zone, select the Layer 3 internal zone from which traffic will originate.

Click OK.

Go to Interfaces > Ethernet > Ethernet 1/1 > Advanced > DDNS.

Click Settings and select Enable.

Hostname: vacifcoltd.ddns.net

Vendor: choose No-IP

Username and Password: Enter the username and password you used to register the DDNS account with the No-IP vendor.

Certificate Profile: choose New Certificate Profile.

Enter VPN_Cer as the Name, click Add, and for CA Certificate choose CA_VPN. Click OK.

Go to IPSec Tunnel > click Add.

Name: Enter name.

Tunnel Interface: Choose the tunnel.

IKE Gateway: choose PA, which you have created.

IPSec Crypto Profiles: Choose PA_P2.

Click OK.

To enable the VPN connection: select tunelpa, click Enable and click Yes.

Configure Firewall Rule to allow VPN traffic.

Create the Local Subnet and Remote Subnet objects.

Go to Object > Address. Click Add.

Create Local Subnet:

Create Remote Subnet:


Go to Policies > Security > Add.

LAN-VPN: Source (choose Local) – Destination (choose Remote)

VPN-LAN:Source (choose Remote) – Destination (choose Local)

Action: Allow.

Note: You must click Commit to save and apply the whole configuration.

On Sophos XG

Go to Configure > VPN > IPsec Connections.
• Under Status, click Active and Connection to activate and establish the connection.
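Before activating, it helps to confirm that the two peers were given matching proposals and the intended initiator/responder roles. The script below is an added example, not part of the original guide or either vendor's tooling: it takes the phase 1 and phase 2 values entered on both firewalls above, normalises the vendors' different spellings through an assumed mapping table, and reports mismatches plus the weak choices a reviewer would flag (1024-bit DH group 2, no PFS in phase 2).

```python
# Added example, not part of the original guide: cross-check the IKE/IPsec
# settings entered on both firewalls above. Vendor labels differ (Sophos
# "AES256" vs Palo Alto "aes-256-cbc"), so values are normalised first.

# Constructed from the values given in the guide.
SOPHOS = {
    "ike_version": "IKEv2", "role": "initiate",
    "p1": {"dh": "2 (DH1024)", "enc": "AES256", "auth": "SHA2 512", "life": 28800},
    "p2": {"dh": "None", "enc": "AES256", "auth": "SHA2 512", "life": 3600},
}
PALO_ALTO = {
    "ike_version": "IKEv2 only mode", "role": "passive",
    "p1": {"dh": "group2", "enc": "aes-256-cbc", "auth": "sha512", "life": 28800},
    "p2": {"dh": "no-pfs", "enc": "aes-256-cbc", "auth": "sha512", "life": 3600},
}

# Assumed mapping of each vendor's spelling to one canonical name.
CANON = {
    "2 (dh1024)": "modp1024", "group2": "modp1024",
    "14 (dh2048)": "modp2048", "group14": "modp2048",
    "none": "no-pfs", "aes256": "aes256-cbc", "aes-256-cbc": "aes256-cbc",
    "sha2 512": "sha512", "ikev2 only mode": "ikev2",
}

def canon(value):
    key = str(value).strip().lower()
    return CANON.get(key, key)

def check_peers(a, b):
    """Return a list of findings; an empty list means the proposals line up."""
    findings = []
    if canon(a["ike_version"]) != canon(b["ike_version"]):
        findings.append("IKE version mismatch")
    # Exactly one side initiates; the DDNS (dynamic IP) side should respond.
    if {a["role"], b["role"]} != {"initiate", "passive"}:
        findings.append("roles must be one initiator and one passive responder")
    for phase in ("p1", "p2"):
        for field in ("dh", "enc", "auth", "life"):
            if canon(a[phase][field]) != canon(b[phase][field]):
                findings.append(f"{phase} {field} mismatch: {a[phase][field]} vs {b[phase][field]}")
        if canon(a[phase]["dh"]) == "modp1024":
            findings.append(f"{phase} uses 1024-bit DH group 2, which is considered weak")
    if canon(a["p2"]["dh"]) == "no-pfs":
        findings.append("p2 has no PFS: a compromised IKE key exposes every child SA")
    return findings

if __name__ == "__main__":
    for line in check_peers(SOPHOS, PALO_ALTO) or ["proposals match"]:
        print(line)
```

With the guide's values the proposals match on both phases and only the two weak-setting findings are reported; any mismatch such as a differing cipher or lifetime is listed by phase and field.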


Result

The site-to-site IPsec VPN between Sophos XG and Palo Alto firewall using DDNS is established successfully.


Authentication Mode: the mode to use for exchanging authentication (phase 1) information.

Main mode: Executes the Diffie–Hellman key exchange in three two-way exchanges.

Aggressive mode: Executes the Diffie–Hellman key exchange in three messages. A tunnel can be established faster, as fewer messages are exchanged during authentication and no cryptographic algorithm is used to encrypt the authentication information. Use this option when the remote peer has a dynamic IP address.


Warning: Aggressive mode is insecure and, therefore, not recommended.