How to configure Site-to-Site IPsec VPN between SonicWall and Sophos Firewall

01/11/2023 57 People found this article helpful 321,123 Views

Description

When configuring a Site-to-Site IPsec VPN tunnel in SonicOS Enhanced firmware using Main Mode both the SonicWall appliances and Sophos firewall (Site A and Site B) must have a Static WAN IP address.

Network Setup

Site A	Site B
SonicWall	Sophos
WAN IP: 10.198.66.84 LAN Subnet: 10.168.62.0/23	WAN IP: 10.198.67.43 LAN Subnet: 172.16.16.0/24

Network diagram

Resolution

Sophos XG Firewall

Add Local LAN.

Go to system>Hosts and services>IP host and click Add to create the local LAN.
Enter Name
For IP version to IPv4 and Type to Network
For IP address, enter 172.16.18.0
Click Save
Similarly, create a remote LAN

Create an IPsec VPN connection

Go to Configure>VPN>IPsec policies and click Add.
Enter Name.
Set Key exchange to IKEv2 and Authentication mode to Main mode.
For Key negotiation tries, enter 0.
Select Re-key connection.
Under Phase 1, set key life to 28800, Re-key margin to 360, Randomize re-keying margin by to 100 and DH group (key group) to 14(DH2048)
Set Encryption to 3DES and Authentication to MD5.
Under Phase 2, set PFS group (DH group) to same as phase-1, and Key life 28800.
Set Encryption and Authentication to the same parameters set in Phase 1.
Select Dead peer Detection.
Set check peer after every to 30 seconds, wait for response up to 120 seconds and when peer unreachable to Re-initiate.
Click save.

Create IPsec connection

Go to configure>VPN>IPsec connections and click Add.
Enter Name.
Set IP version to IPv4.
Set connection type to site-to-site and Gateway type to initiate the connection.
Select Activate on save and create firewall rule.
Under Encryption, set policy to XG IPsec Policy (which you have created).
Set Authentication type to Preshared key. Enter and repeat the Preshared key.
Under Gateway settings>Local gateway, set Listening interface to PortB – 10.198.67.43 and Local subnet to XG_LAN.
Under Remote gateway, set Gateway address to 10.198.66.84 and Remote subnet to Sonicwall_LAN.
Under Advanced, set User authentication mode to None.
Click Save.
The IPsec connection is automatically activated and an automatic firewall rule is also created.

Sonicwall configuration

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Create address object for Local network.

Navigate to Object | Match object | Addresses and click add

Enter a Name
Set Zone Assignment to LAN and Type to Network.
For Network, enter 10.198.62.0 and for Netmask/Prefix Length, enter 255.255.254.0.

Create address object for remote network.

Navigate to Object | Match object | Adresses and click add

Enter a Name
Set Zone Assignment to VPN and Type to Network.
For Network, enter 172.16.16.0 and for Netmask/Prefix Length, enter 255.255.255.0.

Enable VPN.

Click Network in the top navigation menu.
Navigate to IPSec VPN | Rules and Settings, click settings.
Select Enable VPN.
Navigate to Device | Settings | Administraion | Firewall Name and enter a value in Unique Firewall Identifier.

Configure VPN policy.

Click Network in the top navigation menu.
Navigate to IPSec VPN | Rules and Settings,click Add. The VPN policy window is displayed.
In the General menu, under Security Policy, set Policy Type to Site to Site.
Set Authentication Method to IKE using Preshared Secret.
Enter Name.
For IPsec Primary Gateway Name or Address, enter 10.198.67.43.
For IPsec Secondary Gateway Name or Address, enter 0.0.0.0.
Under IKE Authentication, enter Shared Secret and confirm.
Set Local IKE ID and Peer IKE ID to IPv4 Address.

10. Click the Network menu.

11. Under Local Networks, select Choose local network from list and set it to Sonicwall_LAN.

12. Under Remote Networks, select Choose destination network from list and set it to XG_LAN.

Configure the proposals tab.

Exchange: IKEv2 Mode
DH Group: Group 14
Encryption: 3DES
Authentication: MD5

5. Select Enable windows networking(NetBIOS) Broadcast in Advanced | Advanced settings.

6. Set VPN Policy bound to Zone WAN

7. Click OK to save the configuration.

Activate the connection

XG Firewall

Navigate to Configure | VPN | IPsec connections.
Under Status, click the red button under Connection to establish the connection.

Run a ping test from the XG Firewall to the SonicWall and vice versa to check the connection.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Create address object for Local network.

Navigate to Manage| Object | Address objects and click add

Enter a Name
Set Zone Assignment to LAN and Type to Network.
For Network, enter 10.198.62.0 and for Netmask/Prefix Length, enter 255.255.254.0.

Create address object for remote network.

Navigate to Manage| Object | Address objects and click add

Enter a Name
Set Zone Assignment to VPN and Type to Network.
For Network, enter 172.16.16.0 and for Netmask/Prefix Length, enter 255.255.255.0.

Enable VPN.

Go to Manage | VPN | Base settings.
Select Enable VPN.
Navigate to System setup | Appliance| Base Settings | Firewall Name and enter a value in Unique Firewall Identifier

Configure VPN policy.

Click Manage in the top navigation menu.
Navigate to VPN | Base Settings,click Add. The VPN policy window is displayed.
In the General menu, under Security Policy, set Policy Type to Site to site VPN.
Set Authentication Method to IKE using Preshared Secret.
Enter Name.
For IPsec Primary Gateway Name or Address, enter 10.198.67.43.
Under IKE Authentication, enter Shared Secret and confirm .
Set Local IKE ID and Peer IKE ID to IPv4 Address.
Click the Network menu.
Under Local Networks, select Choose local network from list and set it to Sonicwall_LAN.
Under Remote Networks, select Choose destination network from list and set it to XG_LAN.

Configure the proposals tab.

Exchange: IKEv2 Mode
DH Group: Group 14
Encryption: 3DES
Authentication: MD5
Select Enable windows networking(NetBIOS) Broadcast in Advanced | Advanced settings.
Set VPN Policy bound to Zone WAN
Click OK to save the configuration.

Activate the connection

XG Firewall

Navigate to Configure | VPN | IPsec connections.
Under Status, click the red button under Connection to establish the connection.

SonicWALL

Navigate to VPN | Settings | VPN Policies.
Select the connection and click Add. It will now appear under Currently Active VPN Tunnels.

Run a ping test from the XG Firewall to the SonicWall and vice versa to check the connection.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

How to configure Site-to-Site IPsec VPN between SonicWall and Sophos Firewall

Description

Resolution

Sophos XG Firewall

Sonicwall configuration

Resolution for SonicOS 7.X

Activate the connection

XG Firewall

Resolution for SonicOS 6.5

Activate the connection

XG Firewall

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch