Sophos XG Firewall v18 to Azure VPN Gateway IPSEC Connection

  • Create Azure Local Network Gateway:

    a. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.

    b. Click on "Create a resource".

    c. In the search box, type "Local Network Gateway".

    d. Select "Local Network Gateway" and click on "Create".

    e. In the "Create local network gateway" blade, configure the following and then click on "Create":

    > Name: You can give this any preferred name.

    > Endpoint: IP address

    > IP address: Specify the public IP address of your Sophos XG firewall.

    > Address space: Specify the address ranges for the network that your On-Prem local network represents.

    > Subscription: Verify that the correct subscription is selected for the deployment.

    > Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.


  • Create a Gateway Subnet:

    a. In the Azure Portal: https://portal.azure.com, click on 'More Services'.

    b. In the search box, type 'Virtual Networks' and select the 'Virtual Networks' option.

    c. Click on the virtual network for which you want to create a virtual network gateway.

    d. In the 'Virtual networks' blade, under 'Settings' click on 'Subnets'.

    e. In the 'Subnets' blade, click on '+ Gateway subnet' to add a new Gateway subnet.

    f. In the 'Add Subnet' blade, configure the CIDR range of the new Gateway subnet and click 'Save'.


  • Create the VPN Gateway:

    a. In the Azure Portal: https://portal.azure.com, click on 'Create a resource'.

    b. In the search box, type 'Virtual network gateway'.

    c. Select 'Virtual network gateway' and click on 'Create'.

    d. In the 'Create virtual network gateway' blade, configure the following:

    i. Subscription: Verify that the correct subscription is selected for the deployment.

    ii. Instance details:

    > Name: This will be the name of the gateway object you are creating.
    > Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
    > Gateway type: VPN
    > VPN type: Route-based (this is a MUST to be able to use IKEv2).
    > SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
    > Generation: Generation 1
    > Virtual network: Choose the virtual network to which you want to add this gateway.

    iii. Public IP address:

    > Public IP address: Create New
    > Public IP address Name: Enter a Name for the public IP address resource.
    > Leave other settings as default.
    > Click on 'Review + Create'
    > Click on 'Create'
    > Creating a gateway can take up to 45 minutes!

    e. After the VPN gateway creation has completed successfully, obtain its public IP address (this will be needed in step 5).

    i. In the Azure Portal, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.

    ii. Click on the VPN Gateway that you just created.

    iii. In the 'VPN Gateway' blade, in the 'Overview' section, make a note of the public IP address of the gateway.

    iv. This will be used in step 5.


  • Create the VPN connection (Azure):

    a. In the Azure Portal: https://portal.azure.com, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.

    b. Select the VPN gateway that you created earlier.

    c. In the 'VPN Gateway' blade, in the 'Settings' section, click on 'Connections', then click on '+ Add'.

    d. In the 'Add connection' blade, configure the following:

    i. Name: Sophos_Xg_OnPrem_To_Azure (Input your preferred name)

    ii. Connection type: Site-to-site (IPSec)

    iii. Virtual network gateway: The value is fixed because you are connecting from this gateway.

    iv. Local network gateway:

    > Click 'Choose a local network gateway'
    > In the 'Choose a local network gateway' blade, select the local network gateway that you created earlier.

    v. Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos XG firewall.

    vi. IKE Protocol: IKEv2

    vii. The remaining values for Subscription, Resource Group, and Location are fixed.

    viii. Click OK to create your connection. You'll see 'Creating Connection' flash on the screen.



  • Download and extract needed information from the configuration file (Azure):

    a. In the Azure Portal: https://portal.azure.com, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.

    b. Select the VPN gateway that you created earlier.

    c. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.

    d. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the XG Firewall.

    e. In the 'Download configuration' blade, select the following:

    i. Device vendor: Generic Samples

    ii. Device family: Device Parameters

    iii. Firmware version: 1.0

    iv. Click on 'Download configuration'.

    f. Open the downloaded file and make a note of the following:

    i. Scroll down to the "Tunnel interface (VTI) configuration" section.

    ii. Make a note of the interface tunnel IP address and subnet mask.

    iii. Also, make a note of the MSS value.

    iv. Both values will be needed for the configuration of the "xfrm tunnel interface" on the Sophos XG.




  • Create the VPN connection (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG firewall.

    b. Under "Configure", click on "VPN" -> "IPSEC Connections" -> "Add".

    c. Configure the following settings:

    i. General Settings:

    > Name: Input any preferred name.
    > Connection type: Tunnel interface
    > IP version: Dual
    > Gateway type: Initiate
    > Activate on save: Selected
    > Description: Add a description for the connection.

    ii. Encryption:
    > Policy: Microsoft Azure
    > Authentication Type: Pre-shared key
    > Pre-shared key: Enter the same pre-shared key that you entered when creating the VPN connection on Azure.
    > Repeat pre-shared key: Confirm the above pre-shared key.

    iii. Gateway settings:

    > Listening interface: Select the WAN interface of the Sophos XG Firewall.
    > Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
    > Local ID: IP Address
    > Remote ID: IP Address
    > Local ID: Enter the public IP of the OnPrem Sophos XG firewall.
    > Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
    > There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
    iv. Advanced:
    > Leave default settings.

    v. Click "Save".

    vi. Click "OK" when prompted about the "Pre-shared key".

    vii. The connection should now be active. Click on the red button under Connection to enable the connection.



  • Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.

    b. Under "Protect", click on "Rules and policies" -> "Add firewall rule" -> "New firewall rule".

    c. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:

    i. Rule status: None

    ii. Rule name: azure_to_onprem

    iii. Action: Accept

    iv. Rule position: Top

    v. Rule group: None

    vi. Log firewall traffic: Selected

    vii. Source

    > Source zones: LAN and VPN
    > Source networks and devices: Any
    > During scheduled time: Leave default setting

    viii. Destination & services

    > Destination zones: LAN and VPN
    > Destination networks: Any
    > Services: Any

    ix. Leave other settings as default.

    > You can configure the security checks of the XG for the traffic if you want to.

    x. Click on "Save".


  • Configure the xfrm tunnel interface (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.

    b. Under "Configure", click on "Network" -> under "Interfaces", click on the xfrm interface.

    c. In the "Network" configuration window, configure the following:

    i. IPv4/netmask: Enter the IP address and select the subnet mask that you made a note of in Step 5 (6).

    ii. Expand "Advanced settings".

    > Select "Override MSS" and enter the MSS value that you made a note of in Step 5 (6).

    iii. Click on "Save".

    iv. In the "Update interface" prompt, click "Update interface".


  • Configure static routing to the Azure network (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.

    b. Under "Configure", click on "Routing" -> under "Static Routing", click on "Add".

    c. In the "Add unicast route" window, configure the following:

    i. Destination IP/Netmask: Enter the network IP and subnet mask of your Azure virtual network.

    ii. Gateway: Either leave this empty, or enter the second IP address in the network that you made a note of in Step 5 (6).

    iii. Interface: Select the XG's xfrm tunnel interface.

    iv. Distance: Leave default setting.

    v. Click on "Save".
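    The xfrm interface address, its peer and the static route above are easy to mistype. The following added example (not part of this guide, and not Sophos or Azure code) derives the "second IP address in the network" from the tunnel IP and mask noted from the configuration file, builds the unicast route entry, and checks that the on-premises address space given to the Local Network Gateway does not overlap the Azure virtual network. The tunnel subnet, VNet range and interface name xfrm1 are constructed sample values; the same helpers apply to the AWS xfrm and static-route steps later in this guide.

```python
# Added example (not from this guide, Sophos or Azure): helpers for the xfrm
# tunnel interface and static-route steps. Every address below is a constructed
# sample; take the real values from the downloaded configuration file.
import ipaddress
from typing import Dict, List, Tuple


def tunnel_peer(vti_ip: str, netmask: str) -> str:
    """Return the other usable address of a point-to-point tunnel subnet.

    When the xfrm interface holds the first host address, this is the
    'second IP address in the network' that the route's gateway field takes.
    """
    iface = ipaddress.ip_interface(f"{vti_ip}/{netmask}")
    hosts = list(iface.network.hosts())
    if len(hosts) != 2:
        raise ValueError(f"{iface.network} is not a two-host tunnel subnet")
    if iface.ip not in hosts:
        raise ValueError(f"{iface.ip} is the network or broadcast address")
    return str(hosts[1] if iface.ip == hosts[0] else hosts[0])


def static_route(cloud_cidr: str, vti_ip: str, netmask: str,
                 interface: str, use_gateway: bool = True) -> Dict[str, str]:
    """Build the 'Add unicast route' entry: destination is the cloud network,
    interface is the xfrm tunnel, gateway is the tunnel peer or left empty."""
    # strict=True rejects a destination with host bits set (e.g. 10.10.0.5/16)
    destination = ipaddress.ip_network(cloud_cidr, strict=True)
    return {
        "destination": str(destination),
        "gateway": tunnel_peer(vti_ip, netmask) if use_gateway else "",
        "interface": interface,
    }


def address_space_conflicts(onprem: List[str], cloud: List[str]) -> List[Tuple[str, str]]:
    """Overlapping on-prem and cloud ranges cannot be routed across the tunnel;
    return every overlapping (on-prem, cloud) pair so it is caught before the
    Local Network Gateway address space and the static routes are created."""
    return [
        (a, b)
        for a in onprem
        for b in cloud
        if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))
    ]


if __name__ == "__main__":
    # Constructed sample: the file lists tunnel IP 10.255.0.1, mask 255.255.255.252
    print(static_route("10.10.0.0/16", "10.255.0.1", "255.255.255.252", "xfrm1"))
    print(address_space_conflicts(["192.168.1.0/24", "10.10.5.0/24"], ["10.10.0.0/16"]))
```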


  • Verify the VPN connection:

    a. Do a connectivity test from an on-premises instance to an Azure VM.

    b. Do a connectivity test from an Azure VM to an on-premises instance.

    c. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.

    d. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections".

    e. In the "VPN Gateway - Connections" blade, ensure that the status of the connection is "Connected".

    f. Click on the connection and ensure that you're seeing data flow.

    i. If you see 0 B, that does not mean the connection is not working; it only means that no data flow has been detected on the Azure side.

Sophos XG Firewall v18 to AWS VPN Gateway IPSEC Connection

  • Create AWS Customer Gateway:

    a. Go to the AWS Portal: https://aws.amazon.com/console/ and sign in with your credentials.

    b. Under 'Services', click on 'VPC'.

    c. Filter your VPC, for the ease of navigation.

    d. On the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).

    > Click on 'Customer Gateways'.

    e. In the "Create customer gateway" blade, configure the following:

    i. Name: Specify any descriptive name.

    ii. Routing: Specify the mode of routing to be used. In our scenario, select Static.

    iii. IP Address: Specify the public IP address of your Sophos XG firewall.

    iv. Certificate ARN (optional): In our scenario, no Certificate is selected.

    v. Device (optional): In our scenario, no Device is selected.

    f. Click on Create Customer Gateway.

  • Create a Virtual Private Gateway (Attaching the VGW with your VPC):

    a. Select the virtual network for which you want to create a virtual network gateway.

    b. In the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).

    c. Click on 'Virtual Private Gateways'.

    d. In the "Create Virtual Private Gateway" blade, configure the following:

    i. Name tag: Specify a descriptive Name

    ii. ASN: Select the applicable option. In our scenario, select Amazon default ASN

    e. Click on Create Virtual Private Gateway.

    f. Attach Virtual Private Gateway (VGW) to the VPC.

    i. Select the newly created VGW.

    ii. Click on Actions and select Attach to VPC.


  • Create the Site-to-Site VPN connection (AWS):

    a. In the left navigation pane, scroll down to Site-to-Site VPN Connections.

    b. Click on 'Create VPN Connection'.

    c. In the "Create VPN Connection" blade, configure the following:

    i. Name Tag

    ii. Target Gateway Type

    iii. Virtual Private Gateway

    iv. Customer Gateway

    v. Customer Gateway ID

    vi. Routing Options

    vii. Static IP Prefixes

    viii. Local IPv4 Network = XG LAN resources

    ix. Remote IPv4 Network = AWS side resources

    d. Click on 'Create VPN Connection' to create the AWS VPN.



  • Download and extract needed information from the configuration file (AWS):

    a. Select the newly created VPN connection and click on Download Configuration.

    b. In the "Download configuration" blade, select the following:

    i. Vendor: Generic

    ii. Platform: Generic

    iii. Software: Vendor Agnostic

    iv. Click on "Download"



  • Create a route in the route table associated with your VPC:

    a. In the left navigation pane:

    i. Filter by VPC: Select your VPC.

    b. Navigate to VIRTUAL PRIVATE CLOUD > Route Tables.

    c. Select the associated Route Table.

    d. In the bottom navigation:

    i. Select the Routes tab.

    ii. Click on Edit routes.

    e. Click on Add route and configure the following:

    i. Destination: Private IP address range behind XG firewall. Typically, the remote private IP address is the LAN interface network on the on-prem Sophos XG firewall.

    ii. Target: Select the Virtual gateway created in Step 2.

    iii. Click on Save routes.


  • Create the VPN Policy (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG firewall.

    b. Create a new policy in Sophos XG matching the parameters specified in the document downloaded in the previous step.

    c. Navigate to CONFIGURE>VPN.

    d. Click on the "..." to expand the menu, and select IPsec policies.

    e. In the IPSec policies blade, configure the following:

    i. Name: Specify a descriptive name

    ii. Key exchange: Select IKEv1

    iii. Authentication mode: Select Main mode

    f. Scroll down to configure the parameters for Phase 1. These should match the downloaded configuration obtained in Step 4(2).

    g. In our scenario, configure the following Phase 1 parameters on Sophos XG:

    i. Key life: 28800

    ii. DH group (key group): 2[DH1024]

    iii. Encryption: AES128

    iv. Authentication: SHA1

    h. Scroll down to configure the parameters for Phase 2. These should match the downloaded configuration obtained in Step 4(2).

    i. In our scenario, configure the following Phase 2 parameters on Sophos XG:

    i. Key life: 3600

    ii. DH group (key group): Same as phase-I

    iii. Encryption: AES128

    iv. Authentication: SHA1

    j. Scroll down to configure the parameters for Dead Peer Detection.

    i. Tick the "Enable Dead Peer Detection" checkbox.

    ii. Click Save.

  • Create the VPN Connection (Sophos XG Firewall):

    a. Under "Configure", click on "VPN" -> "IPSEC Connections" -> "Add".

    b. Configure the following settings:

    c. General Settings

    i. Name: Input any preferred name

    ii. Connection Type: Tunnel interface

    iii. IP Version: Dual

    iv. Gateway Type: Initiate the Connection

    v. Activate on Save: Selected

    vi. Description: Add a description for the connection

    d. Encryption

    i. Policy: Select the policy created in Step 6

    ii. Authentication Type: Preshared Key

    iii. Preshared Key: Enter the preshared key as available from the downloaded configuration obtained in Step 4(2).

    iv. Repeat Preshared Key: Confirm the above preshared key

    e. Gateway Settings

    i. Listening Interface: Select the WAN interface of the Sophos XG firewall

    ii. Gateway Address: Input the public IP of the AWS VPN gateway. The AWS public IP /Virtual Private Gateway is available from the downloaded configuration obtained in Step 4(2).

    iii. Local ID: IP Address

    iv. Remote ID: IP Address

    v. Local ID: Enter the public IP of the OnPrem Sophos XG firewall

    vi. Remote ID: Input the public IP of the AWS VPN gateway. The AWS public IP /Virtual Private Gateway is available from the downloaded configuration obtained in Step 4(2).

    vii. There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".

    f. Advanced

    i. Leave default settings

    g. Click "Save".

    h. Click "OK" when prompted about the "Preshared key".

    i. The connection should now be active and in a connected state.


  • Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG firewall.

    b. Under "Protect", click on "Rules and Policies" -> "Add Firewall Rule" -> "New Firewall Rule".

    c. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:

    i. Rule status: ON

    ii. Rule Name: XGS_to_AWS

    iii. Action: Accept

    iv. Rule Position: Top


    v. Rule group: Automatic or select your VPN group

    vi. Log firewall traffic: Selected

    d. Source and destination

    i. Source Zones: LAN

    ii. Source Networks and Devices: IP or Network of the device(s) that will be reaching AWS

    iii. Destination Zones: VPN

    iv. Destination Networks: IP or Network of the device(s) in AWS

    v. During Scheduled Time: Leave the default setting

    e. Leave other settings as default.

    i. You can configure the security checks of the XG for the traffic if you want to.

    f. Click on "Save".

    g. Create a second firewall rule in case traffic is initiated by the AWS side:

    i. Rule status: ON

    ii. Rule Name: AWS_TO_XGS

    iii. Action: Accept

    iv. Rule Position: Top

    v. Rule group: Automatic or select your VPN group

    vi. Log firewall traffic: Selected

    h. Source and destination

    i. Source Zones: VPN

    ii. Source Networks and Devices: IP or Network of the device(s) that will be reaching XGS

    iii. Destination Zones: LAN

    iv. Destination Networks: IP or Network of the device(s) behind the XGS

    v. During Scheduled Time: Leave the default setting

    i. Leave other settings as default.

    i. You can configure the security checks of the XG for the traffic if you want to.

    j. Click on "Save".

  • Configure the xfrm tunnel interface (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG firewall.

    b. Under "Configure", click on "Network" -> under "Interfaces", click on the xfrm interface.

    c. In the "Network" configuration window, configure the following:

    i. IPv4/netmask: Enter the IP address. The IP address can be found under Inside IP Addresses >Customer Gateway, as obtained from the configuration file downloaded in Step 4(2).

    d. Expand "Advanced Settings"

    i. Select "Override MSS" and enter the MSS value as obtained from the configuration file downloaded in Step 4(2).

    e. Click on "Save".

    f. In the "Update interface" prompt, click "Update interface".



  • Configure static routing to the AWS network (Sophos XG Firewall):

    a. Log into the WebAdmin of your On-Premises Sophos XG firewall.

    b. Under "Configure", click on "Routing" -> Under "Static Routing", click on "Add".

    c. In the "Add unicast route" window, configure the following:

    i. Destination IP/Netmask: Enter the network IP and subnet mask of your AWS virtual network

    ii. Gateway: To be left empty

    iii. Interface: Select the XG's xfrm tunnel interface

    iv. Distance: Leave default setting

    v. Click on "Save"


  • Verify the VPN connection:

    a. In the AWS Portal: https://console.aws.amazon.com/, go to "Virtual Private Network (VPN)" and select Site-to-Site VPN Connections.

    b. In the "VPN Connection" blade, ensure that the status of the Tunnel is "UP".

    c. Check that the EC2 security groups allow RDP.

    d. Download the Remote Desktop file for your EC2 instance from AWS

    e. Perform a connectivity test from an on-premises instance to an AWS VM.


Sophos XG IPsec VPN to Google Cloud Platform

Navigate to Networking > Hybrid Connections > VPN and click on the +Create button.

  • Name: Any name using lowercase letters, numbers and hyphens (no spaces)
  • Description: Any
  • Network: Either pick your virtual network or use "Default"
  • Region: Same region as your VMs/services
  • IP address: If you already have a reservation here and it is free, you can pick it; otherwise create a new reservation by clicking "create IP Address"

In the Tunnels Section:

  • Name: Any name using lowercase letters, numbers and hyphens (no spaces)
  • Description:
  • Remote peer IP address: your XG's external IP
  • IKE version: IKEv2
  • Shared Secret: enter a secret here or click "Generate" (and copy it someplace safe as we will need this a little later)
  • Routing options: Policy-based - enter your remote and local networks


Click Done and the platform will spin the VPN config into life.

On your XG, navigate to Configure > VPN > IPsec Connections:

  • Click Add
  • Name: something suitable
  • Description:
  • IP Version: IPv4
  • Connection Type: Site-to-Site
  • Gateway Type: Respond Only
  • Policy: Cloned/modified IKEv2
  • Authentication Type: Preshared Key - And add the secret you either entered or generated earlier
  • Local Gateway: your WAN Port/IP
  • Local ID TYPE/Local ID - not used
  • Gateway Address: Your Google IP Address (you can find this on your GCP VPN page)
  • Remote ID Type/ Remote ID - not used
  • Add your local & remote networks as needed

Sophos XG Firewall and Oracle Cloud Infrastructure (OCI) policy-based IPsec

  • First, create a DRG:

    a. Within networking, it's in the menu on the left side.

    b. There are not many properties to a DRG; just its name.


  • Next, create a new CPE:

    a. Also left side menu.

    b. The CPE has a few more properties; this is where you specify the WAN address of the on-premises equipment.


  • Now we create the IPsec connection:

    a. Left side menu, IPsec connection.

    b. The default for an IPsec connection is policy-based ("static"), not route-based ("dynamic").


  • For the connection you will need to define the following:

    a. Name:

    b.

    c. DRG: select from the drop down

    d. CPE: select from the drop down.

    e. Static route CIDR: add on-premises networks here; click the "additional static routes" button to add more on-premises networks.

  • Click "Show advanced":

    a. Within the CPE identifier, add the WAN address you used when defining the CPE.

    b. Click the tunnel1 tab, define a name like "primary" and define a shared secret.

    c. Click the tunnel2 tab, define a name like "backup" and define a shared secret.



  • Finish up by clicking "Create IPsec connection".


  • Before we configure the XG to connect, collect the Oracle VPN's WAN IP addresses:

    a. Click on IPsec connections.

    b. Click on the name of your IPsec connection at the bottom of the page.

    c. In the "Tunnels in " section, you will see a column "Oracle VPN IP Address"; make a note of the primary and backup IP addresses.


  • Now we have all the pieces to define the IPsec policy and connection on the Sophos XG on-premise firewall.

    a. Within Sophos XG go to VPN, click the ellipsis to the far right, and from the drop-down select "IPsec policies".

    b. Click the "Add" button and define Phase 1 and Phase 2 as noted below:

    i. Phase1:

    > Mode: Main
    > Allow re-keying
    > DH group: 2 & 5
    > Lifetime: 28800
    > Encryption: AES-256
    > Authentication: SHA2 256

    ii. Phase2:

    > PFS group: 5
    > Encryption: AES256
    > Authentication: SHA1 (in the XG you will get a warning about using SHA1; note that Oracle documentation states to use sha1-96)
    > Key lifetime: 3600
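    The Phase 1 / Phase 2 values above for OCI, like those in the AWS IPsec policy section earlier, have to match the peer's proposal exactly or IKE negotiation fails, and the XG's SHA1 warning is worth understanding rather than clicking past. The following added example (not from this guide, nor from Sophos, AWS or Oracle) compares an XG policy against the parameters listed in this guide and flags algorithms the peer accepts but that are weak by current standards. The CLOUD_PROPOSALS table and the sample policy are transcribed from this page; they are not vendor APIs.

```python
# Added example, not from this guide or any vendor: check that the Phase 1 /
# Phase 2 values typed into a Sophos XG IPsec policy match what the cloud peer
# expects, and flag algorithms the peer accepts but that are weak today.
import re
from typing import Dict, List, Set, Union

# Peer parameters as listed in this guide (AWS and OCI sections).
CLOUD_PROPOSALS: Dict[str, Dict[str, dict]] = {
    "aws": {
        "phase1": {"encryption": "AES128", "authentication": "SHA1", "dh_group": 2, "lifetime": 28800},
        "phase2": {"encryption": "AES128", "authentication": "SHA1", "dh_group": 2, "lifetime": 3600},
    },
    "oci": {
        "phase1": {"encryption": "aes-256", "authentication": "sha2 256", "dh_group": "2 & 5", "lifetime": 28800},
        "phase2": {"encryption": "aes256", "authentication": "sha1", "dh_group": 5, "lifetime": 3600},
    },
}
# Still offered by several cloud VPN defaults, but below today's recommended floor
# (SHA-2, AES, and MODP groups of at least 2048 bits, i.e. DH group 14 or higher).
WEAK_HASHES = {"md5", "sha1"}
WEAK_CIPHERS = {"des", "3des"}
WEAK_DH_GROUPS = {1, 2, 5}
KEYS = ("encryption", "authentication", "dh_group", "lifetime")


def canon(key: str, value: Union[str, int, Set[int]]):
    """Map UI spellings ('AES-256', 'SHA2 256', '2[DH1024]', '2 & 5') to one form."""
    if key == "dh_group":
        if isinstance(value, set):
            return value
        groups = set()
        # Leading integer of each token: '2[DH1024]' -> {2}, '2 & 5' -> {2, 5}
        for tok in re.split(r"[&,]", str(value)):
            m = re.match(r"\s*(\d+)", tok)
            if m:
                groups.add(int(m.group(1)))
        return groups
    if key == "lifetime":
        return int(value)
    return re.sub(r"[\s\-_]", "", str(value)).lower()


def compare_policy(xg_policy: Dict[str, dict], peer: Dict[str, dict]) -> Dict[str, List[str]]:
    """Return mismatches (the tunnel will not come up) and warnings (weak but accepted)."""
    result: Dict[str, List[str]] = {"mismatches": [], "warnings": []}
    for phase in ("phase1", "phase2"):
        ours = {k: canon(k, xg_policy[phase][k]) for k in KEYS}
        theirs = {k: canon(k, peer[phase][k]) for k in KEYS}
        for k in ("encryption", "authentication", "lifetime"):
            if ours[k] != theirs[k]:
                result["mismatches"].append(f"{phase} {k}: XG {ours[k]!r} vs peer {theirs[k]!r}")
        # IKE negotiates a single DH group: at least one XG group must be accepted by the peer.
        if not ours["dh_group"] & theirs["dh_group"]:
            result["mismatches"].append(
                f"{phase} dh_group: XG {sorted(ours['dh_group'])} vs peer {sorted(theirs['dh_group'])}")
        if ours["authentication"] in WEAK_HASHES:
            result["warnings"].append(f"{phase} uses {ours['authentication']} integrity")
        if ours["encryption"] in WEAK_CIPHERS:
            result["warnings"].append(f"{phase} uses {ours['encryption']} encryption")
        if ours["dh_group"] <= WEAK_DH_GROUPS:
            result["warnings"].append(f"{phase} DH groups {sorted(ours['dh_group'])} are all below 2048-bit MODP")
    return result


if __name__ == "__main__":
    # The XG policy for AWS as entered in this guide: no mismatches, but SHA1 and
    # DH group 2 are reported as weak in both phases.
    xg_aws = {
        "phase1": {"encryption": "AES128", "authentication": "SHA1", "dh_group": "2[DH1024]", "lifetime": 28800},
        "phase2": {"encryption": "AES128", "authentication": "SHA1", "dh_group": "2[DH1024]", "lifetime": 3600},
    }
    for kind, lines in compare_policy(xg_aws, CLOUD_PROPOSALS["aws"]).items():
        for line in lines:
            print(kind.upper(), line)
```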



  • Within the XG go to VPN > IPsec connections


  • Add a new connection

    a. Type: Site-to-site

    b. Mode type: Initiate

    c. Policy: the one you created above.

    d. Shared secret: the one you defined for the primary tunnel.

    e. Listening interface: should match the WAN IP that you entered as the Oracle CPE address and IPsec IKE CPE identifier, since that is the address Oracle expects the tunnel from.

    f. Gateway address: this is the WAN IP of the primary Oracle VPN.


  • For local/remote networks:

    a. Local networks

    i. Include any on-premises network.

    b. Remote networks

    i. These would be any subnet within OCI that you wish to be reachable through the tunnel.
Copyright © 24 November 2024 Vast Edge Inc. All Rights Reserved.