Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection using RSA Keys
KB-000035716 | Mar 4, 2020
Overview
This article describes the steps to configure a Site-to-Site IPsec VPN connection using RSA keys as an
authentication method for VPN peers.

The following sections are covered:

Configuring Sophos Firewall 1
Configuring Sophos Firewall 2
Establishing the IPsec connection
Results
Related information

Applies to the following Sophos products and versions
Sophos Firewall

Configuring Sophos Firewall 1

Add local and remote LAN
Go to Hosts and Services > IP Host and select Add to create the local LAN.

Go to Hosts and Services > IP Host and select Add to create the remote LAN.
Create an IPsec VPN connection
Go to VPN > IPsec Connections and select Wizard. Give it a name and click on Start to follow the wizard.

Select Site To Site as the connection type and select Head Office.

Set the Authentication Type to RSA key.

The local RSA key is loaded automatically.

You need to copy and paste the Remote RSA key from Sophos Firewall 2.

Note: The RSA key is generated with 2048 bits by default.

In the Local Subnet field, choose the local LAN created earlier.

In the Remote Subnet field, choose the remote LAN created earlier.

Review the IPsec connection summary and click Finish.
After you click Finish, the following screen is displayed, showing the connection created above.

Click the icon under Status (Active) to activate the connection.

Add two firewall rules allowing VPN traffic
Go to Firewall and click +Add Firewall Rule. Create two user/network rules as shown below.
Configuring Sophos Firewall 2

Add local and remote LAN
Go to Hosts and Services > IP Host and select Add to create the local LAN.

Go to Hosts and Services > IP Host and select Add to create the remote LAN.

Create an IPsec VPN connection
Go to VPN > IPsec Connections and select Wizard. Give it a name and click on Start to follow the wizard.

Select Site To Site as the connection type and select Branch Office.

Set the Authentication Type to RSA key.

The local RSA key is loaded automatically.

You need to copy and paste the Remote RSA key from Sophos Firewall 1.

Note: The RSA key is generated with 2048 bits by default.

In the Local Subnet field, choose the local LAN created earlier.

In the Remote Subnet field, choose the remote LAN created earlier.

Review the IPsec connection summary and click Finish.

After you click Finish, the following screen is displayed, showing the connection created above.

Click the icon under Status (Active) to activate the connection.
Add two firewall rules allowing VPN traffic
Go to Firewall and click +Add Firewall Rule. Create two user/network rules as shown below.
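The wizard steps on both firewalls depend on pasting the peer's RSA public key by hand, and a key that is truncated or wrapped during copy/paste is a common reason the tunnel never authenticates. The following Python example is added here and is not code from Sophos or from this article: it strips copy/paste whitespace, parses the key, confirms the 2048-bit size the article notes as the default, and returns a SHA-256 fingerprint that can be compared with the same computation run on the other firewall before the connection is activated. It assumes the key is displayed in the RFC 3110 "0s" + base64 form used by strongSwan (encode_rfc3110, parse_rfc3110, check_remote_key and the sample modulus are all constructed for this example); confirm the format against the key your firewall shows.

```python
import base64
import hashlib
import re

# Constructed sample key: a modulus of exactly 2048 bits and exponent 65537.
# It is not a real firewall key; it only exercises the parser below.
SAMPLE_N = (1 << 2047) | 1
SAMPLE_E = 65537


def encode_rfc3110(n: int, e: int) -> str:
    """Encode (n, e) in the RFC 3110 '0s<base64>' form (assumed here to be
    the format the Sophos Firewall wizard shows as the local RSA key)."""
    e_bytes = e.to_bytes((e.bit_length() + 7) // 8, "big")
    # One-byte exponent length, or 0x00 followed by a two-byte length.
    hdr = bytes([len(e_bytes)]) if len(e_bytes) < 256 else b"\x00" + len(e_bytes).to_bytes(2, "big")
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return "0s" + base64.b64encode(hdr + e_bytes + n_bytes).decode("ascii")


def parse_rfc3110(key_text: str) -> dict:
    """Parse a pasted key, tolerating line breaks and spaces added by copy/paste."""
    compact = re.sub(r"\s+", "", key_text)
    if not compact.startswith("0s"):
        raise ValueError("key does not start with the '0s' RSA prefix")
    raw = base64.b64decode(compact[2:], validate=True)
    if len(raw) < 4:
        raise ValueError("key is too short")
    if raw[0] != 0:
        e_len, off = raw[0], 1
    else:
        e_len, off = int.from_bytes(raw[1:3], "big"), 3
    e = int.from_bytes(raw[off:off + e_len], "big")
    n = int.from_bytes(raw[off + e_len:], "big")
    return {"bits": n.bit_length(), "exponent": e,
            "fingerprint": hashlib.sha256(raw).hexdigest()}


def check_remote_key(key_text: str, expected_bits: int = 2048):
    """Return (True, fingerprint) if the pasted key is complete and has the
    expected size, else (False, reason)."""
    try:
        info = parse_rfc3110(key_text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"unparseable key: {exc}"
    if info["bits"] != expected_bits:
        return False, f"modulus is {info['bits']} bits, expected {expected_bits} (truncated paste?)"
    if info["exponent"] < 3 or info["exponent"] % 2 == 0:
        return False, "invalid public exponent"
    return True, info["fingerprint"]
```

Run check_remote_key() on the text pasted into each firewall's Remote RSA key field and on the Local RSA key shown by the peer; the two fingerprints must match, otherwise the wrong or an incomplete key was pasted.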
Establishing the IPsec connection
Once both Sophos Firewall devices at the head and branch offices are configured, establish the IPsec connection between them. Go to VPN > IPsec Connections and click the icon under Status (Connection).
Results
A ping test from a machine behind Sophos Firewall 1 to a machine behind Sophos Firewall 2 and vice versa should work.

Go to Firewall and verify that the VPN rules allow ingress and egress traffic.

Go to Reports > VPN and verify the IPsec usage.

Click on the connection name for details.
Note:

Make sure that the VPN firewall rules are at the top of the Firewall Rule list.
In a head and branch office configuration, the Sophos Firewall at the branch office usually acts as the tunnel initiator and the Sophos Firewall at the head office as the responder, for the following reasons:
When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection.
As the number of branch offices varies, it is recommended that each branch office retry the connection instead of the head office retrying all connections to the branch offices.

Related information
Sophos XG Firewall v17: How to enable IKEv2 for IPsec VPN
Sophos Firewall: How to change firewall rule order
Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Sophos Firewall: How to establish a Site-to-Site IPsec connection using Digital Certificates
Sophos Firewall: How to apply NAT over a Site-to-Site IPsec VPN connection
Sophos Firewall: How to configure an IPsec VPN connection with multiple end points
Sophos Firewall: How to establish a Site-to-Site VPN connection between Cyberoam and Sophos Firewall using a preshared key
Sophos Firewall: How to create a hub and spoke IPsec VPN
Sophos Firewall: Troubleshooting steps when traffic is not passing through the VPN tunnel

Previous article ID: 123139