IPsec Site-to-Site VPNs on Sophos Firewall

The document discusses how to configure route-based and policy-based IPsec site-to-site VPN connections on Sophos Firewall. It explains that route-based VPNs create a tunnel interface that can be configured independently of routing, while policy-based VPNs automatically route between defined local and remote networks. It provides instructions for creating tunnel interfaces, selecting IPsec profiles, and configuring routing to establish a basic route-based IPsec VPN between two Sophos Firewalls.

Uploaded by

André Moura

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

Sophos Firewall
FW3020: Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

April 2022
Version: 19.0v1

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall - 1


Getting Started with IPsec Site-to-Site VPNs on Sophos Firewall

In this chapter you will learn how to configure IPsec site-to-site VPN connections for simple
environments.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Sophos Firewall zones and interfaces
✓ Protocols used for VPN access

DURATION
11 minutes



IPsec Site-to-Site VPNs

Route-based VPN
• VPN connection is independent of routes for traffic
• Routes can be modified without disconnecting VPN
• Routes are created manually

Policy-based VPN
• Local and remote networks are defined as part of the VPN
• VPN must be edited to change networks and requires disconnecting and reconnecting
• Routes are created automatically
Sophos Firewall supports two types of IPsec VPN: route-based and policy-based.

With route-based VPNs you create a VPN connection between two firewalls, then separately
configure routing for the traffic you want to send over the connection.

With policy-based VPNs, you define the local and remote networks as part of the VPN connection
and routes will be created for these networks only.

The advantage of route-based VPNs is that you can make changes to the traffic being routed over
the connection without having to edit, and therefore disconnect and reconnect, the VPN.



IPsec VPN Profiles

IPsec VPN profiles are configured in: SYSTEM > Profiles > IPsec profiles

• Security parameters used to establish and maintain the VPN connection
• Both sides of the VPN must allow the same settings
• There are several profiles provided out-of-the-box

IPsec VPNs require a matching set of algorithms and settings on both ends for a tunnel to be
successfully created. On the Sophos Firewall these are configured in IPsec profiles.

There are several preconfigured profiles that ship with the Sophos Firewall, but these can be
cloned and modified to meet your requirements. This may be necessary to meet compliance
criteria, or to create a VPN with a third-party device.



Route-Based VPN

[Diagram: two Sophos Firewalls joined by an xfrm tunnel interface, with the networks
172.16.16.0/24, 172.20.77.0/24, 192.168.16.0/24, and 192.168.2.0/24 shown at the two sites.]

When you create a route-based VPN, an xfrm tunnel interface is created on the Sophos Firewall.
This can be configured like any other interface, except it is always in the VPN zone. You can create
routes, NAT rules, and firewall rules in the same way you would for any other traffic.



Creating the VPN Tunnel Interfaces

IPsec VPNs are configured in: CONFIGURE > Site-to-Site VPN > IPsec

• Select the Tunnel interface connection type
• At least one side of the connection must be configured to initiate the connection
• Select either:
  • Preshared key
  • Digital certificate
  • RSA key

Let’s look at how you can configure this. We will look at the configuration for one side of the
tunnel; however, this will need to be done on both ends.

The first step is to create the tunnel interfaces. This is done by creating a new IPsec configuration;
select Tunnel interface for the connection type.

You will notice that when you select tunnel interface the IP version automatically changes to Dual,
as tunnel interfaces support both IPv4 and IPv6.

One side of the connection must be configured to initiate the connection. The other can be
configured to only respond.

In the ‘Encryption’ section, select the IPsec profile and type of authentication you want to use.



Creating the VPN Tunnel Interfaces

• You do not need to specify the local and remote networks for tunnel interfaces

In the ‘Gateway settings’ section, select the local interface that will be used to create the VPN
connection and enter the IP address of the firewall that will be on the other side.

When configuring the local and remote gateways you do not specify the local and remote networks
for tunnel interfaces; however, you must set the remote gateway address. Unlike policy-based IPsec
VPNs, you cannot use a wildcard for the remote gateway address even if the tunnel interface is
configured to respond only.



Configuring the Tunnel Interfaces

• Tunnel interfaces are always in the VPN zone

Once you have saved the IPsec connection you will see a new interface has been created for it. The
interface will be bound to the physical interface selected when you created the IPsec connection.

The interface itself is configured in the same way as any other interface; however, you cannot
configure the zone. Tunnel interfaces are always in the VPN zone.

You must ensure that the tunnel interfaces at each end of the tunnel are in the same subnet.



Routing for Route-Based VPNs
Configure routes to send the traffic over the tunnel
Supports static routes, SD-WAN policy routes, and dynamic routing

Once you have configured the tunnel interfaces you can create routes for the traffic to use the
VPN. Routing can be configured using static routes, SD-WAN policy routes, and dynamic routing.
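The following is an added example, not part of the Sophos course material or the product's own code. It models the two rules stated for route-based VPNs: the tunnel interfaces at both ends must share one subnet, and the routes for remote networks are created separately from the connection. The tunnel addresses (10.255.0.0/30), the xfrm interface naming, and the TunnelEnd structure are assumptions made for the example; the site networks are the ones shown in the diagram above.

```python
"""Route-based VPN helper (added example, not Sophos Firewall code).

Checks that the two xfrm tunnel interfaces share a subnet and builds the
static routes one end needs for the other end's networks. The address
plan and the interface naming are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TunnelEnd:
    name: str
    tunnel_ip: str        # IP/prefix assigned to this end's xfrm tunnel interface
    local_networks: list  # networks behind this firewall
    # Tunnel interfaces cannot be moved out of the VPN zone, so it is fixed here.
    zone: str = field(default="VPN", init=False)


def same_tunnel_subnet(a: TunnelEnd, b: TunnelEnd) -> bool:
    """Both tunnel interface addresses must fall in one subnet (and differ)."""
    ia = ipaddress.ip_interface(a.tunnel_ip)
    ib = ipaddress.ip_interface(b.tunnel_ip)
    return ia.network == ib.network and ia.ip != ib.ip


def static_routes_for(local: TunnelEnd, remote: TunnelEnd) -> list:
    """Routes 'local' needs: each remote network via the peer's tunnel address.

    Returns (destination, next_hop, interface) tuples. A remote network that
    overlaps a local one is rejected, because such a route would also pull
    local traffic into the tunnel.
    """
    next_hop = str(ipaddress.ip_interface(remote.tunnel_ip).ip)
    routes = []
    for net in remote.local_networks:
        dst = ipaddress.ip_network(net)
        for own in local.local_networks:
            if dst.overlaps(ipaddress.ip_network(own)):
                raise ValueError(f"{dst} overlaps local network {own}")
        # Interface name "xfrm-<site>" is an assumption, not Sophos naming.
        routes.append((str(dst), next_hop, f"xfrm-{local.name}"))
    return routes


# Constructed sample topology: tunnel /30 is assumed, site networks from the diagram.
SITE_A = TunnelEnd("site-a", "10.255.0.1/30", ["172.16.16.0/24", "172.20.77.0/24"])
SITE_B = TunnelEnd("site-b", "10.255.0.2/30", ["192.168.16.0/24", "192.168.2.0/24"])

if __name__ == "__main__":
    if not same_tunnel_subnet(SITE_A, SITE_B):
        raise SystemExit("tunnel interfaces are not in the same subnet")
    for dst, via, ifname in static_routes_for(SITE_A, SITE_B):
        print(f"route {dst} via {via} dev {ifname}")
```

Run with the built-in sample to see the two routes site A needs; swap SITE_B's tunnel address for one in a different /30 and same_tunnel_subnet reports the mismatch before any route is generated.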



Simulation: Create a Route-Based IPsec Site-to-Site VPN

In this simulation you will create a route-based IPsec site-to-site VPN between two Sophos
Firewalls.

https://training.sophos.com/fw/simulation/IpsecVpnS2s/1/start.html



Policy-Based IPsec VPN: IPsec VPN Wizard

• Step-by-step guide for creating IPsec VPNs
• IPsec VPN policies are configured in: CONFIGURE > VPN > IPsec Connections
• Additional information about the configuration shown on the left

We will now look at configuring policy-based VPNs.

There is a wizard that can be launched from the IPsec site-to-site VPN page, which can be used to
create a policy-based VPN. The wizard will walk through the steps necessary to create a VPN,
providing additional help and descriptions for each field on the left.



Policy-Based IPsec VPN 1

Let’s walk through the configuration created by the wizard.

In the ‘General settings’ you can choose between IPv4 or IPv6 and whether the Sophos Firewall
should only respond to VPN requests or try to initiate them.

When you are creating a new VPN you can also optionally choose to have the Sophos Firewall
automatically create firewall rules, although these will be fairly general and should be reviewed.



Policy-Based IPsec VPN 2

[Screenshot annotations: Local RSA key: copy this to the ‘Remote RSA key’ field on the peer device.
Remote RSA key: copy this from the ‘Local RSA key’ field on the peer device.]

In the ‘Encryption’ section you select the VPN profile, either one of the out-of-the-box profiles, or
one you have created yourself. Select the authentication type, which can be either a pre-shared
key, an RSA key, or a digital certificate.

Pre-shared keys are a passphrase that is entered on both devices. This is generally the weakest
authentication type, mostly because the key length is usually short in comparison to the other
options.

RSA keys are public/private key pairs. The public key is copied from each device to the other device.
This provides good security, as the key length is much longer, and different keys are used for each
device. As a bonus, you do not need to create a passphrase; you can simply copy and paste the
keys.

Digital certificates are the most secure option, but take some additional effort to configure. They
provide public/private key pairs similar to RSA keys, but are also signed by trusted certificate
authorities, and have the longest key lengths.



Policy-Based IPsec VPN 3

In the ‘Gateway settings’ you configure the interface the Sophos Firewall will use for the VPN and
where it will be connecting to. If the remote side has a dynamic IP address a wildcard can be used;
however, this also means the Sophos Firewall cannot initiate the connection as it does not know
where to connect to.

IPsec VPNs can also have an ID, which can be based on DNS, IP address, email address, or an X.509
certificate name.

Finally, you need to define which networks will be available over the VPN. That is, the local
networks that remote devices will be able to access, and the remote networks you expect to be
able to access over the VPN.
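The following is an added example, not part of the Sophos course material or the product's own code. It encodes the gateway-settings rules this chapter states as a small pre-flight check: tunnel-interface connections take no local or remote networks and never accept a wildcard remote gateway; policy-based connections need both network lists and may use a wildcard only when set to respond only; and at least one end of any pair must initiate. The dictionary field names, the "initiate"/"respond_only" values, the problem strings, the IP-only gateway check, and the pre-shared key length threshold are assumptions made for this example.

```python
"""Pre-flight check for IPsec connection gateway settings (added example,
not Sophos Firewall code). Field names and values are assumptions.
"""
import ipaddress

WILDCARD = "*"
MIN_PSK_CHARS = 20  # threshold is an assumption; the chapter only says PSKs are usually short


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def validate_connection(conn: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    ctype = conn.get("connection_type")
    remote = conn.get("remote_gateway", "")
    initiates = conn.get("gateway_type") == "initiate"
    has_networks = bool(conn.get("local_networks")) or bool(conn.get("remote_networks"))

    if ctype == "tunnel_interface":
        # Even a respond-only tunnel interface needs a fixed remote gateway address.
        if remote == WILDCARD:
            problems.append("tunnel interface: wildcard remote gateway is not allowed")
        if has_networks:
            problems.append("tunnel interface: local/remote networks are not used; create routes instead")
    elif ctype == "policy_based":
        if not conn.get("local_networks") or not conn.get("remote_networks"):
            problems.append("policy-based: both local and remote networks must be defined")
        # A wildcard peer has no address to connect to, so this end can only respond.
        if remote == WILDCARD and initiates:
            problems.append("policy-based: wildcard remote gateway cannot initiate; use respond only")
    else:
        problems.append(f"unknown connection type {ctype!r}")

    # The chapter says to enter the peer's IP address; hostnames are out of scope here.
    if remote != WILDCARD and not _is_ip(remote):
        problems.append(f"remote gateway {remote!r} is not an IP address")

    if conn.get("authentication") == "preshared_key" and len(conn.get("preshared_key", "")) < MIN_PSK_CHARS:
        problems.append(f"pre-shared key is shorter than {MIN_PSK_CHARS} characters")
    return problems


def both_ends_consistent(a: dict, b: dict) -> list:
    """Problems across a pair; two respond-only ends never bring the tunnel up."""
    problems = validate_connection(a) + validate_connection(b)
    if a.get("gateway_type") != "initiate" and b.get("gateway_type") != "initiate":
        problems.append("neither end initiates the connection")
    return problems


# Constructed sample pair (TEST-NET addresses): head office initiates to a branch
# whose address is dynamic, so the branch responds only and uses a wildcard peer.
HEAD_OFFICE = {
    "connection_type": "policy_based", "gateway_type": "initiate",
    "remote_gateway": "198.51.100.7", "authentication": "rsa_key",
    "local_networks": ["172.16.16.0/24"], "remote_networks": ["192.168.16.0/24"],
}
BRANCH = {
    "connection_type": "policy_based", "gateway_type": "respond_only",
    "remote_gateway": WILDCARD, "authentication": "rsa_key",
    "local_networks": ["192.168.16.0/24"], "remote_networks": ["172.16.16.0/24"],
}

if __name__ == "__main__":
    for problem in both_ends_consistent(HEAD_OFFICE, BRANCH) or ["no problems found"]:
        print(problem)
```

The check is deliberately about configuration consistency, not about whether the peer is reachable; the same rules applied to a tunnel-interface connection with a wildcard gateway, or to a pair where both ends are respond-only, produce the corresponding problem strings.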



IPsec Acceleration

XGS Series Appliances Support IPsec Acceleration

Cipher and Authentication Combinations

SUPPORTED
• AES-CBC with 128/192/256-bit AES keys with SHA-1, SHA-256, SHA-384, or SHA-512 HMAC
• AES-GCM with 128/192/256-bit AES key
• NULL cipher with 128-bit GMAC authentication

UNSUPPORTED
• DES, 3DES
• TwoFish
• MD5

Sophos XGS Series appliances support IPsec acceleration, which offloads the IPsec encryption and
decryption to the NPU.

This is faster in terms of performance, and it also offloads work from the CPU, freeing up cycles
to work on other security processing functions.

Here you can see that the most used ciphers and authentication combinations are supported, with
only DES, 3DES, TwoFish, and MD5 being unsupported.
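The following is an added example, not part of the Sophos course material or the product's own code. It brings together two points from this chapter: the IPsec profiles on both ends must offer a matching set of algorithms (the IPsec VPN Profiles section), and on XGS appliances only the cipher and authentication combinations listed above can be offloaded to the NPU. The proposal tuple layout, the algorithm identifiers, the DH group labels, and the sample profiles are assumptions constructed for the example; the supported and unsupported lists are taken from the table above.

```python
"""IPsec profile matching and XGS acceleration check (added example, not
Sophos Firewall code). Proposal layout and algorithm names are assumptions.
"""

# Combinations the chapter lists as accelerated on XGS appliances.
ACCELERATED_CIPHERS = {
    "aes128-cbc", "aes192-cbc", "aes256-cbc",  # CBC needs one of the HMACs below
    "aes128-gcm", "aes192-gcm", "aes256-gcm",  # AEAD: integrity is built in
    "null-gmac128",                             # NULL cipher with 128-bit GMAC
}
ACCELERATED_HMACS = {"sha1", "sha256", "sha384", "sha512"}
# Algorithms the chapter lists as unsupported by the accelerator.
UNSUPPORTED = {"des", "3des", "twofish", "md5"}


def matching_proposals(local: list, remote: list) -> list:
    """(cipher, integrity, dh_group) triples both ends allow, in local preference order."""
    remote_set = set(remote)
    return [p for p in local if p in remote_set]


def accelerated(proposal: tuple) -> bool:
    """True when the NPU can offload this cipher/integrity combination."""
    cipher, integrity, _dh = proposal
    if cipher in UNSUPPORTED or integrity in UNSUPPORTED:
        return False
    if cipher.endswith("-gcm") or cipher == "null-gmac128":
        return cipher in ACCELERATED_CIPHERS  # AEAD modes carry their own integrity
    return cipher in ACCELERATED_CIPHERS and integrity in ACCELERATED_HMACS


def negotiate(local: list, remote: list):
    """Pick the first common proposal and report whether it will be offloaded.

    Returns None when the two profiles share no proposal, which is the case
    where the tunnel simply never comes up.
    """
    common = matching_proposals(local, remote)
    if not common:
        return None
    chosen = common[0]
    return {"proposal": chosen, "accelerated": accelerated(chosen), "common": common}


# Constructed sample profiles. LOCAL_PROFILE is a cloned profile that still
# carries a legacy 3DES entry for an old third-party peer.
LOCAL_PROFILE = [
    ("aes256-gcm", "none", "dh14"),
    ("aes256-cbc", "sha256", "dh14"),
    ("3des", "sha1", "dh2"),
]
THIRD_PARTY_PROFILE = [("3des", "sha1", "dh2"), ("aes256-cbc", "sha256", "dh14")]
LEGACY_PROFILE = [("3des", "sha1", "dh2")]

if __name__ == "__main__":
    for name, peer in (("third-party", THIRD_PARTY_PROFILE), ("legacy", LEGACY_PROFILE)):
        result = negotiate(LOCAL_PROFILE, peer)
        if result is None:
            print(f"{name}: no common proposal, tunnel will not establish")
        else:
            print(f"{name}: {result['proposal']} accelerated={result['accelerated']}")
```

Because selection follows the local preference order, the third-party peer ends up on AES-256-CBC/SHA-256 even though it also offers 3DES, and only the legacy peer falls back to a combination that the NPU cannot offload.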



IPsec Acceleration
console> system ipsec-acceleration disable

This will restart all IPsec tunnels and stop offloading IPsec VPN traffic
to the Xstream flow processor.

Turn off IPsec acceleration(Y/N)?


Y

console> system ipsec-acceleration enable

This will restart all IPsec tunnels and offload IPsec VPN traffic to the
Xstream flow processor.

Turn on IPsec acceleration(Y/N)?


Y

IPsec acceleration is configured on the Console using the system ipsec-acceleration command to
enable and disable the feature.



IPsec Acceleration

[Diagram: packet flow inside the Sophos Firewall with IPsec acceleration enabled. KERNEL: does
packet encapsulation and adds the ESP header (Request → ESP + Request). NPU/Xstream Processor:
detects the encapsulated packet and performs the encryption (ESP + Request → ESP).]

With IPsec acceleration enabled, when a packet comes in the kernel will still perform the
encapsulation, but it will not encrypt the packet.

The NPU will detect the ESP header and perform the encryption on the packet.

The reverse will happen with the reply. The NPU will decrypt the packet and the kernel will remove
the encapsulation.



IPsec Acceleration with Firewall Acceleration (FastPath)

[Diagram: packet flow inside the Sophos Firewall with both IPsec acceleration and FastPath
enabled. The kernel is bypassed. NPU/Xstream Processor: does packet encapsulation and adds the ESP
header (Request → ESP + Request), then detects the encapsulated packet and performs the encryption
(ESP + Request → ESP).]

If you also have firewall acceleration enabled, offloading to the FastPath, the NPU will do the
packet encapsulation and the encryption. This is the ideal scenario.

The opposite is true with IPsec acceleration and firewall acceleration both disabled, as the kernel
will do both the encapsulation and encryption.



Chapter Review
IPsec profiles contain the security parameters to establish and maintain the VPN. Both
sides of the VPN need to support the same settings

Route-based VPNs create an xfrm interface that is configured like any other interface.
Routes are created manually, separate to the connection

Policy-based VPNs define the networks, and routes are created automatically. The VPN
requires a reconnection if you edit the networks for the VPN

Firewall rules can be created automatically when you create a policy-based VPN but are
broad and should be edited

Here are the four main things you learned in this chapter.

IPsec profiles contain the security parameters to establish and maintain the VPN. Both sides of the
VPN need to support the same settings.

Route-based VPNs create an xfrm interface that is configured like any other interface. Routes are
created manually, separate to the connection.

Policy-based VPNs define the networks, and routes are created automatically. The VPN requires a
reconnection if you edit the networks for the VPN.

Firewall rules can be created automatically when you create a policy-based VPN but are broad and
should be edited.
