Create a policy-based IPsec VPN using preshared key - Sophos Firewall (2024)

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=site-to-site-VPN-policy-based-IPsec

You can configure an IPsec VPN between the head office and a branch office.

In this example, we've used a preshared key for authentication.

Network diagram

Head office configuration

Configure the LANs

Create hosts for the head office and branch office networks at the head office.

  1. Go to Hosts and services > IP host and click Add.
  2. Configure the IP hosts for the local and remote subnets as follows:

    Setting      IP host 1      IP host 2
    Name         HQ_LAN         Branch_LAN
    IP version   IPv4           IPv4
    Type         Network        Network
    IP address   192.10.10.0    192.20.20.0
  3. Click Save.

Add an IPsec connection

Create and activate an IPsec connection at the head office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select IPv4.
  4. Select Create firewall rule.
  5. Set Connection type to Site-to-site.
  6. Set Gateway type to Respond only.

    The head office firewall usually acts as the responder, and the branch office firewalls act as tunnel initiators because there are many of them. We recommend that each branch office retries its own connection rather than having the head office retry all connections to the branch offices.

  7. Set Profile to Head office (IKEv2).

    IKEv2 allows you to have unique preshared keys for unique local-remote ID combinations.

  8. Set Authentication type to Preshared key.

  9. Enter the preshared key and repeat it.

    Note the preshared key. You'll need to paste it in the branch office firewall's connection.

  10. For Listening interface, select the local interface Port1 - 172.10.10.1.

  11. Set Local ID type to IP address.

    You can select DNS, IP address, or email. The values are only for identification and don't have to be valid values in your network.

  12. For Local ID, enter 1.1.1.1.

  13. For Local subnet, select the local IP host you configured.

  14. Under Remote gateway, for Gateway address, enter the branch office gateway 172.20.20.1.

  15. Set Remote ID type to IP address.
  16. For Remote ID, enter 2.2.2.2.
  17. For Remote subnet, select the remote IP host you configured.

  18. Click Save.

    The connection appears on the list of IPsec connections.

  19. Click the status button to activate the connection.
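Step 9 asks you to enter a preshared key but says nothing about how to choose one. RFC 7296 (IKEv2) section 2.15 recommends that a preshared key be a random value rather than a password chosen by a person, because a peer that can interact with the firewall can test guesses against the AUTH payload offline. The following Python script is an added example, not code from the Sophos page or product: it generates a key from the operating system's CSPRNG and flags weak candidates. The alphabet (letters and digits), the 40-character default length and the 128-bit entropy target are assumptions, as is the short list of weak secrets used by the check.

```python
import math
import secrets
import string

# Assumptions (not from the Sophos page): the firewall accepts ASCII letters and
# digits in a preshared key, and 128 bits is our minimum entropy target.
PSK_ALPHABET = string.ascii_letters + string.digits
MIN_PSK_BITS = 128

# Constructed list of human-chosen secrets that must never be used as a PSK.
WEAK_SECRETS = {"password", "sophos", "vpn", "ipsec", "branch", "headoffice", "12345678"}


def generate_psk(length: int = 40) -> str:
    """Return a preshared key drawn from the OS CSPRNG via the secrets module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(psk: str) -> float:
    """Upper bound on the entropy of a PSK, assuming every character was picked
    uniformly from the character classes that actually occur in it."""
    if not psk:
        return 0.0
    classes = 0
    if any(c.islower() for c in psk):
        classes += 26
    if any(c.isupper() for c in psk):
        classes += 26
    if any(c.isdigit() for c in psk):
        classes += 10
    if any(not c.isalnum() for c in psk):
        classes += 32  # assumption: roughly the size of the printable ASCII punctuation set
    return len(psk) * math.log2(classes)


def check_psk(psk: str) -> list:
    """Return a list of problems with a candidate PSK; an empty list means it is acceptable."""
    problems = []
    lowered = psk.lower()
    if lowered in WEAK_SECRETS or lowered.rstrip(string.digits) in WEAK_SECRETS:
        problems.append("matches a common human-chosen secret")
    if psk_entropy_bits(psk) < MIN_PSK_BITS:
        problems.append(f"entropy below {MIN_PSK_BITS} bits")
    if psk != psk.strip():
        problems.append("leading or trailing whitespace (easily lost when pasting into the other firewall)")
    return problems


if __name__ == "__main__":
    key = generate_psk()
    print(f"generated PSK ({psk_entropy_bits(key):.0f} bits): {key}")
    print("problems with 'password123':", check_psk("password123"))
```

Generate the key once, paste the same value into both firewalls, and keep it in a password manager rather than in a ticket or chat message; the whitespace check exists because a trailing space picked up while copying is a common cause of an IKE authentication failure that is otherwise hard to see in the GUI.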

Edit firewall rule to create inbound rule

Edit the firewall rule that was created automatically when you saved the IPsec connection, and save it as a rule that allows inbound VPN traffic. Because you set the IPsec connection to Respond only, you need a firewall rule that allows inbound traffic from the branch office.

  1. Go to Rules and policies > Firewall rules and click the IPsec HQ to Branch rule.

  2. (Optional) Change the rule name.

  3. Set Source zones to VPN.
  4. Set Source networks and devices to Branch_LAN.
  5. Set Destination zones to LAN.
  6. Set Destination networks to HQ_LAN.
  7. Click Save.

Note

If you already have a firewall rule to allow inbound VPN traffic, you can add the remote subnet to its Source networks and devices and the local subnet to Destination networks. You don't need to create an independent firewall rule for each IPsec connection.

Allow access to services

Make sure you allow access from WAN to IPsec. To check tunnel connectivity, you can ping a remote IP address through the VPN connection you created.

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.
  4. Click Apply.

Branch office configuration

Configure the LANs

Create the hosts for the branch office and head office networks at the branch office.

  1. Go to Hosts and services > IP host and click Add.
  2. Configure the IP hosts for the local and remote subnets as follows:

    Setting      IP host 1      IP host 2
    Name         Branch_LAN     HQ_LAN
    IP version   IPv4           IPv4
    Type         Network        Network
    IP address   192.20.20.0    192.10.10.0
  3. Click Save.

Add an IPsec connection

Create and activate an IPsec connection at the branch office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select IPv4.
  4. Select Create firewall rule.
  5. Set Connection type to Site-to-site.
  6. Set Gateway type to Initiate the connection.

  7. Set Profile to Branch office (IKEv2).

  8. Set Authentication type to Preshared key.
  9. Paste the preshared key you've used in the head office firewall and repeat it.

  10. For Listening interface, select the local interface Port1 - 172.20.20.1.

  11. Set Local ID type to IP address.

    You must select the ID type you've selected in the head office firewall.

  12. For Local ID, enter 2.2.2.2.

  13. For Local subnet, select the local IP host you configured.

  14. Under Remote gateway, for Gateway address, enter the head office gateway (172.10.10.1).

  15. Set Remote ID type to IP address.
  16. For Remote ID, enter 1.1.1.1.
  17. For Remote subnet, select the remote IP host you configured.

  18. Click Save.

    The connection appears on the list of IPsec connections.

  19. Click the status button to activate the connection.

Edit firewall rule to create outbound rule

Edit the firewall rule that was created automatically when you saved the IPsec connection, and save it as a rule that allows outbound VPN traffic, because you set the IPsec connection to initiate the connection.

  1. Go to Rules and policies > Firewall rules and click the IPsec Branch to HQ rule.
  2. (Optional) Change the rule name.
  3. Set Source zones to LAN.
  4. Set Source networks and devices to Branch_LAN.
  5. Set Destination zones to VPN.
  6. Set Destination networks to HQ_LAN.
  7. Click Save.

Note

If you already have a firewall rule to allow outbound VPN traffic, you can add the local subnet to its Source networks and devices and the remote subnet to Destination networks.
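Every IPsec setting above is entered twice, once on each firewall, and the two sides must mirror each other: the head office's Local ID is the branch's Remote ID, the head office's listening interface is the branch's Gateway address, the subnets are swapped, the ID type and preshared key are identical, and exactly one side initiates while the other responds. The firewall rules are mirrored the same way (VPN to LAN on the responder, LAN to VPN on the initiator). The following Python script is an added example, not Sophos code or any Sophos API: it transcribes the values this page enters on both firewalls into two dictionaries and checks them against each other, so a transcription slip is caught before you start reading IKE logs. The dictionary keys and the PSK placeholder are assumptions; the addresses and IDs are the page's own.

```python
# Constructed example: the two dictionaries transcribe what this page enters in
# the head office and branch office GUIs. The PSK value is a placeholder, since
# the page does not show its key. Not Sophos product code or API.
HQ = {
    "site": "Head office",
    "gateway_type": "Respond only",
    "auth": "Preshared key",
    "psk": "PSK-PLACEHOLDER",
    "listening_interface": "172.10.10.1",
    "local_id_type": "IP address",
    "local_id": "1.1.1.1",
    "local_subnet": "192.10.10.0",       # HQ_LAN
    "remote_gateway": "172.20.20.1",
    "remote_id_type": "IP address",
    "remote_id": "2.2.2.2",
    "remote_subnet": "192.20.20.0",      # Branch_LAN
    "firewall_rule": {"src_zone": "VPN", "src_net": "192.20.20.0",
                      "dst_zone": "LAN", "dst_net": "192.10.10.0"},
}

BRANCH = {
    "site": "Branch office",
    "gateway_type": "Initiate the connection",
    "auth": "Preshared key",
    "psk": "PSK-PLACEHOLDER",
    "listening_interface": "172.20.20.1",
    "local_id_type": "IP address",
    "local_id": "2.2.2.2",
    "local_subnet": "192.20.20.0",       # Branch_LAN
    "remote_gateway": "172.10.10.1",
    "remote_id_type": "IP address",
    "remote_id": "1.1.1.1",
    "remote_subnet": "192.10.10.0",      # HQ_LAN
    "firewall_rule": {"src_zone": "LAN", "src_net": "192.20.20.0",
                      "dst_zone": "VPN", "dst_net": "192.10.10.0"},
}

# Each "local" field on one side must equal the matching "remote" field on the other.
MIRRORED = [
    ("local_id", "remote_id"),
    ("local_id_type", "remote_id_type"),
    ("local_subnet", "remote_subnet"),
    ("listening_interface", "remote_gateway"),
]


def check_pair(a: dict, b: dict) -> list:
    """Compare the IPsec connection settings of two peers; return a list of mismatches."""
    problems = []
    for mine, theirs in MIRRORED:
        for x, y in ((a, b), (b, a)):
            if x[mine] != y[theirs]:
                problems.append(f"{x['site']} {mine}={x[mine]!r} but {y['site']} {theirs}={y[theirs]!r}")
    if a["auth"] != b["auth"]:
        problems.append("authentication types differ")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if {a["gateway_type"], b["gateway_type"]} != {"Respond only", "Initiate the connection"}:
        problems.append("exactly one side must initiate the connection and the other respond only")
    return problems


def check_firewall_rule(side: dict) -> list:
    """The responder allows VPN (remote subnet) -> LAN (local subnet); the initiator allows
    LAN (local subnet) -> VPN (remote subnet), as the page configures them."""
    rule = side["firewall_rule"]
    if side["gateway_type"] == "Respond only":
        expected = ("VPN", side["remote_subnet"], "LAN", side["local_subnet"])
    else:
        expected = ("LAN", side["local_subnet"], "VPN", side["remote_subnet"])
    actual = (rule["src_zone"], rule["src_net"], rule["dst_zone"], rule["dst_net"])
    if actual != expected:
        return [f"{side['site']} firewall rule is {actual}, expected {expected}"]
    return []


def check_config(a: dict, b: dict) -> list:
    """Run every check over both peers; an empty list means the sites mirror each other."""
    return check_pair(a, b) + check_firewall_rule(a) + check_firewall_rule(b)


if __name__ == "__main__":
    for problem in check_config(HQ, BRANCH) or ["no mismatches found"]:
        print(problem)
```

Run it with the values you actually typed; a non-empty result points at the exact field to correct. Note that the checker compares only what the page configures: it does not inspect IKE or ESP proposals, which the Head office (IKEv2) and Branch office (IKEv2) profiles set for you.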

Allow access to services

Make sure you allow access from WAN to IPsec. To check tunnel connectivity, you can ping a remote IP address through the VPN connection you created.

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.
  3. Under Ping/Ping6, select VPN.
  4. Click Apply.

Check the tunnel's connectivity

  • In the head office and branch office firewalls, check that you can ping the remote subnet.

    Example

    On the CLI, enter 5 for Device console, then enter 3 for Advanced shell.

    In the head office firewall, enter the following command: ping 192.20.20.2

    In the branch office firewall, enter the following command: ping 192.10.10.2

  • Click Rules and policies and go to the firewall rule you created to see the traffic.


