IPsec VPN with firewall behind a router (2024)

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=8b5c71f6-9eed-4891-9c2a-a1273b058f50

You can configure IPsec VPN connections between firewalls behind a router. In this example, the head office firewall is behind a router and doesn't have a public IP address.

You must configure the following at the head office and the branch office:

  1. Firewall prerequisite: Configure IP hosts for the local and remote subnets.
  2. Configure the IPsec VPN connection.
  3. Optional: Edit the automatically created firewall rule to create an independent rule for outbound traffic.
  4. Optional: Create a firewall rule for inbound traffic if you want independent firewall rules.
  5. Allow access to services.
  6. Configure the router settings.
  7. Check connectivity.
  8. Check the logs.

Here's an example network diagram:

IPsec VPN with firewall behind a router (1)

Configure the head office firewall

Configure the IPsec connection and firewall rules.

Add an IPsec connection

Create and activate an IPsec connection at the head office.

  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Select Activate on save.
  4. Select Create firewall rule.
  5. For Connection type, select Site-to-site.
  6. For Gateway type, select Respond only.

    Here's an example:

    IPsec VPN with firewall behind a router (2)

  7. For Profile, select DefaultHeadOffice.

  8. For Authentication type, select Preshared key.
  9. Enter a key and confirm it.

    Here's an example:

    IPsec VPN with firewall behind a router (3)

  10. For Listening interface, select the local firewall's WAN port (example: 10.10.10.2).

  11. For Gateway settings, enter the remote firewall's WAN port (example: 203.0.113.10).
  12. For Local subnet, select the IP host you've created for 192.168.2.0.
  13. For Remote subnet, select the IP host you've created for 192.168.3.0.
  14. Click Save.

    Here's an example:

    IPsec VPN with firewall behind a router (4)

Edit the firewall rule

To configure an independent outbound VPN rule, edit the automatically created firewall rule. Alternatively, check the settings if you already have a firewall rule for VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Click the rule group Automatic VPN rules and click the rule you've created.

    Here's an example:

    IPsec VPN with firewall behind a router (5)

  3. Specify the following settings:

    Option                       Setting
    Rule name                    Outbound VPN traffic
    Source zones                 LAN
    Source networks and devices  HQ_LAN
    Destination zones            VPN
    Destination networks         Branch_LAN
    Services                     Any
  4. Click Save.

    Here's an example:

    IPsec VPN with firewall behind a router (6)

Add a firewall rule

Create a firewall rule for inbound VPN traffic if you don't have one.

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and select New firewall rule.
  3. Specify the following settings:

    Option                       Setting
    Rule name                    Inbound VPN traffic
    Source zones                 VPN
    Source networks and devices  Branch_LAN
    Destination zones            LAN
    Destination networks         HQ_LAN
    Services                     Any
  4. Click Save.

    Here's an example:

    IPsec VPN with firewall behind a router (7)

Allow access to services on the head office firewall

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select VPN.
    Users can ping the firewall's IP address through the VPN to check connectivity.
  3. Click Apply.

Configure a DNAT rule on the router

Do as follows:

  1. Make sure you configure a DNAT rule on the router to allow the VPN traffic:
    1. Set the original destination to the router's WAN interface (example: 203.0.113.1).
    2. Set the translated destination to the local firewall's WAN interface (example: 10.10.10.2).
  2. Allow the following services:
    1. UDP port 500
    2. UDP port 4500
    3. IP protocol 50

Configure the branch office firewall

Configure the IPsec connection and firewall rules.

Add an IPsec connection

Create and activate an IPsec connection at the branch office.

  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Select Activate on save.
  4. Select Create firewall rule.
  5. For Connection type, select Site-to-site.
  6. For Gateway type, select Initiate the connection.

    Here's an example:

    IPsec VPN with firewall behind a router (8)

  7. For Profile, select DefaultBranchOffice.

  8. For Authentication type, select Preshared key.
  9. Enter a key and confirm it.

    Here's an example:

    IPsec VPN with firewall behind a router (9)

  10. For Listening interface, select the local firewall's WAN port (203.0.113.10).

  11. For Gateway settings, enter the head office router's WAN port (203.0.113.1).
  12. For Local subnet, select the IP host you've created for 192.168.2.0.
  13. For Remote subnet, select the IP host you've created for 192.168.3.0.
  14. Click Save.

    IPsec VPN with firewall behind a router (10)

Edit the firewall rule

To configure an independent outbound VPN rule, edit the automatically created firewall rule. Alternatively, check the settings if you already have a firewall rule for VPN traffic.

  1. Go to Rules and policies > Firewall rules.
  2. Click the rule group Automatic VPN rules and click the rule you've created.

    Here's an example:

    IPsec VPN with firewall behind a router (11)

  3. Specify the following settings:

    Option                       Setting
    Rule name                    Outbound VPN traffic
    Source zones                 LAN
    Source networks and devices  Branch_LAN
    Destination zones            VPN
    Destination networks         HQ_LAN
    Services                     Any
  4. Click Save.

    Here's an example:

    IPsec VPN with firewall behind a router (12)

Add a firewall rule

Create a rule for inbound VPN traffic if you don't already have one.

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and select New firewall rule.
  3. Specify the following settings:

    Option                       Setting
    Rule name                    Inbound VPN traffic
    Source zones                 VPN
    Source networks and devices  HQ_LAN
    Destination zones            LAN
    Destination networks         Branch_LAN
    Services                     Any
  4. Click Save.

    Here's an example:

    IPsec VPN with firewall behind a router (13)

Allow access to services on the branch office firewall

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select VPN.
    Users can ping the firewall's IP address through the VPN to check connectivity.
  3. Click Apply.
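The router DNAT entries and the four zone-based firewall rules above (two at each site) together decide which packets can reach the head office firewall and which LAN-to-LAN flows are allowed through the tunnel. The following Python model is an added example, not Sophos code and not taken from this page: it encodes the router's DNAT (UDP 500, UDP 4500, IP protocol 50 to 10.10.10.2) and both sites' rule tables exactly as the page specifies them, then checks candidate packets against them. The /24 masks on 192.168.2.0 and 192.168.3.0 and the zone classification in dest_zone are assumptions of the model, as are the Packet and Rule helpers; a real firewall derives zones from the interface a packet arrives on.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Example addresses from the page; the /24 masks are an assumption of this model.
HQ_LAN = ipaddress.ip_network("192.168.2.0/24")
BRANCH_LAN = ipaddress.ip_network("192.168.3.0/24")
ROUTER_WAN = ipaddress.ip_address("203.0.113.1")    # head office router, public
HQ_FW_WAN = ipaddress.ip_address("10.10.10.2")      # head office firewall WAN, private
BRANCH_FW_WAN = ipaddress.ip_address("203.0.113.10")

UDP, ESP = 17, 50   # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int = UDP
    dport: Optional[int] = None
    zone: str = "LAN"   # zone on which the packet enters the firewall


def router_dnat(pkt: Packet) -> Optional[ipaddress.IPv4Address]:
    """The router DNAT the page asks for: packets addressed to the router's
    WAN address carrying IKE (UDP 500), NAT-T (UDP 4500) or ESP (protocol 50)
    are translated to the head office firewall's WAN address. Anything else
    is left alone (None), so only the VPN control and data channels reach it."""
    if ipaddress.ip_address(pkt.dst) != ROUTER_WAN:
        return None
    if pkt.proto == UDP and pkt.dport in (500, 4500):
        return HQ_FW_WAN
    if pkt.proto == ESP:
        return HQ_FW_WAN
    return None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_net: ipaddress.IPv4Network
    dst_zone: str
    dst_net: ipaddress.IPv4Network
    # Services is "Any" in the page's tables, so protocol and port are not checked.

    def matches(self, pkt: Packet, dst_zone: str) -> bool:
        return (pkt.zone == self.src_zone
                and ipaddress.ip_address(pkt.src) in self.src_net
                and dst_zone == self.dst_zone
                and ipaddress.ip_address(pkt.dst) in self.dst_net)


# The four rules exactly as the page's tables specify them.
HQ_RULES = [
    Rule("Outbound VPN traffic", "LAN", HQ_LAN, "VPN", BRANCH_LAN),
    Rule("Inbound VPN traffic", "VPN", BRANCH_LAN, "LAN", HQ_LAN),
]
BRANCH_RULES = [
    Rule("Outbound VPN traffic", "LAN", BRANCH_LAN, "VPN", HQ_LAN),
    Rule("Inbound VPN traffic", "VPN", HQ_LAN, "LAN", BRANCH_LAN),
]


def dest_zone(site_lan: ipaddress.IPv4Network, pkt: Packet) -> str:
    """Zone classification assumed by this model: the site's own subnet is
    LAN, the peer's tunnelled subnet is VPN, everything else is WAN."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in site_lan:
        return "LAN"
    if dst in HQ_LAN or dst in BRANCH_LAN:
        return "VPN"
    return "WAN"


def first_match(rules: List[Rule], site_lan: ipaddress.IPv4Network,
                pkt: Packet) -> Optional[str]:
    """Name of the first rule that allows the packet; None means the
    firewall's implicit drop applies."""
    dz = dest_zone(site_lan, pkt)
    for rule in rules:
        if rule.matches(pkt, dz):
            return rule.name
    return None


if __name__ == "__main__":
    ike = Packet(str(BRANCH_FW_WAN), str(ROUTER_WAN), UDP, 500, zone="WAN")
    print("IKE from the branch is forwarded to", router_dnat(ike))
    lan = Packet("192.168.2.10", "192.168.3.20")
    print("HQ LAN -> branch LAN allowed by", first_match(HQ_RULES, HQ_LAN, lan))
```

Two checks worth running against your own rule set are in the model: a packet to the router's WAN address on any port other than 500/4500 or protocol 50 gets no DNAT, and a packet arriving in the VPN zone with a source address that is not the peer's subnet matches neither rule, so the implicit drop applies.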

Check the connectivity

Check the VPN connectivity between the head office and the branch office.

  • Head office firewall: Ping the branch office subnet. For example, on Windows, type the following command at the command prompt: ping 192.168.3.0
  • Branch office firewall: Ping the head office subnet. For example, on Windows, type the following command at the command prompt: ping 192.168.2.0

Check the logs

The head office firewall's logs show that it's detected a NAT device in front of it.

The branch office firewall's logs show that it's detected a NAT device in front of the head office firewall.
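The two log observations above (head office sees NAT in front of itself, branch sees NAT in front of the head office) are the quickest way to confirm that the router's DNAT is passing IKE and that NAT traversal kicked in. The script below is an added example, not Sophos code: it scans exported IKE log text for NAT-detection and IKE_SA-established lines and compares the result with this page's topology. The sample log lines are constructed for the example in a strongSwan-like wording and are not copied from a real device; the regular expressions in NAT_PATTERNS are assumptions you would adapt to the exact wording your firewall version writes.

```python
import re
from typing import Dict, List

# Constructed sample logs for this example (not real device output).
HQ_LOG = """\
2024-05-01 10:00:01 charon: 05[IKE] local host is behind NAT, sending keep alives
2024-05-01 10:00:01 charon: 05[IKE] IKE_SA Branch[1] established between 10.10.10.2...203.0.113.10
2024-05-01 10:00:02 charon: 05[IKE] CHILD_SA Branch{1} established
"""
BRANCH_LOG = """\
2024-05-01 10:00:01 charon: 07[IKE] remote host is behind NAT
2024-05-01 10:00:01 charon: 07[IKE] IKE_SA HQ[1] established between 203.0.113.10...203.0.113.1
2024-05-01 10:00:02 charon: 07[IKE] CHILD_SA HQ{1} established
"""
# What the branch typically logs when the router does not forward UDP 500/4500:
# the IKE_SA_INIT request is retransmitted and nothing is ever established.
BRANCH_LOG_NO_DNAT = """\
2024-05-01 10:00:01 charon: 07[IKE] initiating IKE_SA HQ[1] to 203.0.113.1
2024-05-01 10:00:05 charon: 07[IKE] retransmit 1 of request with message ID 0
2024-05-01 10:00:12 charon: 07[IKE] retransmit 2 of request with message ID 0
"""

# Assumed patterns; adjust to the wording of your own firewall's IKE log.
NAT_PATTERNS = {
    "local_behind_nat": re.compile(r"local host is behind NAT"),
    "remote_behind_nat": re.compile(r"remote host is behind NAT"),
    "ike_sa_established": re.compile(r"IKE_SA \S+ established"),
}


def nat_status(log_text: str) -> Dict[str, bool]:
    """Return which of the NAT/IKE events appear anywhere in the log text."""
    found = {key: False for key in NAT_PATTERNS}
    for line in log_text.splitlines():
        for key, pattern in NAT_PATTERNS.items():
            if pattern.search(line):
                found[key] = True
    return found


def check_topology(hq: Dict[str, bool], branch: Dict[str, bool]) -> List[str]:
    """Compare both sites' status with this page's topology, in which only the
    head office sits behind a NAT device. Returns findings; empty means as expected."""
    findings = []
    if not hq["local_behind_nat"]:
        findings.append("head office did not detect a NAT device in front of itself; "
                        "check the router's DNAT for UDP 500 and 4500")
    if not branch["remote_behind_nat"]:
        findings.append("branch office did not detect NAT in front of the head office")
    if branch["local_behind_nat"]:
        findings.append("branch office reports itself behind NAT, but its WAN address is public")
    if hq["remote_behind_nat"]:
        findings.append("head office reports the branch behind NAT; unexpected here")
    for site, status in (("head office", hq), ("branch office", branch)):
        if not status["ike_sa_established"]:
            findings.append(f"{site}: no IKE_SA established line, tunnel is probably down")
    return findings


if __name__ == "__main__":
    hq, branch = nat_status(HQ_LOG), nat_status(BRANCH_LOG)
    print("healthy tunnel findings:", check_topology(hq, branch))
    print("missing DNAT findings:", check_topology(hq, nat_status(BRANCH_LOG_NO_DNAT)))
```

Run it against a log export from each firewall in turn; an empty findings list is the expected result for the topology on this page, while retransmits with no established IKE_SA on the branch side point at the router's DNAT rather than at the IPsec settings.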

More resources

  • NAT traversal

