Page permalink: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=8b5c71f6-9eed-4891-9c2a-a1273b058f50
You can configure IPsec VPN connections between firewalls behind a router. In this example, the head office firewall is behind a router and doesn't have a public IP address.
You must configure the following at the head office and the branch office:
- Firewall prerequisite: Configure IP hosts for the local and remote subnets.
- Configure the IPsec VPN connection.
- Optional: Edit the automatically created firewall rule to create an independent rule for outbound traffic.
- Optional: Create a firewall rule for inbound traffic if you want independent firewall rules.
- Allow access to services.
- Configure the router settings.
- Check connectivity.
- Check the logs.
Here's an example network diagram:
Configure the head office firewall
Configure the IPsec connection and firewall rules.
Add an IPsec connection
Create and activate an IPsec connection at the head office.
- Go to VPN > IPsec connections and click Add.
- Enter a name.
- Select Activate on save.
- Select Create firewall rule.
- For Connection type, select Site-to-site.
- For Gateway type, select Respond only.
  Here's an example:
- For Profile, select DefaultHeadOffice.
- For Authentication type, select Preshared key.
- Enter a key and confirm it.
  Here's an example:
- For Listening interface, select the local firewall's WAN port (example: 10.10.10.2).
- For Gateway settings, enter the remote firewall's WAN port (example: 203.0.113.10).
- For Local subnet, select the IP host you've created for 192.168.2.0.
- For Remote subnet, select the IP host you've created for 192.168.3.0.
- Click Save.
  Here's an example:
Edit the firewall rule
To configure an independent outbound VPN rule, edit the automatically created firewall rule. Alternatively, check the settings if you already have a firewall rule for VPN traffic.
- Go to Rules and policies > Firewall rules.
- Click the rule group Automatic VPN rules and click the rule you've created.
  Here's an example:
- Specify the following settings:

  | Option | Setting |
  |---|---|
  | Rule name | Outbound VPN traffic |
  | Source zones | LAN |
  | Source networks and devices | HQ_LAN |
  | Destination zones | VPN |
  | Destination networks | Branch_LAN |
  | Services | Any |

- Click Save.
  Here's an example:
Add a firewall rule
Create a firewall rule for inbound VPN traffic if you don't have one.
- Go to Rules and policies > Firewall rules.
- Click Add firewall rule and select New firewall rule.
- Specify the following settings:

  | Option | Setting |
  |---|---|
  | Rule name | Inbound VPN traffic |
  | Source zones | VPN |
  | Source networks and devices | Branch_LAN |
  | Destination zones | LAN |
  | Destination networks | HQ_LAN |
  | Services | Any |

- Click Save.
  Here's an example:
Allow access to services on the head office firewall
- Go to Administration > Device access.
- Under Ping/Ping6, select VPN.
  Users can ping the firewall's IP address through the VPN to check connectivity.
- Click Apply.
Configure a DNAT rule on the router
Do as follows:
- Make sure you configure a DNAT rule on the router to allow the VPN traffic:
  - Set the original destination to the router's WAN interface (example: 203.0.113.1).
  - Set the translated destination to the local firewall's WAN interface (example: 10.10.10.2).
- Allow the following services:
  - UDP port 500
  - UDP port 4500
  - IP protocol 50
Configure the branch office firewall
Configure the IPsec connection and firewall rules.
Add an IPsec connection
Create and activate an IPsec connection at the branch office.
- Go to VPN > IPsec connections and click Add.
- Enter a name.
- Select Activate on save.
- Select Create firewall rule.
- For Connection type, select Site-to-site.
- For Gateway type, select Initiate the connection.
  Here's an example:
- For Profile, select DefaultBranchOffice.
- For Authentication type, select Preshared key.
- Enter a key and confirm it.
  Here's an example:
- For Listening interface, select the local firewall's WAN port (203.0.113.10).
- For Gateway settings, enter the head office router's WAN port (203.0.113.1).
- For Local subnet, select the IP host you've created for 192.168.2.0.
- For Remote subnet, select the IP host you've created for 192.168.3.0.
- Click Save.
Edit the firewall rule
To configure an independent outbound VPN rule, edit the automatically created firewall rule. Alternatively, check the settings if you already have a firewall rule for VPN traffic.
- Go to Rules and policies > Firewall rules.
- Click the rule group Automatic VPN rules and click the rule you've created.
  Here's an example:
- Specify the following settings:

  | Option | Setting |
  |---|---|
  | Rule name | Outbound VPN traffic |
  | Source zones | LAN |
  | Source networks and devices | Branch_LAN |
  | Destination zones | VPN |
  | Destination networks | HQ_LAN |
  | Services | Any |

- Click Save.
  Here's an example:
Add a firewall rule
Create a rule for inbound VPN traffic if you don't already have one.
- Go to Rules and policies > Firewall rules.
- Click Add firewall rule and select New firewall rule.
- Specify the following settings:

  | Option | Setting |
  |---|---|
  | Rule name | Inbound VPN traffic |
  | Source zones | VPN |
  | Source networks and devices | HQ_LAN |
  | Destination zones | LAN |
  | Destination networks | Branch_LAN |
  | Services | Any |

- Click Save.
  Here's an example:
Allow access to services on the branch office firewall
- Go to Administration > Device access.
- Under Ping/Ping6, select VPN.
  Users can ping the firewall's IP address through the VPN to check connectivity.
- Click Apply.
Check the connectivity
Check the VPN connectivity between the head office and the branch office.
- Head office firewall: Ping the branch office subnet. For example, on Windows, type the following command at the command prompt:
ping 192.168.3.0
- Branch office firewall: Ping the head office subnet. For example, on Windows, type the following command at the command prompt:
ping 192.168.2.0
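The settings on the two firewalls and the router's DNAT rule all have to agree before the tunnel can come up, and a mismatch usually shows up only as a silent IKE timeout. The following Python check is an added example, not code from the Sophos page: it encodes those dependencies using the page's example addresses. The dictionary keys are my own, and the branch LAN is assumed to be 192.168.3.0/24, mirroring the HQ_LAN/Branch_LAN firewall rules and the ping check above.

```python
# Added example (not from the Sophos page): consistency check for a site-to-site
# IPsec tunnel whose head office firewall sits behind a NAT router.
from ipaddress import ip_address, ip_network

# Constructed from the page's example addresses; field names are assumptions.
HEAD_OFFICE = {"listening": "10.10.10.2", "gateway": "203.0.113.10",
               "gateway_type": "Respond only", "local": "192.168.2.0/24",
               "remote": "192.168.3.0/24", "psk": "example-psk"}
BRANCH = {"listening": "203.0.113.10", "gateway": "203.0.113.1",
          "gateway_type": "Initiate the connection", "local": "192.168.3.0/24",
          "remote": "192.168.2.0/24", "psk": "example-psk"}
ROUTER = {"wan": "203.0.113.1", "dnat_to": "10.10.10.2",
          "allowed": {("udp", 500), ("udp", 4500), ("ip", 50)}}

REQUIRED = {("udp", 500), ("udp", 4500), ("ip", 50)}  # IKE, NAT-T, ESP
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_topology(hq, branch, router):
    """Return a list of misconfigurations; an empty list means the setup is consistent."""
    findings = []
    behind_nat = any(ip_address(hq["listening"]) in n for n in RFC1918)
    if behind_nat and hq["gateway_type"] != "Respond only":
        findings.append("head office is behind NAT and must use Respond only")
    if branch["gateway_type"] != "Initiate the connection":
        findings.append("branch office must initiate the connection")
    # The branch must target the router's public WAN address, not the private one.
    if branch["gateway"] != router["wan"]:
        findings.append(f"branch gateway {branch['gateway']} is not router WAN {router['wan']}")
    if router["dnat_to"] != hq["listening"]:
        findings.append("router DNAT does not forward to the head office listening interface")
    missing = REQUIRED - router["allowed"]
    if missing:
        findings.append(f"router blocks {sorted(missing)}")
    if hq["psk"] != branch["psk"]:
        findings.append("preshared keys differ")
    # Each side's local subnet must be the other side's remote subnet, and they must not overlap.
    if hq["local"] != branch["remote"] or hq["remote"] != branch["local"]:
        findings.append("local/remote subnets are not mirrored between the peers")
    if ip_network(hq["local"]).overlaps(ip_network(hq["remote"])):
        findings.append("local and remote subnets overlap")
    return findings


if __name__ == "__main__":
    print(check_topology(HEAD_OFFICE, BRANCH, ROUTER) or "topology is consistent")
```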
Check the logs
The head office firewall's logs show that it's detected a NAT device in front of it.
The branch office firewall's logs show that it's detected a NAT device in front of the head office firewall.
More resources
- NAT traversal