Wikisysop at 08:28, 26 August 2024

2024-08-26T08:28:10Z

← Older revision		Revision as of 08:28, 26 August 2024
Line 62:		Line 62:
	* Select connection type as “Ste-to-site”		* Select connection type as “Ste-to-site”
	* Gateway type as “Respond only” as this firewall is going to respond to all the incoming VPN connections.		* Gateway type as “Respond only” as this firewall is going to respond to all the incoming VPN connections.
	* Enable “Activate on Save” if you do not wish to enable this VPN on save. Also Create Firewall rule option can be enabled if you wish SOPHOS to create an Auto VPN firewall rule. [[File:IPsec General Settings .png\|frameless\|620x620px]]		* Enable “Activate on Save” if you do not wish to enable this VPN on save. Also Create Firewall rule option can be enabled if you wish SOPHOS to create an Auto VPN firewall rule. [[File:IPsec General Settings .png\|frameless\|620x620px]]

	Encryption:		Encryption:
Line 75:		Line 75:
	* Gateway address can be marked as “*” when IPSec destination IP address (Public IP) is unknown.		* Gateway address can be marked as “*” when IPSec destination IP address (Public IP) is unknown.
	* Local and Remote ID type can be anything among available options, but we are using “DNS” which is a domain name so that we can use a name containing Alphanumeric character string in Local and Remote ID options. [[File:SOPHOS Gateway Settings.png\|frameless\|620x620px]]		* Local and Remote ID type can be anything among available options, but we are using “DNS” which is a domain name so that we can use a name containing Alphanumeric character string in Local and Remote ID options. [[File:SOPHOS Gateway Settings.png\|frameless\|620x620px]]
	* Local and Remote Subnet should be selected if already created in System>Host and services>> IP Host option or can be created directly by clicking on “Add new item” [[File:SOPHOS Gateway Settings Step 2.png\|frameless\|620x620px]] Here we gave a name as Local_LAN and given a standard SOPHOS LAN subnet as shown in below image. [[File:Same way a remote Subnet can be configured.png\|frameless\|620x620px]] Same way a remote Subnet can be configured. In Local Subnet /24 network was configured for remote side /32 subnet can be selected in case of IPSec is created with a loopback interface on SILBO side, in case Local LAN is must then changes can be made accordingly. [[File:Local Subnet Configuration.png\|frameless\|620x620px]]		* Local and Remote Subnet should be selected if already created in System>Host and services>> IP Host option or can be created directly by clicking on “Add new item” [[File:SOPHOS Gateway Settings Step 2.png\|frameless\|620x620px]] Here we gave a name as Local_LAN and given a standard SOPHOS LAN subnet as shown in below image. [[File:Same way a remote Subnet can be configured.png\|frameless\|620x620px]] Same way a remote Subnet can be configured. In Local Subnet /24 network was configured for remote side /32 subnet can be selected in case of IPSec is created with a loopback interface on SILBO side, in case Local LAN is must then changes can be made accordingly. [[File:Local Subnet Configuration.png\|frameless\|620x620px]]
	* NAT should be kept disabled.		* NAT should be kept disabled.

Line 146:		Line 146:

	[[File:Firewall from SILBO.png\|frameless\|620x620px]]		[[File:Firewall from SILBO.png\|frameless\|620x620px]]


			[[File:Traffic Rules.png\|frameless\|620x620px]]

			How to create IPsec VPN in SOPHOS similar to exsisting VPN?

			Ans: Step 1 choose which VPN tunnel is correct and you want to create identical but a different tunnel

			[[File:How to create IPsec VPN in SOPHOS similar to existing VPN Step 1.png\|frameless\|620x620px]]

			Step2: Make changes into these sections into a new duplicate tunnel.

			[[File:Make changes into these sections into a new duplicate tunnel..png\|frameless\|610x610px]]

			'''Note:''' Use different loopback IP for each router in router/gateway in case of more routers are planned to communicate with same SOPHOS. Also make these changes “Name” it should be unique , “Local subnet”, “Local and remote Identifier” as per SOHOS configuration.

Wikisysop: Created page with "'''Prerequisite:''' * SOPHOS firewall * SILBO Router or gateway * Static Public IP on wired internet connection * SIM card with active internet Note: This document is prepared using XGS3100 (SFOS 20.0.1 MR-1-Build342) X31020MJG8C2MEF & SILBO 1.16_1.13 FW version. == SOPHOS VPN setup == 1. Creating IPSec Policy/Profile. Create a new IPSec tunnel by navigating to Configure>> Site-to-Site VPN & click on IPsec profiles. 620x620px..."

2024-08-26T07:31:04Z

Created page with "'''Prerequisite:''' * SOPHOS firewall * SILBO Router or gateway * Static Public IP on wired internet connection * SIM card with active internet Note: This document is prepared using XGS3100 (SFOS 20.0.1 MR-1-Build342) X31020MJG8C2MEF & SILBO 1.16_1.13 FW version. == SOPHOS VPN setup == 1. Creating IPSec Policy/Profile. Create a new IPSec tunnel by navigating to Configure>> Site-to-Site VPN & click on IPsec profiles. frameless|620x620px..."

New page

'''Prerequisite:'''

* SOPHOS firewall
* SILBO Router or gateway
* Static Public IP on wired internet connection
* SIM card with active internet

Note: This document is prepared using XGS3100 (SFOS 20.0.1 MR-1-Build342) X31020MJG8C2MEF &

SILBO 1.16_1.13 FW version.

== SOPHOS VPN setup ==
1. Creating IPSec Policy/Profile.

Create a new IPSec tunnel by navigating to Configure>> Site-to-Site VPN & click on IPsec profiles.

[[File:SOPHOS VPN setup.png|frameless|620x620px]]

In the SOPHOS Firewall first we should create a Policy suitable for the need of architecture. Click on Add button once IPsec Profiles option window is available to configure.

[[File:SOPHOS VPN setup 2.png|frameless|620x620px]]

Give a Name to the profile.

Select “Key Exchange” & “Authentication mode” as per need.

For unlimited key negotiation use “0” in “Key negotiation tries” option. Keep “Re-key connection” option enabled.

[[File:SOPHOS General Settings.png|frameless|620x620px]]

Key Exchange and Mode configured as IKEv1 & Main Mode.

Let us configure Phase 1 and then 2 configurations in the policy.

The Phase 1 configuration and Phase 2 configuration can be same or different.

Phase 1 configuration:

[[File:SOPhos Phase 1 Configuration.png|frameless|620x620px]]

Phase 2 configuration:

[[File:SOPhos Phase 2 Configuration.png|frameless|620x620px]]

The DPD (Dead Peer Detection) Should be disabled when SOPHO Firewall is configured as VPN server and in case it is used as client then it can be enabled.

Note: High encryption and authentication algorithm meaning less IPsec throughput and based on Internet speed on the Local and remote side the option should be selected.

Save the configuration so that this Policy can be used in IPsec VPN.

Navigate to Configure>>Site-to-Site for IPsec VPN.

* Click on Add or use Wizard to create IPSec VPN. [[File:Create IPSec VPN.png|frameless|620x620px]]

General Settings:

* Give a name to the VPN in this example we are giving “Test3” name.
* Configure it as IPv4 as this document is for IPv4 only.
* Select connection type as “Ste-to-site”
* Gateway type as “Respond only” as this firewall is going to respond to all the incoming VPN connections.
* Enable “Activate on Save” if you do not wish to enable this VPN on save. Also Create Firewall rule option can be enabled if you wish SOPHOS to create an Auto VPN firewall rule. [[File:IPsec General Settings .png|frameless|620x620px]]

Encryption:

* The profile should be correctly selected.
* The same IPsec Profile / policy “SILBOIPSEC” is selected for this IPsec VPN.
* Select the Authentication type as PSK (Preshared Key). [[File:SOPHOS Encryption.png|frameless|620x620px]]

Gateway Settings:

* The Listening IP is the Public IP or the WAN IP on which IPSec ports are forwarded from Public IP. i.e. UDP 4500 and UDP 500.
* Gateway address can be marked as “*” when IPSec destination IP address (Public IP) is unknown.
* Local and Remote ID type can be anything among available options, but we are using “DNS” which is a domain name so that we can use a name containing Alphanumeric character string in Local and Remote ID options. [[File:SOPHOS Gateway Settings.png|frameless|620x620px]]
* Local and Remote Subnet should be selected if already created in System>Host and services>> IP Host option or can be created directly by clicking on “Add new item” [[File:SOPHOS Gateway Settings Step 2.png|frameless|620x620px]] Here we gave a name as Local_LAN and given a standard SOPHOS LAN subnet as shown in below image. [[File:Same way a remote Subnet can be configured.png|frameless|620x620px]] Same way a remote Subnet can be configured. In Local Subnet /24 network was configured for remote side /32 subnet can be selected in case of IPSec is created with a loopback interface on SILBO side, in case Local LAN is must then changes can be made accordingly. [[File:Local Subnet Configuration.png|frameless|620x620px]]
* NAT should be kept disabled.

== Configuring SILBO Router/gateway: ==
Login to router using default IP 192.168.10.1 for gateways Default IP address is 192.168.9.1 and default credentials are admin/admin.

[[File:Log In.png|frameless|620x620px]]

Once login we can see the FW version.

[[File:IA44B System.png|frameless|620x620px]]

Change the IP address to required IP, in this testing we are using 192.168.11.1 IP address.

To do that Navigate to Settings>>Network from 192.168.10.1 to 192.168.11.1 and save / update.

For loopback configuration Navigate to Settings>>Network>>Loopback IP Settings and configured IP address and NetMask as shown.

Save and then Update which is must for Network section.

[[File:Loopback IP Settings.png|frameless|620x620px]]

Upon IP changed configure VPN.

Navigate to >> Settings>>VPN>> IPsec>> and do as per below images

[[File:Fortigate firewall VPN config.png|frameless|620x620px]]

And configure IPSec as per SOPHOS configuration.

[[File:IPSec as per SOPHOS .png|frameless|620x620px]]

Once all the configuration is correctly configured and clicked on save button device will show VPN configuration >> General settings.

Save and then navigate to VPN>>Ipsec setting page and click on update.

IPsec will come up after some time and it can be seen as established as shown below.

[[File:Ipsec in SILBO Router.png|frameless|620x620px]]

Also, in SOPHOS it can be seen as below.

[[File:Sophos VPN Dashboard.png|frameless|620x620px]]

To Ping server LAN, navigate to features>>Others and give LAN IP and ping.

If the ping is not working then check the firewall side settings whether the ping is allowed or not.

[[File:Others .png|frameless|620x620px]]

'''Note:''' In SOHOS The below Firewall Rules should be present if not then should be created.

Navigate to Protect>>Rules and Policies>>Firewall Rules in SOPHOS.

[[File:Firewall Rules in SOPHOS.png|frameless|620x620px]]

To create a new firewall rule click on “Add firewall rule ”.

LAN to VPN Overview.

[[File:LAN to VPN Overview.png|frameless|620x620px]]

Basically the below configuration should be added without touching other configuration options in the firewall rule.

for Both LAN to VPN and VPN to LAN.

[[File:LANtoVPN and VPNtoLAN.png|frameless|620x620px]]

The Firewall from SILBO should also should be as below.

[[File:Firewall from SILBO.png|frameless|620x620px]]

IPSec SOPHOS and SILBO - Revision history

Wikisysop at 08:28, 26 August 2024