Sophos Ipsec with Acreto

Overview

This article will help you connect your Sophos XG with Acreto Ecosystem through the IPsec tunnel.

Prerequisites

Sophos XG installation
Ecosystem set up with proper security policies

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
Category: IoT
Type: IPsec
Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
Local Networks: any local network addresses that will be routed through this gateway.

Info

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the Sophos configuration, you will need a few values from an existing committed Acreto Gateway:

Gateway Address
Pre-Shared Key
Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Animation how to get required values from Gateway [▶]

Task 2: To configure IPsec VPN on Sophos

Configure Acreto policy

Log in to the Sophos Firewall panel as a user with an administrator role.
From the left side navigation, choose Configure > VPN (1).
Move to the IPsec policies tab (2) and click on the Add button (3) to create a new policy.
Fill the creation form with the following values:
- General Settings
  - Name: Acreto_ipsec
  - Key exchange: ikev2
- Phase1
  - Key life: 10800
  - DH group (key group): 14,16,20
  - Encryption - Authentication:
    - AES256 -SHA2 256
    - AES128 - SHA2 256
    - AES256 - SHA2 512
- Phase2
  - PFS group (DH group): Same as phase1
  - Key life: 3600
  - Encryption - Authentication:
    - AES256 -SHA2 256
    - AES128 - SHA2 256
    - AES256 - SHA2 512
- Dead Peer Detection
  - Dead Peer Detection: enable
Click on the Save button to create the policy.

Configure IPSec VPN

Goto VPN from left side navigator
Select tab IPsec connections and click Add button
Configure VPN with the following setting:
- General Settings
  - Name: Acreto
  - IP version: IPv4
  - Connection type: Tunnel interface
  - Gateway type: Initiate the connection
  - Activate on Save: enable
- Encryption
  - Policy: Acreto_ipsec
  - Authentication type: Preshared key
  - Preshared key: key (copied from Wedge)
  - Repeat preshared key: key (copied from Wedge).

Gateway settings

Local gateway
- Listening interface: wan_ip
- Local ID type: DNS
- Local ID: peer_id (copied from Wedge)
Remote gateway
- Gateway address: acreto_gateway (copied from Wedge)
- Remote ID type: IP address
- Remote ID: acreto_gateway (copied from Wedge)

Click Save.

Upon saving, the tunnel will try to establish a connection with Acreto, and upon successful connection, the tunnel will come up.

Task 3: Configure IP on the new tunnel interface

Goto Network from left side navigator
Select tab Network
Click the blue bar on the wan interface. It will unfold the new VPN tunnel interface formed
Click the tunnel interface and add some random IP
- IPv4/netmask - 2.2.2.2 /32
Click Save.

Task 4: Configure Routing

Goto Routing from the left side navigator
Select tab Static Routing
Click Add button to configure the following routes

Direct route to Acreto gateway to establish the connection

Destination IP/Netmask : acreto_gateway_ip /32 (copied from wedge)
Gateway: ISP_gateway
Interface: wan
Distance: 0

Default route to through the tunnel

Destination IP/Netamsk: 0.0.0.0 /0
Gateway: blank
Interface: tunnel_inetrface
Distance: 10

Task 5: Configure Security Rules

Goto Rules and policies from left side navigator
Select tab Firewall rules and click Add firewall rule to add a new firewall rule
Create the firewall rule with values as below
- Rule name: to_acreto
- Action: Accept
- Source Zone: LAN
- Source network and devices: Any
- During Scheduled time: All the time
- Destination zones: Any
- Destination network: Any
- Services: Any

Task 6: Verify the connection

Verify the connection is going through Acreto.

From any server in the internal subnet, do traceroute or mtr and verify if traffic is going through Acreto.

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.