Sophos Ipsec with Acreto

Overview

This article will help you connect your Sophos XG with Acreto Ecosystem through the IPsec tunnel.

Network Diagram

Prerequisites

  1. Sophos XG installation
  2. Ecosystem set up with proper security policies

Create Gateway for IPsec

Firstly, you will need to create a new Gateway device in the Acreto platform. Instructions on how to create a new Gateway are available here.

  1. Name: IPsec connection name must meet the same requirements as the Strongswan connection name (letters and numbers only).
  2. Category: IoT
  3. Type: IPsec
  4. Allow connection from: Empty (describes the source IP address where the IPsec connection will be permitted).
  5. Local Networks: any local network addresses that will be routed through this gateway. Wedge - New Gateway

To simplify testing, add the IP addresses of all interfaces connected to your gateway as Local Networks (you can use /32 prefix for public interface). This will allow you to test connectivity from the gateway through Acreto by using Ping, Traceroute, or similar tools.

How-To

Task 1: Read IPsec Gateway Values Required for IPsec Configuration

To proceed with the Sophos configuration, you will need a few values from an existing committed Acreto Gateway:

  1. Gateway Address
  2. Pre-Shared Key
  3. Recommended Ciphers

All of these may be found within the Gateway details panel - view the below animation for further instruction.

Animation how to get required values from Gateway [▶]

Task 2: To configure IPsec VPN on Sophos

Configure Acreto policy

  1. Log in to the Sophos Firewall panel as a user with an administrator role.

  2. From the left side navigation, choose Configure > VPN (1).

  3. Move to the IPsec policies tab (2) and click on the Add button (3) to create a new policy.

    SophosXG - ipsec - configuration

  4. Fill the creation form with the following values:

    • General Settings

      • Name: Acreto_ipsec
      • Key exchange: ikev2 SophosXG - ipsec - configuration

    • Phase1

      • Key life: 10800
      • DH group (key group): 14,16,20
      • Encryption - Authentication:
        • AES256 -SHA2 256
        • AES128 - SHA2 256
        • AES256 - SHA2 512

    SophosXG - ipsec - configuration

    • Phase2
      • PFS group (DH group): Same as phase1
      • Key life: 3600
      • Encryption - Authentication:
        • AES256 -SHA2 256
        • AES128 - SHA2 256
        • AES256 - SHA2 512

    SophosXG - ipsec - configuration

    • Dead Peer Detection
      • Dead Peer Detection: enable

    SophosXG - ipsec - configuration

  5. Click on the Save button to create the policy.

Configure IPSec VPN

  1. Goto VPN from left side navigator

  2. Select tab IPsec connections and click Add button

  3. Configure VPN with the following setting:

    • General Settings

      • Name: Acreto
      • IP version: IPv4
      • Connection type: Tunnel interface
      • Gateway type: Initiate the connection
      • Activate on Save: enable

    • Encryption

      • Policy: Acreto_ipsec
      • Authentication type: Preshared key
      • Preshared key: key (copied from Wedge)
      • Repeat preshared key: key (copied from Wedge). SophosXG - ipsec - configuration

Gateway settings

  • Local gateway

    • Listening interface: wan_ip
    • Local ID type: DNS
    • Local ID: peer_id (copied from Wedge)

  • Remote gateway

    • Gateway address: acreto_gateway (copied from Wedge)
    • Remote ID type: IP address
    • Remote ID: acreto_gateway (copied from Wedge) SophosXG - ipsec - configuration
  1. Click Save.

Upon saving, the tunnel will try to establish a connection with Acreto, and upon successful connection, the tunnel will come up. SophosXG - ipsec - configuration SophosXG - ipsec - configuration

Task 3: Configure IP on the new tunnel interface

  1. Goto Network from left side navigator

  2. Select tab Network

  3. Click the blue bar on the wan interface. It will unfold the new VPN tunnel interface formed

    SophosXG - ipsec - configuration SophosXG - ipsec - configuration

  4. Click the tunnel interface and add some random IP

    • IPv4/netmask - 2.2.2.2 /32 SophosXG - ipsec - configuration

  5. Click Save.

Task 4: Configure Routing

  1. Goto Routing from the left side navigator
  2. Select tab Static Routing
  3. Click Add button to configure the following routes

Direct route to Acreto gateway to establish the connection

  • Destination IP/Netmask : acreto_gateway_ip /32 (copied from wedge)
  • Gateway: ISP_gateway
  • Interface: wan
  • Distance: 0

SophosXG - ipsec - configuration

Default route to through the tunnel

  • Destination IP/Netamsk: 0.0.0.0 /0
  • Gateway: blank
  • Interface: tunnel_inetrface
  • Distance: 10

SophosXG - ipsec - configuration

Task 5: Configure Security Rules

  1. Goto Rules and policies from left side navigator

  2. Select tab Firewall rules and click Add firewall rule to add a new firewall rule

    SophosXG - ipsec - configuration

  3. Create the firewall rule with values as below

    • Rule name: to_acreto

    • Action: Accept

      SophosXG - ipsec - configuration

    • Source Zone: LAN

    • Source network and devices: Any

    • During Scheduled time: All the time

    • Destination zones: Any

    • Destination network: Any

    • Services: Any

      SophosXG - ipsec - configuration

Task 6: Verify the connection

Verify the connection is going through Acreto.

From any server in the internal subnet, do traceroute or mtr and verify if traffic is going through Acreto.

SophosXG - ipsec - configuration

Summary

Once the VPN connection is successfully established, all the internal traffic to the internet will be routed through Acreto.

Next page: Troubleshooting - FortiGate Cloud Management issue