
Configure Site-to-Site IPSec VPN setup between Sophos XG Firewall and Palo Alto using DDNS

TigerDao

Administrator
Staff member
I/ Overview:
– This tutorial shows how to configure an IPsec Site-to-Site VPN connection between Sophos XG and Palo Alto firewalls using DDNS.

II/ Requirements:
– You need a DDNS account. In this tutorial we use a No-IP DDNS account with the hostname vacifcoltd.ddns.net for the Palo Alto Firewall.

III/ Deployment model:


(IMG)

IV/ Configuration instructions:
4.1| Configuration on Sophos:

4.1.1/ Policy configuration:
– Go to the page VPN > IPSec Policies > click Add.

– Name: enter the VPN policy name.

  • Key Exchange: IKEv2; Authentication Mode: Main Mode.
  • Key Negotiation Tries: 0.
  • Tick Re-key connection.
(IMG)
– In the Phase 1 tab, configure:

  • Key Life: 28800
  • Re-key Margin: 360
  • Randomize Re-Keying Margin: 50
  • DH Group (Key Group): 2 (DH1024)
  • Encryption: AES256
  • Authentication: SHA2 512



(IMG)
– In the Phase 2 tab, configure:

  • PFS Group (DH Group): None.
  • Key Life: 3600.
  • Encryption: AES256.
  • Authentication: SHA2 512.



(IMG)


– In the Dead Peer Detection section, configure:

  • Check Peer After Every: 30 seconds
  • Wait for Response Up To: 120 seconds
  • When Peer Unreachable: Re-initiate



(IMG)


– Click Save.
4.1.2/ Configure IPsec components:
– Go to Configure > VPN > IPsec Connections > click Add.

– In the General Settings tab, configure:

  • Name: the name of the IPsec connection.
  • IP Version: select IPv4.
  • Connection Type: select Site-to-Site.
  • Gateway Type: select Initiate the Connection.
  • Tick Create Firewall rule so the firewall automatically creates the rules that allow VPN traffic to pass.



(IMG)


– In the Encryption tab, configure:

  • Policy: select the policy created in step 4.1.1.
  • Authentication Type: select Preshared Key.
  • Enter the key into both boxes: Preshared Key and Repeat preshared key.



(IMG)


– In the Gateway Settings tab, configure:
– Local Gateway section:

  • Listening interface: select the interface that listens for VPN connection requests.
  • Local Subnet: add the internal network object (e.g. LAN_SPXG).

– Remote Gateway section:

  • Gateway Address: enter the DDNS hostname vacifcoltd.ddns.net.
  • Remote Subnet: add the remote network object (Palo Alto site).
  • Click Save.



(IMG)


4.2| Configuration on Palo Alto Firewall:


– In the Palo Alto web interface, go to Network Profiles > IKE Crypto and add a profile with a name (e.g. PA_P1). In the IKE Crypto Profile tab, configure the parameters:

  • DH Group: click Add and select the group (e.g. group2).
  • Encryption: aes-256-cbc.
  • Authentication: sha512.
  • Timers > Key Lifetime: 28800 seconds.
  • IKEv2 Authentication Multiple: 0

– Click OK
(IMG)




– Go to Network > IPSec Crypto and add a profile (e.g. PA_P2):

  • Name: enter the profile name.
  • IPSec Protocol: ESP.
  • DH Group: no-pfs.
  • Encryption: aes-256-cbc.
  • Authentication: sha512.
  • Lifetime: select Seconds and enter 3600.

– Click OK.
(IMG)


– Create the authentication certificate: go to Device > Certificate Management > Certificates > Generate.

  • Certificate Type: select Local.
  • Certificate Name: enter the CA name (e.g. CA_VPN).
  • Common Name: enter the DDNS hostname vacifcoltd.ddns.net.
  • Tick Certificate Authority.
  • Select the remaining settings: Algorithm, Number of Bits, Digest.
  • Certificate Attributes:
    • Click Add, select Host Name and enter vacifcoltd.ddns.net.
    • Click Generate.





(IMG)


– Create the IKE Gateway that uses profile PA_P1: go to Network > IKE Gateway > General and create a new gateway.

  • Name: Enter the gateway name.
  • Version: select IKEv2 only mode.
  • Address Type: select IPv4.
  • Interface: ethernet1/1.
  • Local IP Address: None.
  • Peer IP Type: Static.
  • Peer IP Address: 115.100.230.50.
  • Authentication: Pre-Shared Key and enter the Pre-Shared Key twice.
  • Local Identification: select FQDN (hostname) and enter the ddns address vacifcoltd.ddns.net.
  • Click OK.



(IMG)


– Go to Network > IKE Gateway > Advanced Options.

  • In the Common Options section, select Enable Passive Mode.
  • In the IKEv2 section, set IKE Crypto Profile to the PA_P1 profile created earlier.
  • Liveness Check > Interval: 5.
  • Click OK.



(IMG)
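The two firewalls spell the same proposal differently (AES256 / SHA2 512 / 2 (DH1024) / None on Sophos, aes-256-cbc / sha512 / group2 / no-pfs on Palo Alto), and with DDNS on the Palo Alto side exactly one peer must initiate while the other stays passive. The following added example (not code from the original post) encodes both sides' phase 1, phase 2 and role settings from steps 4.1.1 and 4.2 and checks that they agree before the tunnel is enabled; the label-normalisation table is this example's own assumption.

```python
"""Added example, not part of the original post: cross-check the Sophos XG and
Palo Alto settings this tutorial enters before enabling the tunnel. GUI labels
are normalised first, then phase 1, phase 2 and peer roles are compared."""
# Vendor label -> canonical name. Assumption: this mapping is the example's own.
CANON = {
    "AES256": "aes-256-cbc", "aes-256-cbc": "aes-256-cbc",
    "SHA2 512": "sha512", "sha512": "sha512",
    "2 (DH1024)": "group2", "group2": "group2",
    "None": "no-pfs", "no-pfs": "no-pfs",
}

# Values as the tutorial types them into each firewall's GUI.
SOPHOS = {
    "phase1": {"enc": "AES256", "auth": "SHA2 512", "dh": "2 (DH1024)", "life": 28800},
    "phase2": {"enc": "AES256", "auth": "SHA2 512", "dh": "None", "life": 3600},
    "role": "initiate",  # Gateway Type: Initiate the Connection
}
PALO_ALTO = {
    "phase1": {"enc": "aes-256-cbc", "auth": "sha512", "dh": "group2", "life": 28800},
    "phase2": {"enc": "aes-256-cbc", "auth": "sha512", "dh": "no-pfs", "life": 3600},
    "role": "passive",  # Advanced Options: Enable Passive Mode
}

def normalise(proposal):
    """Map one side's labels to canonical names; numeric lifetimes pass through."""
    return {k: CANON.get(v, v) if isinstance(v, str) else v for k, v in proposal.items()}

def proposal_mismatches(a, b):
    """Return the differences that would make IKE/IPsec negotiation fail."""
    found = []
    for phase in ("phase1", "phase2"):
        pa, pb = normalise(a[phase]), normalise(b[phase])
        found += [f"{phase} {k} mismatch: {pa[k]} vs {pb[k]}" for k in pa if pa[k] != pb[k]]
    # The DDNS side's address can change, so it must wait to be contacted:
    # exactly one peer initiates and the other runs in passive mode.
    if {a["role"], b["role"]} != {"initiate", "passive"}:
        found.append("roles: need one initiator and one passive peer")
    return found

def strength_notes(side):
    """Defender's review of the accepted parameters (not negotiation errors)."""
    notes = []
    if normalise(side["phase1"])["dh"] == "group2":
        notes.append("phase1 DH group2 is 1024-bit MODP; current guidance prefers larger groups")
    if normalise(side["phase2"])["dh"] == "no-pfs":
        notes.append("phase2 PFS disabled: child SA keys derive from the IKE SA key material")
    return notes

if __name__ == "__main__":
    print(proposal_mismatches(SOPHOS, PALO_ALTO) or ["OK: proposals match"], strength_notes(SOPHOS))
```

Run it after editing either side's profile; an empty mismatch list means the proposals should negotiate, and the notes list records the weaker choices the tutorial accepts.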


– Create the Tunnel Interface: go to Network > Interface > Tunnel > click Add.
  • Interface Name: enter a name.
  • Virtual Router: select the virtual router that has been created.
  • Security Zone: select the internal Layer 3 zone.
  • Click OK.


(IMG)


– Go to Interfaces > Ethernet > ethernet1/1 > Advanced > DDNS.

  • Click Settings and tick Enable.
  • Hostname: vacifcoltd.ddns.net
  • Vendor: select No-IP
  • Username and Password: enter the account and password registered with No-IP.
  • Certificate Profile: select New Certificate Profile.
  • Enter the name VPN_Cer > click Add > for CA Certificate select CA_VPN. Click OK.



(IMG)

(IMG)


– Next, go to IPSec Tunnels > click Add.

  • Name: enter the name of this tunnel.
  • Tunnel Interface: select the tunnel interface created above.
  • IKE Gateway: select the gateway (PA) created in the step above.
  • IPSec Crypto Profile: select PA_P2.
  • Click OK.



(IMG)


– To activate the VPN connection: select the tunnel, click Enable > click Yes.


(IMG)




– Add Firewall Rules to allow VPN traffic to pass through.
– Create the Local Subnet and Remote Subnet address objects: go to Object > Address and click Add.

  • Create Local Subnet:



(IMG)
  • Create Remote Subnet:


(IMG)


– Go to the page Policies > Security > Add. Create 2 policies as follows:

  • LAN-VPN: Source (select Local) – Destination (select Remote)
  • VPN-LAN: Source (select Remote) – Destination (select Local)



(IMG)

Finally: you must click Commit to save and apply all the configuration.

– Then return to the Sophos XG:

  • Go to Configure > VPN > IPsec Connections.
  • Under Status, click the Active and Connection toggles to activate the policy and establish the VPN connection.



V/ Results:
The IPsec Site-to-Site VPN between the Sophos XG Firewall and Palo Alto using DDNS is set up successfully.


(IMG)

(IMG)
