I/ Overview:
– This tutorial shows how to configure an IPsec VPN Site-to-Site connection between a Sophos XG and a Palo Alto Firewall using DDNS.
II/ Requirements:
– You need a DDNS account. In this tutorial we use a No-IP DDNS account with the hostname vacifcoltd.ddns.net for the Palo Alto Firewall.
III/ Deployment model:
IV/ Configuration instructions:
4.1| Configuration on Sophos:
4.1.1/ Policy configuration:
– Go to the page VPN > IPSec Policies > click Add.
– Name: enter the VPN policy name.
- Set Key exchange to IKEv2 and Authentication Mode to Main Mode.
- Set Key Negotiation Tries to 0.
- Tick the box Re-key connection.
– Under the Phase 1 tab, configure:
- Key Life: 28800
- Re-key Margin: 360
- Randomize Re-Keying Margin: 50.
- DH Group (Key Group): 2 (DH1024).
- Encryption: AES256
- Authentication: SHA2 512.
– Under the Phase 2 tab, configure:
- PFS Group (DH Group): None.
- Key Life: 3600.
- Encryption: AES256.
- Authentication: SHA2 512.
– Under Dead Peer Detection, configure:
- Check Peer After Every: 30 seconds
- Wait for Response Up To: 120 seconds.
- When Peer Unreachable: Re-initiate.
– Click Save.
4.1.2/ Configure IPsec components:
– Go to the page Configure > VPN > IPsec Connections > click Add
– Configure the information in the tab General Settings:
- Name: enter a name for the IPsec connection.
- IP Version: select IPv4.
- Connection Type: select Site-to-Site
- Gateway Type: select Initiate the Connection.
- Tick Create Firewall rule so the firewall automatically creates rules that allow VPN traffic to pass through.
– In the Encryption tab, set the parameters:
- Policy: select the policy created in step 4.1.1.
- Authentication Type: select Preshared Key.
- Enter the same key in both boxes: Preshared Key and Repeat preshared key.
– In the Gateway settings tab, configure:
– Item Local gateway:
- Listening interface: select the interface that listens for VPN connection requests.
- Local Subnet: add the internal network object (e.g. LAN_SPXG).
– Item Remote gateway:
- Gateway Address: enter the DDNS hostname created earlier, vacifcoltd.ddns.net.
- Remote Subnet: add the network object for the far end (Palo Alto site).
- Click Save.
4.2| Configuration on Palo Alto Firewall:
– In the Palo Alto GUI, go to Network > Network Profiles > IKE Crypto and add a profile with a name of your choice (e.g. PA_P1). In the IKE Crypto Profile tab, configure the parameters:
- DH Group > click Add > select the group to use (e.g. group2).
- Encryption: aes-256-cbc.
- Authentication: sha512.
- Timers > Key Lifetime: 28800 seconds.
- IKEv2 Authentication Multiple: 0
– Click OK
– Next, go to Network > Network Profiles > IPSec Crypto and add another profile.
- Name: enter the profile name (e.g. PA_P2).
- IPSec Protocol: ESP.
- DH Group: no-pfs.
- Encryption: aes-256-cbc.
- Authentication: sha512.
- Lifetime: select Seconds and enter 3600.
– Click OK.
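Before continuing, it is worth confirming that the two sides' proposals agree, since mismatched Phase 1/Phase 2 parameters are the usual reason an IKEv2 site-to-site tunnel never comes up. The script below is an added example, not part of this tutorial and not a tool from either vendor: it maps the Sophos XG labels from section 4.1.1 and the Palo Alto profile labels from section 4.2 to neutral tokens and reports any field that differs; the dictionaries are constructed sample input holding the values entered above.

```python
# Added example, not part of the tutorial: check that the Phase 1 / Phase 2 values entered on
# Sophos XG match the IKE Crypto / IPSec Crypto profiles on Palo Alto. The two vendors use
# different labels for the same algorithms, so each side is mapped to a neutral token first.

# Sophos XG label -> neutral token (labels as they appear in the tutorial)
SOPHOS_NORMALISE = {"AES256": "aes256", "SHA2 512": "sha512", "2 (DH1024)": "dh2", "None": "none"}
# Palo Alto label -> neutral token
PAN_NORMALISE = {"aes-256-cbc": "aes256", "sha512": "sha512", "group2": "dh2", "no-pfs": "none"}

def normalise(value, table):
    """Map a vendor label to a neutral token; anything unknown (e.g. a lifetime) is lowercased."""
    return table.get(value, str(value).lower())

def compare_phase(sophos, pan, fields):
    """Return (field, sophos_value, pan_value) for every pair of fields whose values differ."""
    mismatches = []
    for s_field, p_field in fields:
        if normalise(sophos[s_field], SOPHOS_NORMALISE) != normalise(pan[p_field], PAN_NORMALISE):
            mismatches.append((s_field, sophos[s_field], pan[p_field]))
    return mismatches

def weak_dh_warnings(sophos_p1):
    """Flag DH groups that are no longer recommended (the tutorial uses group 2, 1024-bit MODP)."""
    group = normalise(sophos_p1["DH Group"], SOPHOS_NORMALISE)
    return ["DH group 2 (1024-bit MODP) is weak; prefer group 14 or larger"] if group == "dh2" else []

def check_proposals(sophos_p1, sophos_p2, pan_ike, pan_ipsec):
    """Compare Phase 1 with the IKE Crypto profile and Phase 2 with the IPSec Crypto profile."""
    phase1_fields = [("Key Life", "Key Lifetime"), ("DH Group", "DH Group"),
                     ("Encryption", "Encryption"), ("Authentication", "Authentication")]
    phase2_fields = [("Key Life", "Lifetime"), ("PFS Group", "DH Group"),
                     ("Encryption", "Encryption"), ("Authentication", "Authentication")]
    return {"phase1": compare_phase(sophos_p1, pan_ike, phase1_fields),
            "phase2": compare_phase(sophos_p2, pan_ipsec, phase2_fields),
            "warnings": weak_dh_warnings(sophos_p1)}

# Constructed sample input: the values this tutorial enters on each side.
SOPHOS_PHASE1 = {"Key Life": 28800, "DH Group": "2 (DH1024)", "Encryption": "AES256", "Authentication": "SHA2 512"}
SOPHOS_PHASE2 = {"Key Life": 3600, "PFS Group": "None", "Encryption": "AES256", "Authentication": "SHA2 512"}
PAN_IKE_CRYPTO = {"Key Lifetime": 28800, "DH Group": "group2", "Encryption": "aes-256-cbc", "Authentication": "sha512"}
PAN_IPSEC_CRYPTO = {"Lifetime": 3600, "DH Group": "no-pfs", "Encryption": "aes-256-cbc", "Authentication": "sha512"}

if __name__ == "__main__":
    result = check_proposals(SOPHOS_PHASE1, SOPHOS_PHASE2, PAN_IKE_CRYPTO, PAN_IPSEC_CRYPTO)
    for phase in ("phase1", "phase2"):
        print(phase, "matches" if not result[phase] else "MISMATCH " + str(result[phase]))
    for warning in result["warnings"]:
        print("warning:", warning)
```

With the tutorial's values both phases match; changing any single label on one side (for example PFS on Palo Alto set to group2 while Sophos has None) is reported as a mismatch.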
– Next, create the certificate used for DDNS: go to Device > Certificate Management > Certificates > Generate.
- Certificate Type: select Local.
- Certificate Name: enter the name of the CA (e.g. CA_VPN).
- Common Name: enter the DDNS hostname vacifcoltd.ddns.net.
- Tick select Certificate Authority.
- Set the remaining fields as required: Algorithm, Number of Bits, Digest.
- Certificate Attributes: click Add, select Host Name and enter vacifcoltd.ddns.net.
- Click Generate.
– Create the IKE Gateway that uses profile PA_P1: go to Network > Network Profiles > IKE Gateways and add a new gateway. In the General tab:
- Name: Enter the gateway name.
- Version: select IKEv2 only mode.
- Address Type: select IPv4.
- Interface: ethernet1/1.
- Local IP Address: None.
- Peer IP Type: Static.
- Peer IP Address: 115.100.230.50.
- Authentication: Pre-Shared Key and enter the Pre-Shared Key twice.
- Local Identification: select FQDN (hostname) and enter the DDNS hostname vacifcoltd.ddns.net.
- Click OK.
– Go to the path Network > IKE Gateway > Advanced Options.
- In the Common Options section, select Enable Passive Mode.
- In the IKEv2 section, set IKE Crypto Profile to the PA_P1 profile created earlier.
- Liveness Check > Interval: set to 5.
- Click OK.
– Create Tunnel Interface: go to page Network > Interface > Tunnel > click Add.
- Interface Name: enter a name.
- Virtual Router: select the existing virtual router.
- Security Zone: select the internal Layer 3 zone.
- Click OK.
– Go to Network > Interfaces > Ethernet > ethernet1/1 > Advanced > DDNS.
- Click Settings and Enable.
- Hostname: vacifcoltd.ddns.net
- Vendor: select No-IP
- Username and Password: enter the account and password you registered with No-IP.
- Certificate Profile: select New Certificate Profile.
- Enter the name VPN_Cer > click Add > under CA Certificate select CA_VPN > click OK.
– Next, go to Network > IPSec Tunnels > click Add.
- Name: enter the name of this tunnel.
- Tunnel Interface: select the tunnel interface created above.
- IKE Gateway: select the IKE Gateway created in the step above.
- IPSec Crypto Profiles: select PA_P2.
- Click Ok.
– To activate the VPN connection: select the tunnel, click Enable, then click Yes.
– Next, configure Firewall Rules to allow VPN traffic to pass through.
– Create the Local Subnet and Remote Subnet objects: go to Objects > Addresses and click Add.
- Create Local Subnet:
- Create Remote Subnet:
– Go to the page Policies > Security > Add. Create 2 policies as follows:
- LAN-VPN: Source (select Local) – Destination (select Remote)
- VPN-LAN: Source (select Remote) – Destination (select Local)
!!! Finally: you must click Commit to save and apply all the configuration.
– Then go back to Sophos XG:
- Enter the path Configure > VPN > IPsec Connections.
- Under Status, click the Active and Connection indicators to enable the configuration and establish the VPN connection.
V/ Results:
– The IPsec VPN Site-to-Site between the Sophos XG Firewall and Palo Alto using DDNS is set up successfully.