Overview
This article describes how to configure an IPSec VPN Client-to-Site connection so that remote VPN users can access the enterprise File Server. The configuration is done on a Sophos XG firewall running firmware version 18.
** With SSL VPN, the client installer is obtained from the User Portal. With IPSec VPN, the client installer is downloaded from the Admin account, and the administrator shares that installer with the VPN user to install.
Diagram
Summary of configuration steps
- Configure IPSec VPN Client to Site profile on Sophos XG
- Create IPSec VPN group
- Create IPSec VPN user
- Configure profile for IPSec VPN Client
- Download and install IPSec VPN Client
- Import configuration file to IPSec VPN Client
- Create a firewall rule to allow communication between the IPSec VPN and the LAN
- Configure NAT Port on Modem or Router
- Configure File Server
- Results
Configuration details
1. Configure IPSec VPN Client to Site profile on Sophos XG
Log in to Sophos XG with the Admin account
1.1 Create IPSec VPN group
** Creating a group for IPSec VPN users makes it easier for administrators to manage users and to apply policies to the group according to business needs
- Authentication -> Choose Group -> Click Add
- Create IPSec VPN group
- Group Name: Enter name for IPSec VPN group
- Surfing Quota: Select the network traffic you want
- Access Time: Select the access time you want
-> Click Save
1.2 Create IPSec VPN users
- Authentication -> Choose User -> Click Add
- Create IPSec VPN users
- Username: Enter name for VPN user
- Password: Enter password for IPSec VPN user
- Email: Enter manager’s email
- Group: Choose IPSec VPN group which was created before
-> Click Save
1.3 Configure profile for IPSec VPN Client
- VPN -> Choose Sophos Connect client
- In General settings
- Choose Enable
- In Interface: Choose WAN Port on Sophos XG
- In Authentication type: Choose Preshared key
- In Preshared key: Enter your preshared key
- In Allowed user: Choose IPSec VPN user which was created before

- In Client information
- In Name: Enter connection name
- In Assign IP from: Enter IP range provided for IPSec VPN Client
- In DNS server 1: Enter your DNS
- In DNS server 2: Enter your DNS
-> Click Apply -> Click Download to download the IPSec VPN client installer -> Click Export connection to download the configuration file
1.4 Download and install IPSec VPN Client
- Extract the installation application file
- Install SophosConnect.msi
- Install scadmin.msi
- Open Sophos Connect Admin -> Click Open to load the profile downloaded before
- You can change Target Host to the WAN IP of the router or modem
-> Click Save to save the profile
** The profile is saved with the .scx extension
1.5 Import configuration file to IPSec VPN Client
- Open Sophos Connect -> Click Import connection -> Choose .scx file
1.6 Create firewall rule to allow communication between IPSec VPN and LAN
- Rules and Policies -> Click Add Firewall Rule
- Enter name
- In Source zones: Choose VPN
- In Source networks and devices: Choose Any
- In Destination zones: Choose LAN
- In Destination networks: Choose LAN network (Local subnet)
- Choose Match known users
- In Users and groups: Choose IPSec VPN group which was created before
-> Click Save
2. Configure NAT Port on Modem or Router
- Forward (NAT) two UDP ports, 500 and 4500, from the modem or router to the Sophos XG
3. Configure File Server
- On the File Server, share the files folder so that all users, including VPN users, have read and write access
4. Results
- Establish the IPSec VPN Client-to-Site connection by opening the application installed on your computer

- Check the IP address of the IPSec VPN Client
- Access the File Server using its IP address, 172.16.16.19
- Type 172.16.16.19 in the address bar
-> Done
A VPN device is required to configure a Site-to-Site (S2S) cross-premises VPN connection using a VPN gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure connections between your on-premises networks and your virtual networks. This article provides a list of validated VPN devices and a list of IPsec/IKE parameters for VPN gateways.
Important
If you are experiencing connectivity issues between your on-premises VPN devices and VPN gateways, refer to Known device compatibility issues.
Items to note when viewing the tables:
- There has been a terminology change for Azure VPN gateways. Only the names have changed. There is no functionality change.
- Static Routing = PolicyBased
- Dynamic Routing = RouteBased
- Specifications for HighPerformance VPN gateway and RouteBased VPN gateway are the same, unless otherwise noted. For example, the validated VPN devices that are compatible with RouteBased VPN gateways are also compatible with the HighPerformance VPN gateway.
Validated VPN devices and device configuration guides
In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the device families in the following list should work with VPN gateways. See About VPN Gateway Settings to understand the VPN type use (PolicyBased or RouteBased) for the VPN Gateway solution you want to configure.
To help configure your VPN device, refer to the links that correspond to the appropriate device family. The links to configuration instructions are provided on a best-effort basis. For VPN device support, contact your device manufacturer.
Vendor | Device family | Minimum OS version | PolicyBased configuration instructions | RouteBased configuration instructions |
---|---|---|---|---|
A10 Networks, Inc. | Thunder CFW | ACOS 4.1.1 | Not compatible | Configuration guide |
Allied Telesis | AR Series VPN Routers | AR-Series 5.4.7+ | Configuration guide | Configuration guide |
Arista | CloudEOS Router | vEOS 4.24.0FX | (not tested) | Configuration guide |
Barracuda Networks, Inc. | Barracuda CloudGen Firewall | PolicyBased: 5.4.3 RouteBased: 6.2.0 | Configuration guide | Configuration guide |
Check Point | Security Gateway | R80.10 | Configuration guide | Configuration guide |
Cisco | ASA | 8.3 8.4+ (IKEv2*) | Supported | Configuration guide* |
Cisco | ASR | PolicyBased: IOS 15.1 RouteBased: IOS 15.2 | Supported | Supported |
Cisco | CSR | RouteBased: IOS-XE 16.10 | (not tested) | Configuration script |
Cisco | ISR | PolicyBased: IOS 15.0 RouteBased*: IOS 15.1 | Supported | Supported |
Cisco | Meraki (MX) | MX v15.12 | Not compatible | Configuration guide |
Cisco | vEdge (Viptela OS) | 18.4.0 (Active/Passive Mode) 19.2 (Active/Active Mode) | Not compatible | Manual configuration (Active/Passive) Cloud Onramp configuration (Active/Active) |
Citrix | NetScaler MPX, SDX, VPX | 10.1 and above | Configuration guide | Not compatible |
F5 | BIG-IP series | 12.0 | Configuration guide | Configuration guide |
Fortinet | FortiGate | FortiOS 5.6 | (not tested) | Configuration guide |
Hillstone Networks | Next-Gen Firewalls (NGFW) | 5.5R7 | (not tested) | Configuration guide |
Internet Initiative Japan (IIJ) | SEIL Series | SEIL/X 4.60 SEIL/B1 4.60 SEIL/x86 3.20 | Configuration guide | Not compatible |
Juniper | SRX | PolicyBased: JunOS 10.2 RouteBased: JunOS 11.4 | Supported | Configuration script |
Juniper | J-Series | PolicyBased: JunOS 10.4r9 RouteBased: JunOS 11.4 | Supported | Configuration script |
Juniper | ISG | ScreenOS 6.3 | Supported | Configuration script |
Juniper | SSG | ScreenOS 6.2 | Supported | Configuration script |
Juniper | MX | JunOS 12.x | Supported | Configuration script |
Microsoft | Routing and Remote Access Service | Windows Server 2012 | Not compatible | Supported |
Open Systems AG | Mission Control Security Gateway | N/A | Configuration guide | Not compatible |
Palo Alto Networks | All devices running PAN-OS | PAN-OS PolicyBased: 6.1.5 or later RouteBased: 7.1.4 | Supported | Configuration guide |
Sentrium (Developer) | VyOS | VyOS 1.2.2 | (not tested) | Configuration guide |
ShareTech | Next Generation UTM (NU series) | 9.0.1.3 | Not compatible | Configuration guide |
SonicWall | TZ Series, NSA Series SuperMassive Series E-Class NSA Series | SonicOS 5.8.x SonicOS 5.9.x SonicOS 6.x | Not compatible | Configuration guide |
Sophos | XG Next Gen Firewall | XG v17 | (not tested) | Configuration guide Configuration guide - Multiple SAs |
Synology | MR2200ac RT2600ac RT1900ac | SRM1.1.5/VpnPlusServer-1.2.0 | (not tested) | Configuration guide |
Ubiquiti | EdgeRouter | EdgeOS v1.10 | (not tested) | BGP over IKEv2/IPsec VTI over IKEv2/IPsec |
Ultra | 3E-636L3 | 5.2.0.T3 Build-13 | (not tested) | Configuration guide |
WatchGuard | All | Fireware XTM PolicyBased: v11.11.x RouteBased: v11.12.x | Configuration guide | Configuration guide |
Zyxel | ZyWALL USG series ZyWALL ATP series ZyWALL VPN series | ZLD v4.32+ | (not tested) | VTI over IKEv2/IPsec BGP over IKEv2/IPsec |
Note
(*) Cisco ASA versions 8.4+ add IKEv2 support and can connect to an Azure VPN gateway using a custom IPsec/IKE policy with the 'UsePolicyBasedTrafficSelectors' option. Refer to this how-to article.
(**) ISR 7200 Series routers only support PolicyBased VPNs.
Download VPN device configuration scripts from Azure
For certain devices, you can download configuration scripts directly from Azure. For more information and download instructions, see Download VPN device configuration scripts.
Devices with available configuration scripts
Vendor | Device family | Firmware version |
---|---|---|
Cisco | ISR | IOS 15.1 (Preview) |
Cisco | ASA | ASA ( * ) RouteBased (IKEv2- No BGP) for ASA below 9.8 |
Cisco | ASA | ASA RouteBased (IKEv2 - No BGP) for ASA 9.8+ |
Juniper | SRX_GA | 12.x |
Juniper | SSG_GA | ScreenOS 6.2.x |
Juniper | JSeries_GA | JunOS 12.x |
Juniper | SRX | JunOS 12.x RouteBased BGP |
Ubiquiti | EdgeRouter | EdgeOS v1.10x RouteBased VTI |
Ubiquiti | EdgeRouter | EdgeOS v1.10x RouteBased BGP |
Note
( * ) Required: NarrowAzureTrafficSelectors (enable UsePolicyBasedTrafficSelectors option) and CustomAzurePolicies (IKE/IPsec)
Non-validated VPN devices
If you don’t see your device listed in the Validated VPN devices table, your device still may work with a Site-to-Site connection. Contact your device manufacturer for additional support and configuration instructions.
Editing device configuration samples
After you download the provided VPN device configuration sample, you’ll need to replace some of the values to reflect the settings for your environment.
To edit a sample:
- Open the sample using Notepad.
- Search and replace all <text> strings with the values that pertain to your environment. Be sure to include < and >. When a name is specified, the name you select should be unique. If a command does not work, consult your device manufacturer documentation.
Sample text | Change to |
---|---|
<RP_OnPremisesNetwork> | Your chosen name for this object. Example: myOnPremisesNetwork |
<RP_AzureNetwork> | Your chosen name for this object. Example: myAzureNetwork |
<RP_AccessList> | Your chosen name for this object. Example: myAzureAccessList |
<RP_IPSecTransformSet> | Your chosen name for this object. Example: myIPSecTransformSet |
<RP_IPSecCryptoMap> | Your chosen name for this object. Example: myIPSecCryptoMap |
<SP_AzureNetworkIpRange> | Specify range. Example: 192.168.0.0 |
<SP_AzureNetworkSubnetMask> | Specify subnet mask. Example: 255.255.0.0 |
<SP_OnPremisesNetworkIpRange> | Specify on-premises range. Example: 10.2.1.0 |
<SP_OnPremisesNetworkSubnetMask> | Specify on-premises subnet mask. Example: 255.255.255.0 |
<SP_AzureGatewayIpAddress> | This information specific to your virtual network and is located in the Management Portal as Gateway IP address. |
<SP_PresharedKey> | This information is specific to your virtual network and is located in the Management Portal as Manage Key. |
Default IPsec/IKE parameters
The tables below contain the combinations of algorithms and parameters Azure VPN gateways use in default configuration (Default policies). For route-based VPN gateways created using the Azure Resource Management deployment model, you can specify a custom policy on each individual connection. Please refer to Configure IPsec/IKE policy for detailed instructions.
Additionally, you must clamp TCP MSS at 1350. If your VPN devices do not support MSS clamping, set the MTU on the tunnel interface to 1400 bytes instead.
In the following tables:
- SA = Security Association
- IKE Phase 1 is also called 'Main Mode'
- IKE Phase 2 is also called 'Quick Mode'
IKE Phase 1 (Main Mode) parameters
Property | PolicyBased | RouteBased |
---|---|---|
IKE Version | IKEv1 | IKEv1 and IKEv2 |
Diffie-Hellman Group | Group 2 (1024 bit) | Group 2 (1024 bit) |
Authentication Method | Pre-Shared Key | Pre-Shared Key |
Encryption & Hashing Algorithms | 1. AES256, SHA256 2. AES256, SHA1 3. AES128, SHA1 4. 3DES, SHA1 | 1. AES256, SHA1 2. AES256, SHA256 3. AES128, SHA1 4. AES128, SHA256 5. 3DES, SHA1 6. 3DES, SHA256 |
SA Lifetime | 28,800 seconds | 28,800 seconds |
IKE Phase 2 (Quick Mode) parameters
Property | PolicyBased | RouteBased |
---|---|---|
IKE Version | IKEv1 | IKEv1 and IKEv2 |
Encryption & Hashing Algorithms | 1. AES256, SHA256 2. AES256, SHA1 3. AES128, SHA1 4. 3DES, SHA1 | RouteBased QM SA Offers |
SA Lifetime (Time) | 3,600 seconds | 27,000 seconds |
SA Lifetime (Bytes) | 102,400,000 KB | 102,400,000 KB |
Perfect Forward Secrecy (PFS) | No | RouteBased QM SA Offers |
Dead Peer Detection (DPD) | Not supported | Supported |
RouteBased VPN IPsec Security Association (IKE Quick Mode SA) Offers
The following table lists IPsec SA (IKE Quick Mode) offers, in the order of preference in which each offer is presented or accepted.
Azure Gateway as initiator
Rank | Encryption | Authentication | PFS Group |
---|---|---|---|
1 | GCM AES256 | GCM (AES256) | None |
2 | AES256 | SHA1 | None |
3 | 3DES | SHA1 | None |
4 | AES256 | SHA256 | None |
5 | AES128 | SHA1 | None |
6 | 3DES | SHA256 | None |
Azure Gateway as responder
Rank | Encryption | Authentication | PFS Group |
---|---|---|---|
1 | GCM AES256 | GCM (AES256) | None |
2 | AES256 | SHA1 | None |
3 | 3DES | SHA1 | None |
4 | AES256 | SHA256 | None |
5 | AES128 | SHA1 | None |
6 | 3DES | SHA256 | None |
7 | DES | SHA1 | None |
8 | AES256 | SHA1 | 1 |
9 | AES256 | SHA1 | 2 |
10 | AES256 | SHA1 | 14 |
11 | AES128 | SHA1 | 1 |
12 | AES128 | SHA1 | 2 |
13 | AES128 | SHA1 | 14 |
14 | 3DES | SHA1 | 1 |
15 | 3DES | SHA1 | 2 |
16 | 3DES | SHA256 | 2 |
17 | AES256 | SHA256 | 1 |
18 | AES256 | SHA256 | 2 |
19 | AES256 | SHA256 | 14 |
20 | AES256 | SHA1 | 24 |
21 | AES256 | SHA256 | 24 |
22 | AES128 | SHA256 | None |
23 | AES128 | SHA256 | 1 |
24 | AES128 | SHA256 | 2 |
25 | AES128 | SHA256 | 14 |
26 | 3DES | SHA1 | 14 |
- You can specify IPsec ESP NULL encryption with RouteBased and HighPerformance VPN gateways. NULL encryption provides no protection for data in transit and should only be used when maximum throughput and minimum latency are required. Clients may choose to use it in VNet-to-VNet communication scenarios, or when encryption is being applied elsewhere in the solution.
- For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with encryption and hashing algorithms listed in the tables above to ensure security of your critical communication.
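As an added example (not part of the original article or of Azure's tooling), the responder offer table above encoded as data, with a function that reports which offer a given on-premises Quick Mode proposal would match and a second function that flags proposals Azure accepts but a reviewer should not, such as DES/3DES, SHA1 integrity, PFS disabled, or a small DH group. The encoding of the GCM row as `("AES256GCM", "GCM", None)` and the weak-algorithm classification are this example's own assumptions.

```python
"""Check an on-premises IPsec Quick Mode proposal against the Azure
RouteBased 'gateway as responder' offer table."""

# Azure gateway as responder: (encryption, authentication, PFS group),
# in the preference order of the table above. "GCM" stands in for
# AES-GCM's built-in authentication; None means PFS is not used.
AZURE_RESPONDER_OFFERS = [
    ("AES256GCM", "GCM", None), ("AES256", "SHA1", None), ("3DES", "SHA1", None),
    ("AES256", "SHA256", None), ("AES128", "SHA1", None), ("3DES", "SHA256", None),
    ("DES", "SHA1", None), ("AES256", "SHA1", 1), ("AES256", "SHA1", 2),
    ("AES256", "SHA1", 14), ("AES128", "SHA1", 1), ("AES128", "SHA1", 2),
    ("AES128", "SHA1", 14), ("3DES", "SHA1", 1), ("3DES", "SHA1", 2),
    ("3DES", "SHA256", 2), ("AES256", "SHA256", 1), ("AES256", "SHA256", 2),
    ("AES256", "SHA256", 14), ("AES256", "SHA1", 24), ("AES256", "SHA256", 24),
    ("AES128", "SHA256", None), ("AES128", "SHA256", 1), ("AES128", "SHA256", 2),
    ("AES128", "SHA256", 14), ("3DES", "SHA1", 14),
]

# Reviewer's classification (assumption): accepted by Azure, but not advisable.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1"}
WEAK_PFS_GROUPS = {1, 2}          # 768-bit and 1024-bit MODP groups


def match_azure_offer(encryption, authentication, pfs_group=None):
    """Return the 1-based preference rank of the responder offer matching
    the proposal, or None if no offer matches (Azure would reject it)."""
    proposal = (encryption.upper(), authentication.upper(), pfs_group)
    for rank, offer in enumerate(AZURE_RESPONDER_OFFERS, start=1):
        if offer == proposal:
            return rank
    return None


def weaknesses(encryption, authentication, pfs_group=None):
    """Return the reasons a proposal is weak (empty list if none)."""
    found = []
    if encryption.upper() in WEAK_ENCRYPTION:
        found.append(f"{encryption} is deprecated; prefer AES128/AES256 or AES-GCM")
    if authentication.upper() in WEAK_INTEGRITY:
        found.append("SHA1 integrity; prefer SHA256")
    if pfs_group is None:
        found.append("PFS disabled; a compromised IKE SA key exposes every child SA")
    elif pfs_group in WEAK_PFS_GROUPS:
        found.append(f"PFS group {pfs_group} is a small MODP group; prefer 14 or 24")
    return found


if __name__ == "__main__":
    for prop in [("AES256", "SHA256", 14), ("3DES", "SHA1", None), ("AES256", "SHA256", 5)]:
        print(prop, "rank:", match_azure_offer(*prop), "issues:", weaknesses(*prop))
```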
Known device compatibility issues
Important
These are the known compatibility issues between third-party VPN devices and Azure VPN gateways. The Azure team is actively working with the vendors to address the issues listed here. Once the issues are resolved, this page will be updated with the most up-to-date information. Please check back periodically.
Feb. 16, 2017
Palo Alto Networks devices with versions prior to 7.1.4 for Azure route-based VPN: If you are using VPN devices from Palo Alto Networks with a PAN-OS version prior to 7.1.4 and are experiencing connectivity issues to Azure route-based VPN gateways, perform the following steps:
- Check the firmware version of your Palo Alto Networks device. If your PAN-OS version is older than 7.1.4, upgrade to 7.1.4.
- On the Palo Alto Networks device, change the Phase 2 SA (or Quick Mode SA) lifetime to 28,800 seconds (8 hours) when connecting to the Azure VPN gateway.
- If you are still experiencing connectivity issues, open a support request from the Azure portal.
