Sophos XG Firewall (v18): Route Based VPN

In v18 we have added the route-based VPN method to the architecture of the IPsec VPN function. A route-based VPN builds a virtual tunnel interface (VTI) that logically represents the VPN tunnel, and any traffic routed to this interface is encrypted and sent through the tunnel. Static, dynamic and the new SD-WAN policy routing can be used to route traffic through the VTI. The prerequisite is that the Sophos XG must run SFOS v18 or above.

The following diagram is the example we used to set up a route-based IPsec VPN. In the headquarters and branch offices, XG devices have been deployed as gateways. In the headquarters network, Port2 is the WAN interface facing the Internet. It is configured with IP address 192.168.0.77. Port1 is the LAN interface, which is set to IP address 172.16.1.13, and its LAN network resources are within the 172.16.1.0/24 subnet. In the branch network, Port2 is the WAN interface facing the Internet. It is configured with IP address 192.168.0.70. Port1 is the LAN interface, which is set to IP address 192.168.1.75, and its LAN network resources are in the 192.168.1.0/24 subnet range.

According to the customer's requirements, the branch LAN network should be able to reach the headquarters LAN network resources through the IPsec VPN tunnel, and the traffic should be bidirectional. The branch office XG is the VPN tunnel initiator, and the headquarters XG device is the responder.

So let's take a look at the steps to set up this scenario on XG v18. First, we have to complete the setup steps on the headquarters XG. Browse to CONFIGURE > VPN > IPsec Connections and click the Add button. Enter an appropriate name. Enable the Activate on Save checkbox. This way, when the settings are saved, the tunnel is activated immediately. For Connection Type, select Tunnel Interface. The Gateway Type is Respond only. Then select the required VPN policy. In this example, we use the built-in IKEv2 policy. For Authentication Type, select Preshared Key and
enter the preshared key. Now, under the Local Gateway section, select WAN Port2 as the Listening interface. Under the Remote Gateway, enter the WAN IP address of the branch XG device. The Local and Remote subnet fields are grayed out because this is a route-based VPN. Click the Save button. You can then see that the VPN connection has been successfully set up and started.

Now, browse to CONFIGURE > Network > Interfaces. We can see that the xfrm interface has been created on the WAN interface of the XG device. This is the virtual tunnel interface created for the IPsec VPN connection. When we click on it, we can assign an IP address to it.

The next step is to create firewall rules so that traffic is allowed between the branch LAN network and the headquarters LAN network in both directions. First, we browse to PROTECT > Rules and policies > Firewall rules, then click the Add firewall rule button. Enter an appropriate name, and select the rule position and the appropriate group. Enable the log option, then select VPN in Source zone. For Source network, we can create a new IP host network object. Its IP address is 192.168.1.0, subnet mask /24. For Destination zone, select LAN, and for Destination networks we create another IP host network object. Its IP address is 172.16.1.0, subnet mask /24. Keep Services as Any, and then click the Save button.

Similarly, by clicking the Add firewall rule button, we create a rule for outgoing traffic. Enter an appropriate name, and select the rule position and the appropriate group. Enable the log option, and then select LAN in the Source zone. For the Source network, we select the IP host object 172.16.1.0. For Destination zone, select VPN. For Destination networks, we select the IP host object 192.168.1.0. Keep Services as Any, and then click the Save button.

We can use static routing, dynamic routing or SD-WAN policy routing to route traffic through the xfrm tunnel interface. In this video, we will discuss static routing of VPN tunnel traffic and the SD-WAN policy routing method.
To route traffic through static routing, we browse to Routing > Static routing and click the Add button. For Destination IP, enter 192.168.1.0, with subnet mask /24. For Interface, select the xfrm tunnel interface and click the Save button.

In v18, besides static routes, we can also use the new SD-WAN policy routing method to route traffic through the xfrm tunnel interface, and it offers more granular options. This is the best choice in a VPN-to-MPLS failover/failback scenario. So, in order to route traffic through policy routing, we browse to Routing > SD-WAN policy routing and click the Add button. Enter an appropriate name, and select the LAN port as the incoming interface. For Source network, select the 172.16.1.0 IP host object. The Destination network is the 192.168.1.0 IP host object. Then, in the primary gateway option, we can create a new gateway on the xfrm tunnel interface and use the health check monitoring option with ping to the remote address 4.4.4.4. Then click Save. Or, if you have an MPLS link to the branch office, you can create a gateway on the MPLS port and select it as the backup gateway. This way, when the VPN tunnel fails, traffic fails over from the VPN to MPLS, and when the tunnel is re-established, it fails back to the VPN connection. In this example, we keep the backup gateway as None. Then save the policy.

Browse to Administration > Device Access and enable the ping-related options on the VPN zone, to ensure that the xfrm tunnel interface IP can be reached by ping.

Now, in the command line console, confirm that SD-WAN policy routing of reply traffic is enabled by executing the following command. If it is turned off, you can enable it by executing the following command. So, this completes the setup of the headquarters XG device.

On the branch XG device, we need to create the same kind of route-based VPN tunnel, with the same IKEv2 VPN policy and pre-shared key. The Listening interface is set
to WAN interface Port2, and the Remote Gateway address is the WAN IP of the headquarters XG device. When the VPN tunnel is connected, we browse to CONFIGURE > Network > Interfaces and assign an IP address to the newly created xfrm tunnel interface. In order to allow traffic, we have to browse to PROTECT > Rules and policies > Firewall rules and use the branch office and headquarters LAN subnets to create 2 firewall rules: one for outbound traffic and one for inbound traffic.

Now, in order to route traffic through a static route, we can browse to Routing > Static routing and create a static route. Its destination IP is the 172.16.1.0 network, and we select xfrm as the outgoing interface. As discussed earlier, if routing is to be done through the new SD-WAN policy routing instead, we can delete the static route, then browse to Routing > SD-WAN policy routing and create a policy. The incoming interface is the LAN port, the Source network is the 192.168.1.0 IP network, and the Destination network is the 172.16.1.0 network. Then, in the primary gateway section, we can create a new gateway on the xfrm tunnel interface and use the health check monitoring option with ping to the xfrm IP 3.3.3.3. Then select it as the primary gateway, keep the backup gateway as None, and save the policy.

Browse to Administration > Device Access, then enable the PING option on the VPN zone, to ensure that ping can reach the xfrm tunnel interface IP. From the command line console, we need to confirm that SD-WAN policy routing of reply traffic is enabled. This completes the setup of the branch XG device.

Some notes and other information related to v18 route-based VPN are as follows. If VPN traffic hits the default masquerading NAT policy, the traffic will be dropped. To fix this, you can add an explicit SNAT policy for the relevant VPN traffic. Although it is generally not recommended, if you set up an IPsec connection between a policy-based VPN and a
route-based VPN and run into problems, make sure to keep the route-based VPN as the responder to get good results. Deleting a route-based VPN connection also deletes the associated tunnel (xfrm) interface and its dependent configurations. Unbinding the WAN interface also deletes the corresponding xfrm tunnel interface and IPsec VPN connection.

The following are some of the workflow differences between policy-based VPN and route-based VPN. For route-based VPNs, firewall rules cannot be created automatically, because the networks are added dynamically. When the headquarters and branch offices have the same internal LAN subnet range, you must use global NAT rules to achieve VPN NAT overlap.

Now, let's take a look at some features that are not currently supported but will be addressed in a future release. A GRE tunnel cannot be created on an xfrm interface. Static multicast routing cannot be configured on an xfrm interface. DHCP relay over xfrm is not supported.

Finally, let's look at some troubleshooting steps for identifying traffic on route-based VPN connections. Consider the same network diagram as in the example. There is a computer in the branch office with IP address 192.168.1.71, trying to ping the web server at the headquarters, 172.16.1.14. To check the traffic from the branch XG device, we browse to Diagnostics > Packet capture and click the Configure button. For the BPF string, enter "host 172.16.1.14 and proto ICMP" and click the Save button. Turn on the toggle switch. We can see that the ICMP traffic comes in on the LAN interface Port1 and goes out through the xfrm interface.

Similarly, if you open the log viewer, select the Firewall module and search for IP 172.16.1.14, you can see the ICMP traffic flowing through the xfrm interface of the device, along with the related firewall rule ID. If you click the rule ID, the firewall rule opens automatically in the main webUI page, so the system administrator can carry out extensive investigations as needed.

In this
way, the route-based IPsec VPN in Sophos XG v18 can be deployed in headquarters and branch office scenarios. It can also be used to establish VPN connections with other vendors that support route-based VPN methods. We hope this video is helpful to you. Thank you for watching.
