Skip to main content
Skip table of contents

Sophos XG V19+ ikev2 (dynamic)

Configuring Sophos Next Generation Firewall

Tested Version: Sophos XG version 19

In this section we will refer to the configuration file you can download from AWS as “template conf” and will explain how to use its contents for configuring Sophos XG V19

As a reference for this guide, you can find here the full AWS file: Sophos XG V19+ ikev2 (dynamic).txt


Create VPN Tunnels

Open the web interface of the firewall and move to Site-to-site VPN > Amazon VPC > Amazon VPC connection setup:

image-20250311-080042.png

Select “Use VPC configuration file” and upload the configuration file in “Choose File” 

After few minutes you should be able to see both tunnel up and running:

image-20250311-080059.png

Go to System > Profiles > IPsec profiles to view  the VPN Policy of Internet Key Exchange (IKE) as the conf template

image-20250311-080113.png

Tunnel 1

<ike>
      <authtype>psk</authtype>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>45yRVCcBqc6Gr0umXrSrBxshu3YaQone</pre_shared_key>
</ike>
<ipsec>
      <key_exchange>ikev2</key_exchange>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>

image-20250311-080135.png

Tunnel 2

<ike>
      <authtype>psk</authtype>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>MoKSN15pp0xVId2Vnk_3hYJildOI.7mf</pre_shared_key>
</ike>
<ipsec>
      <key_exchange>ikev2</key_exchange>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
</ipsec>

image-20250311-080151.png

Configure BGP

In Configure > Routing |> BGP it’s showed the configuration of BGP as the conf template:

<bgp>        <asn>65000</asn>        <hold_time>30</hold_time></bgp><tunnel_inside_address>        <ip_address>169.254.185.53</ip_address>        <network_mask>255.255.255.252</network_mask>        <network_cidr>30</network_cidr></tunnel_inside_address><tunnel_inside_address>        <ip_address>169.254.247.229</ip_address>        <network_mask>255.255.255.252</network_mask>        <network_cidr>30</network_cidr></tunnel_inside_address>

To establish BGP routes between your network and Amazon VPC, you must add the local subnet to your BGP networks. 
Go to Routing > BGP > Networks, click Add and insert you local network

image-20250311-080212.png

You must enable the dynamic routing for the VPN zone for Sophos Firewall to use BGP routing with Amazon VPC.
Go to Administration > Device Access and enable Dynamic Routing for the VPN zone.

image-20250311-080324.png

Create firewall rules for VPN traffic

You must create outbound and inbound firewall rules to allow traffic between your local network and Amazon VPC.

To create a firewall rule for outbound VPN traffic, go to Rules and policies > Firewall rules > Add firewall rule, and click New firewall rule.

image-20250311-080406.png

In this case the Amazon VPC Networks is 10.148.0.0/16

To check the status of BGP and Routing go to Routing > Information > BGP

image-20250311-080454.png

Testing

Going back Site-to-site VPN > Amazon VPC >Amazon VPC connection we should be able to see both tunnels up:

image-20250311-080512.png

Increase the security in the VPN connection

Now, since AWS side VPN tunnels support better security, we can adjust Sophos configuration accordingly.

So we can use:

  • AES-256 instead of AES-128

  • SHA512 instead of SHA1

  • Diffie-Hellman group 18 instead of DH 2, Sophos supports DH18

  • IKEv2 whenever possible

Let’s adjust Sophos configuration:

Go to System > Profiles > IPsec profiles > edit both tunnels with the new parameters:

image-20250311-080559.png

Now the IPSec tunnels will be up and running with maximum security:

We have done!

image-20250311-080702.png

For more information and support please contact our UCCS Onboarding Team

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.