Create a Site-to-Site VPN Using Sophos UTM

Requirements

Two running instances of Sophos UTM with the following basic characteristics:

• Each Sophos appliance should have a public IP assigned to the external NIC of the appliance.
• Each Sophos appliance should have basic configuration to serve as gateway for Internet access.
• Either a full or trial Sophos license to be able to use the appliance’s VPN features.
• Network connectivity between these two appliances.
• Remote Desktop, ping, or other application that can be used for testing connectivity through the tunnel.

Sample configurations used for this tutorial

Below is a sample representation of the topology to be used for this tutorial.

To set up this topology, this tutorial will make use of two ProfitBricks Virtual Data Centers (VDCs). Each virtual data center is self-contained and therefore will act as two separate physical locations even though they are technically on the same physical data center.

Here are the sample networking details that will be used during this tutorial, and a screen shot for one of these VDCs. The second VDC should look identical except that we will use a different internal IP space (subnet) to avoid unnecessary NAT rules.

• VDC-01 Sophos Public IP: 162.254.X.X
• VDC-01 Sophos Internal IP: 192.168.1.1
• VDC-01 Mgmt Server Internal IP: 192.168.1.10
• VDC-02 Sophos Public IP: 208.94.Y.Y
• VDC-02 Sophos Internal IP: 192.168.2.1
• VDC-02 Mgmt Server Internal IP: 192.168.2.10

Set up the remote gateway

On your primary Sophos UTM (VDC-01), go to Site-to-Site VPN located on the left navigation menu. Then select the IPSec sub-menu option as depicted below.

Next, go to the Remote Gateways tab, click on the New Remote Gateway button, and fill out the details accordingly.

Here is a sample configuration:

• Name: VDC-02
• Gateway type: Initiate connection.
• Gateway: Click the + button to create a new Host by entering the details for the VDC-02 Sophos (Public IP).
• In this scenario, this would be the 208.94.Y.Y public IP.
• Authentication type: Preshared key
• Key: Enter a password to be used for the creation of the tunnel.
• Repeat: Re-enter a password to be used for the creation of the tunnel.
• VPN ID type: IP address
• VPN ID (optional): (Leave blank)
• Remote networks: Click the + button to create a new Network by entering the details for the VDC-02 internal LAN.
• In this scenario, this would be the 192.168.2.0 range
• Comment: VDC-02 Remote Gateway

Click the Save button

Set up the IPsec connection

The next step is to go over to the Connections tab and click on the New IPsec Connection button.

Here is the sample configuration for our scenario.

• Name: VDC-02 Connection
• Remote Gateway: VDC-02
• Local interface: External (WAN)
• Policy: AES-256 (this is a built-in policy)
• Local Network: Internal (LAN) (Network)
• This is done by clicking on the Folder icon and dragging and dropping the “Network”.
• Check the Automatic firewall rules.
• Comments: VDC-02 IPSec Connection

Click the Save button.

Set up the secondary Sophos UTM

The primary Sophos UTM is now configured to connect to the secondary Sophos UTM. The next step is to perform the previous steps to set up the secondary Sophos UTM.

The configuration steps will be identical, but the information used (public IP, local subnet, etc.) will be different.

Verify that the Site-to-Site VPN is working

Once the second Sophos UTM is configured as described above, the tunnel should be established automatically.

You can verify this by clicking on the “Site-to-Site VPN” on the left navigation menu as shown below.

Test the VPN tunnel

The last step is simply to test the VPN tunnel by pinging between management servers, establish a remote desktop connection or something along those lines.