Site to Site IKEv2 IPSec VPN between Sophos XG and Cisco Router


Today, I will describe how to configure Internet Key Exchange version 2 (IKEv2) and IP Security (IPsec) between a Cisco router and a Sophos XG firewall (17.5). IKEv2 is the key management protocol that negotiates and authenticates the security associations used by IPsec.

IKEv2 authenticates the remote router/firewall either with a pre-shared key (PSK) or with RSA signatures backed by a Public Key Infrastructure (PKI). IKEv2 must be configured on both peers, and both must use the same authentication method:
  • PSK authenticates each peer by requiring proof of possession of a shared secret. Each peer must have the same secret configured.
  • RSA signatures use PKI-based authentication. IKEv2 interacts with the PKI to obtain its own identity certificate and to validate the peer's certificate.
Let's start the IPsec VPN configuration with PSK authentication, following the diagram below:

Fig 1.1- IPSEC between Cisco and Sophos
The Sophos XG firewall has a fixed public IP (1.12.12.12), while the branch router gets a dynamic WAN IP. Because only one side has a known address, the Sophos side will be configured as responder and the Cisco router will always initiate the tunnel. First, I will configure a customized IPsec policy on the Sophos XG firewall. The predefined IKEv2 policy could be used, but I will start from the basics.

Step 1: Configure a Customized IPsec IKEv2 Policy:

1.   Navigate to VPN > IPsec Policies > Add Policy
2.   I defined the customized policy with the following details:

Fig 1.2

Policy Name: <Any descriptive name> (Cisco)
Key Exchange (Version): IKEv2
Key negotiation tries: 0 (0 is unlimited)
Re-Key connection: Enabled

Phase 1 Configuration:
Key Life: 8400 Seconds
Re-Key Margin: 360 Seconds
Randomize Re-Key Margin by: 60 Seconds
DH Group: 14 (2048-bit MODP)
1st Encryption Algorithm: AES128
2nd Encryption Algorithm: AES256
1st & 2nd Authentication Algorithm: SHA1

Phase2 Configuration:
PFS Group:  None
Key Life: 3600
1st Encryption Algorithm: AES256
2nd Encryption Algorithm: AES128
1st Authentication Algorithm: SHA256
2nd Authentication Algorithm: SHA1

Note: Sophos supports a minimum of one and a maximum of three algorithm combinations (encryption plus authentication) in Phase 1 and in Phase 2. Whatever is chosen here must be offered by the Cisco router's IKEv2 proposal (Phase 1) and transform set (Phase 2), otherwise the negotiation fails with a "no proposal chosen" error.

DPD Configuration:
Disable Dead Peer Detection for this policy; in my testing it did not work properly with the Cisco router.

Step 2: Configure VPN:
Navigate to the IPsec connection located at VPN > IPsec Connections

Fig 1.3

General Settings:
Name: <any Identical Name> (r2)
IP Version: IPv4
Activate on Save: Enable (if this is not enabled, the admin must activate the IPsec connection manually after every edit)
Create Firewall Rule: Disable (a firewall rule allowing traffic between the VPN zone and the LAN zone must then be created manually; without it the decrypted traffic is dropped by the firewall)
Connection type: Site to Site
Gateway type:  Respond only 

Encryption Settings:
Policy: Cisco <VPN policy which created in Step1 Configuration>
Authentication: Preshared Key <Enter the pre-shared key; I have entered "cisco123" for the lab. In production use a long, random secret, because a PSK that can be guessed or brute-forced offline from a captured IKE exchange gives up the tunnel.>

Gateway Setting:
Listening Interface: <WAN Interface>
Gateway Address: * (Any) 
Local and Remote ID type: DNS
Local ID: <Enter any DNS name> (sophos.lab)
Remote ID: <Cisco Router's ID> (r2.lab)
Local Subnet: Add new Local Subnet (10.10.10.0/24)
Remote Subnet: Add new Remote Subnet (172.16.16.0/24)

Step 3: Branch Cisco Router Configuration:

Cisco Router Configuration (branch side, initiator):
!
! Phase 1: must match the Sophos Phase 1 policy (AES-256 / SHA1 / DH group 14).
! SHA1 is kept only for parity with the policy above; SHA2-256 on both sides is preferable.
crypto ikev2 proposal proposal
 encryption aes-cbc-256
 integrity sha1
 group 14
!
crypto ikev2 policy Policy
 proposal proposal
!
! PSK for the Sophos peer. Replace cisco123 with a long random secret in production.
crypto ikev2 keyring key
 peer sophos
  address 1.12.12.12
  pre-shared-key cisco123
!
! Identities mirror the Sophos connection: its Local ID sophos.lab is our remote ID,
! its Remote ID r2.lab is our local ID.
crypto ikev2 profile profil
 match identity remote fqdn sophos.lab
 identity local fqdn r2.lab
 authentication remote pre-share
 authentication local pre-share
 keyring local key
!
! Phase 2: ESP with AES-256 and SHA-256, matching the Sophos Phase 2 1st algorithms.
! Sophos XG negotiates ESP only, so do not combine ah-* and esp-* transforms here.
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! No "set pfs" because PFS is None on the Sophos side.
crypto map vpn 10 ipsec-isakmp
 set peer 1.12.12.12
 set ikev2-profile profil
 set transform-set tset
 match address 101
!
interface FastEthernet0/0
 description WAN Interface
 ip address dhcp
 duplex full
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
! Interesting traffic: branch LAN 172.16.16.0/24 to HQ LAN 10.10.10.0/24 (mirror of the Sophos subnets).
access-list 101 permit ip 172.16.16.0 0.0.0.255 10.10.10.0 0.0.0.255

Note: As on the Sophos side, the Cisco proposal can carry several algorithms per type (for example "encryption aes-cbc-128 aes-cbc-256" or "integrity sha1 sha256"), and several proposals can be attached to one IKEv2 policy. The IKEv2 SA lifetime is not negotiated, so the Sophos Phase 1 key life and the Cisco default do not have to be equal; each side simply rekeys on its own timer.

Step 4: Generate VPN Traffic From the Branch Site:
Start a ping from a branch host to any HQ system/server. The first two or three ICMP requests time out while the IKEv2 SA and the IPsec SAs are negotiated; after that the tunnel is up. On the router, "show crypto ikev2 sa" should list the SA to 1.12.12.12 with status READY, and the "#pkts encaps"/"#pkts decaps" counters in "show crypto ipsec sa" should increase with each ping. If the tunnel does not come up, "debug crypto ikev2" on the router and the VPN log in the Sophos Log Viewer show which proposal or identity did not match.

If you ping the Sophos LAN interface or try to reach its HTTPS or SSH admin access through the tunnel, the firewall will not answer because of the Local Service ACL, found under Administration > Device Access. The device carries a default ACL from the first time it is powered on; enable only the services you actually need for the VPN zone and apply the settings. Traffic to hosts behind the firewall is governed separately by the firewall rules between the VPN and LAN zones.

An Article By Deepak Kumar 
LinkedIn: https://www.linkedin.com/in/engdeepak/
Twitter: https://twitter.com/Deepakkhw