Workflow Guide. Establish Site-to-Site VPN Connection using Digital Certificates. For Customers with Sophos Firewall Document Date: November 2015





Establish Site-to-Site VPN Connection using Digital Certificates

Contents
  Overview
  Prerequisites
  Scenario
  Configuration
    Step 1: Upload HO Sophos Firewall's Default CA to BO Sophos Firewall (SF)
      Head Office
      Branch Office
    Step 2: Upload BO Sophos Firewall's Default CA to HO Sophos Firewall
    Step 3: Upload HO Sophos Firewall's Digital Certificate to BO Sophos Firewall
      Head Office
      Branch Office
    Step 4: Upload BO Sophos Firewall's Digital Certificate to HO Sophos Firewall
    Step 5: Configure IPsec Connection
      Head Office
      Branch Office

Overview

A digital certificate is an electronic "passport" that allows a person, computer or organization to exchange information securely over the Internet using the public key infrastructure (PKI). A digital certificate may also be referred to as a public key certificate. Just like a passport, a digital certificate provides identifying information, is forgery resistant and can be verified because it was issued by an official, trusted agency. The certificate contains the name of the certificate holder, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages to the holder and for verifying the holder's digital signatures) and the digital signature of the certificate-issuing authority (CA), so that a recipient can verify that the certificate is real.

Prerequisites

Exchange the Certificate Authority (CA) and Digital Certificates between a Head Office (HO) and a Branch Office (BO), then configure and establish an IPsec connection between them.

Scenario

Configure a site-to-site IPsec VPN connection between Site A and Site B by following the steps given below. In this article, we have used the following parameters to create the VPN connection.

Network Parameters
  HO network details
    Local WAN IP address: 10.206.1.173
    Local LAN address: 172.17.17.0/24
  BO network details
    Remote WAN IP address: 10.206.1.213
    Remote LAN network: 172.16.16.0/24

Configuration

You must be logged on to the Admin Console of both the HO and the BO SF as an administrator with Read-Write permission for the relevant feature(s).

Step 1: Upload HO Sophos Firewall's Default CA to BO Sophos Firewall (SF)

Head Office

Go to Objects > Identity > Certificate Authority or System > VPN > Certificate Authority and select Default CA. Specify the details of the CA, as shown below.

Once the CA is generated, download it to your local computer by clicking the Download icon against it. A file named local_certificate_authority.tar.gz is downloaded. Store and uncompress the file. The file contains the CA Root Certificate in two (2) formats:
- Default.pem (PEM file)
- Default.der (Security Certificate)

Branch Office

Upload the CA certificate (downloaded from HO) to the BO SF. To upload the CA, go to Objects > Identity > Certificate Authority or System > VPN > Certificate Authority and click Add. Upload the CA Root Certificate in either PEM or DER format. Click OK to save the HO Default CA in the BO Sophos Firewall.
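Before the downloaded CA is uploaded at the branch office, a practitioner would want to confirm that Default.pem and Default.der really carry the same certificate and that its fingerprint matches the one the HO administrator reads from the HO firewall, so a swapped or tampered archive is caught before it becomes a trust anchor for the tunnel. The following Python is an added example and is not part of the guide or of Sophos Firewall. It uses only the standard library, builds a stand-in local_certificate_authority.tar.gz in memory with the two file names the guide lists, and uses constructed bytes in place of a real DER certificate (the checks do not depend on the certificate's contents). All function names are the example's own.

```python
import hashlib
import io
import ssl
import tarfile

# Constructed stand-in for the DER bytes of Default.der. The real file from
# Sophos Firewall is an X.509 certificate; any byte string exercises the
# PEM/DER handling and fingerprinting below in the same way.
SAMPLE_DER = bytes(range(64)) * 4


def build_ca_archive(der_bytes):
    """Build an in-memory tar.gz laid out like local_certificate_authority.tar.gz:
    Default.pem (PEM) and Default.der (DER) holding the same CA root certificate.
    Constructed for this example to stand in for the firewall's download."""
    pem_text = ssl.DER_cert_to_PEM_cert(der_bytes)   # base64 + PEM armor
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("Default.pem", pem_text.encode()), ("Default.der", der_bytes)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint of a certificate's DER encoding,
    the form an administrator reads off a certificate page and compares by
    phone or another out-of-band channel."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def read_ca_archive(archive_bytes):
    """Extract Default.pem and Default.der from the archive and return
    {"pem": fingerprint, "der": fingerprint, "consistent": bool}.
    Raises ValueError if either file is missing."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name not in ("Default.pem", "Default.der"):
                continue
            data = tar.extractfile(member).read()
            if member.name.endswith(".pem"):
                # Strip the PEM armor and base64 to recover the DER bytes,
                # so both files are fingerprinted over the same encoding.
                data = ssl.PEM_cert_to_DER_cert(data.decode())
            found[member.name.split(".")[1]] = sha256_fingerprint(data)
    missing = {"pem", "der"} - set(found)
    if missing:
        raise ValueError(f"archive is missing: {sorted(missing)}")
    found["consistent"] = found["pem"] == found["der"]
    return found


def verify_before_upload(archive_bytes, expected_fingerprint):
    """True only if both files carry the same certificate and its fingerprint
    equals the value obtained out of band from the HO administrator."""
    info = read_ca_archive(archive_bytes)
    return info["consistent"] and info["der"] == expected_fingerprint


if __name__ == "__main__":
    archive = build_ca_archive(SAMPLE_DER)
    info = read_ca_archive(archive)
    print("Default.pem:", info["pem"])
    print("Default.der:", info["der"])
    print("both files are the same certificate:", info["consistent"])
    print("matches HO fingerprint:", verify_before_upload(archive, sha256_fingerprint(SAMPLE_DER)))
```

Only the DER bytes are hashed, so the PEM and DER copies of one certificate always give the same fingerprint; comparing that value with what the HO administrator sees is the check that matters, because the upload dialog at the branch office will accept any well-formed CA.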

Step 2: Upload BO Sophos Firewall's Default CA to HO Sophos Firewall

Configure and download the Default CA in the BO SF and upload it on the HO SF using the same steps as in Step 1.

Step 3: Upload HO Sophos Firewall's Digital Certificate to BO Sophos Firewall

Head Office

Create a self-signed certificate in the HO SF. Go to Objects > Identity > Certificate or System > VPN > Certificate and click Add to create a new certificate. Select Generate Self Signed Certificate and specify the details as shown below. Click Save to save the certificate. Once the certificate is generated, download it to your local computer by clicking the Download icon against it.

A file named HO_Certificate.tar.gz is downloaded. Store and uncompress the file. The file contains the following certificate files:
- UserPrivateKey.key (KEY file)
- UserCertificate.pem (PEM file)
- RootCertificate (PEM file)
- Password.txt (passphrase, present if Key Encryption is enabled)
- HO_Certificate.p12 (Personal Information Exchange)

Branch Office

Upload the certificate (downloaded from the HO Sophos Firewall) to the BO Sophos Firewall. To upload the certificate, go to Objects > Identity > Certificate or System > VPN > Certificate and click Add. Select UserCertificate.pem as the Certificate and UserPrivateKey.key as the Private Key, and specify the Passphrase.

Click Save to save the certificate.

Step 4: Upload BO Sophos Firewall's Digital Certificate to HO Sophos Firewall

Configure and download the self-signed certificate in the BO SF and upload it on the HO SF using the same steps as in Step 3.

Step 5: Configure IPsec Connection

Head Office

Implement the following steps on the HO Sophos Firewall.

1. To create a new IPsec connection, go to System > VPN > IPsec and click Add. Create the connection using the following parameters.

General Settings
  Name: HO_to_BO_IPsec
    Specify a unique name to identify the IPsec connection.
  Connection Type: SitetoSite
    Select SitetoSite.
  Policy: DefaultHeadOffice
    Select the policy to be used for the connection. A policy can also be added by clicking the Create New link.
  Action on VPN Restart: Respond Only
    Select the action to be taken on the connection when VPN services or the device restart. Available options:
    - Respond Only: keeps the connection ready to respond to any incoming request.
    - Initiate: activates the connection on system/service start so that the connection can be established whenever required.
    - Disable: keeps the connection disabled until the user activates it.

Authentication Details
  Authentication Type: Digital Certificate
    Select the authentication type. Authentication of the user depends on the type of connection.
  Local Certificate: HOCertificate
    Select the local certificate that the device should use for authentication.
  Remote Certificate: BOCertificate
    Select the remote certificate that the remote peer should use for authentication.

Endpoint Details
  Local: PortB-10.206.1.173
    Select the local WAN port from the list. IP aliases created for WAN interfaces are listed along with the default WAN interfaces.
  Remote: 10.206.1.213
    Specify the IP address or domain name of the remote peer. Click the Add icon against the Remote option to add new endpoint pairs, or click the Remove icon to remove endpoint pairs.

Network Details
  IP Family: IPv4
    Select the IP family to configure IPsec VPN tunnels with mixed IP families. Available options: IPv4, IPv6. By default, IPv4 is selected. Four types of IPsec VPN tunnels can be created:
    - 4 in 4 (IPv4 subnets with IPv4 gateway)
    - 6 in 6 (IPv6 subnets with IPv6 gateway)
    - 4 in 6 (IPv4 subnets with IPv6 gateway)
    - 6 in 4 (IPv6 subnets with IPv4 gateway)
  Local Subnet: 172.17.17.0/24
    Select the local LAN address of Site A. Add and remove LAN addresses using the Add and Remove buttons.
  Remote LAN Network: 172.16.16.0/24
    Select the IP addresses and netmask of the remote network in Site B which is allowed to connect to the device through the VPN tunnel. Multiple subnets can be specified. Select IP hosts from the list of IP hosts available. You can also add a new IP host and include it in the list.

2. Click Save to create the IPsec connection. On clicking Save, the following screen is displayed, showing the connection created above.

3. Click under Status (Active) to activate the connection.

Branch Office

Implement the following steps on the BO Sophos Firewall.

1. To create a new IPsec connection, go to System > VPN > IPsec and click Add. Create the connection using the following parameters.

General Settings
  Name: BO_to_HO_IPSec
    Specify a unique name to identify the IPsec connection.
  Connection Type: SitetoSite
    Select SitetoSite.
  Policy: DefaultBranchOffice
    Select the policy to be used for the connection. A policy can also be added by clicking the Create New link.
  Action on VPN Restart: Initiate
    Select the action to be taken on the connection when VPN services or the device restart. Available options:
    - Respond Only: keeps the connection ready to respond to any incoming request.
    - Initiate: activates the connection on system/service start so that the connection can be established whenever required.
    - Disable: keeps the connection disabled until the user activates it.

Authentication Details
  Authentication Type: Digital Certificate
    Select the authentication type. Authentication of the user depends on the type of connection.
  Local Certificate: BOCertificate
    Select the local certificate that the device should use for authentication.
  Remote Certificate: HOCertificate
    Select the remote certificate that the remote peer should use for authentication.

Endpoint Details
  Local: PortB-10.206.1.213
    Select the local WAN port from the list. IP aliases created for WAN interfaces are listed along with the default WAN interfaces.
  Remote: 10.206.1.173
    Specify the IP address or domain name of the remote peer. Click the Add icon against the Remote option to add new endpoint pairs, or click the Remove icon to remove endpoint pairs.

Network Details
  IP Family: IPv4
    Select the IP family to configure IPsec VPN tunnels with mixed IP families. Available options: IPv4, IPv6. By default, IPv4 is selected. Four types of IPsec VPN tunnels can be created:
    - 4 in 4 (IPv4 subnets with IPv4 gateway)
    - 6 in 6 (IPv6 subnets with IPv6 gateway)
    - 4 in 6 (IPv4 subnets with IPv6 gateway)
    - 6 in 4 (IPv6 subnets with IPv4 gateway)
  Local Subnet: 172.16.16.0/24
    Select the local LAN address of Site B. Add and remove LAN addresses using the Add and Remove buttons.
  Remote LAN Network: 172.17.17.0/24
    Select the IP addresses and netmask of the remote network in Site A which is allowed to connect to the device through the VPN tunnel. Multiple subnets can be specified. Select IP hosts from the list of IP hosts available. You can also add a new IP host and include it in the list.

2. Click Save to create the IPsec connection. On clicking Save, the following screen is displayed, showing the connection created above.

3. Click under Status (Active) and Status (Connection).

The above configuration establishes an IPsec connection between the two (2) sites.

Note: Make sure that security policies that allow LAN to VPN and VPN to LAN traffic are configured.

In a Head Office and Branch Office setup, the Branch Office usually acts as the tunnel initiator and the Head Office as the responder, for the following reasons:
- Since the Branch Office or other remote sites have dynamic IPs, the Head Office is not able to initiate the connection.
- As there can be many Branch Offices, it is good practice for each Branch Office to retry its own connection rather than the Head Office retrying all the branch office connections, which reduces the load on the Head Office.

Document Version: 1.0, 6 November 2015
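The two parameter tables in Step 5 are mirror images of each other, and the note above explains which side should initiate. Most tunnels that fail to come up in this kind of setup do so because the two tables disagree (a mistyped subnet, certificates not swapped, both sides left on Respond Only), so the following Python, added here as an example and not part of the guide or of Sophos Firewall, records the HO and BO values from Step 5 in plain dictionaries (the key names are the example's own, not firewall field names) and checks that the pair is consistent before either side is activated. It also runs a what-if with a deliberately mistyped remote subnet on the branch office side.

```python
import ipaddress

# Constructed from the parameter values in Step 5 of the guide. The dictionary
# keys are this example's own names, not Sophos Firewall field identifiers.
HO_CONNECTION = {
    "name": "HO_to_BO_IPsec",
    "action_on_restart": "Respond Only",
    "local_certificate": "HOCertificate",
    "remote_certificate": "BOCertificate",
    "local_wan": "10.206.1.173",
    "remote_wan": "10.206.1.213",
    "local_subnets": ["172.17.17.0/24"],
    "remote_subnets": ["172.16.16.0/24"],
}

BO_CONNECTION = {
    "name": "BO_to_HO_IPSec",
    "action_on_restart": "Initiate",
    "local_certificate": "BOCertificate",
    "remote_certificate": "HOCertificate",
    "local_wan": "10.206.1.213",
    "remote_wan": "10.206.1.173",
    "local_subnets": ["172.16.16.0/24"],
    "remote_subnets": ["172.17.17.0/24"],
}


def _networks(cidrs):
    """Parse a list of CIDR strings into a set of network objects (strict: host bits must be zero)."""
    return {ipaddress.ip_network(c, strict=True) for c in cidrs}


def check_site_to_site_pair(a, b):
    """Return a list of problems found when comparing the two ends of one tunnel.

    An empty list means the configurations mirror each other: WAN endpoints,
    certificates and subnets are swapped, no side has overlapping local/remote
    selectors, and exactly one side is configured to initiate.
    """
    problems = []

    # 1. Endpoint addresses must be swapped between the two sides.
    for x, y in ((a, b), (b, a)):
        if x["local_wan"] != y["remote_wan"]:
            problems.append(f"{x['name']}: local WAN {x['local_wan']} is not the remote "
                            f"endpoint configured on {y['name']} ({y['remote_wan']})")

    # 2. The certificate each side presents must be the one the other side expects.
    for x, y in ((a, b), (b, a)):
        if x["local_certificate"] != y["remote_certificate"]:
            problems.append(f"{x['name']}: local certificate {x['local_certificate']} does not "
                            f"match remote certificate {y['remote_certificate']} on {y['name']}")

    # 3. Protected subnets must be mirrored; a typo here leaves the tunnel up
    #    but traffic unmatched by the peer's selectors.
    for x, y in ((a, b), (b, a)):
        if _networks(x["local_subnets"]) != _networks(y["remote_subnets"]):
            problems.append(f"{x['name']}: local subnets {x['local_subnets']} are not the remote "
                            f"subnets configured on {y['name']} ({y['remote_subnets']})")

    # 4. On one side, local and remote selectors must not overlap, and the WAN
    #    address carrying IKE/ESP must not itself sit inside a tunnelled subnet.
    for side in (a, b):
        local, remote = _networks(side["local_subnets"]), _networks(side["remote_subnets"])
        for l_net in local:
            for r_net in remote:
                if l_net.overlaps(r_net):
                    problems.append(f"{side['name']}: local subnet {l_net} overlaps remote subnet {r_net}")
        wan = ipaddress.ip_address(side["local_wan"])
        for net in local | remote:
            if wan in net:
                problems.append(f"{side['name']}: WAN address {wan} lies inside tunnel subnet {net}")

    # 5. Exactly one side should bring the tunnel up; the guide's note explains
    #    why the branch office is the natural initiator.
    actions = (a["action_on_restart"], b["action_on_restart"])
    if "Disable" in actions:
        problems.append("one side is set to Disable; the tunnel stays down until activated manually")
    elif actions == ("Respond Only", "Respond Only"):
        problems.append("neither side initiates; the tunnel only comes up when something else triggers it")
    elif actions == ("Initiate", "Initiate"):
        problems.append("both sides initiate; prefer one initiator (the branch office) and one responder")

    return problems


def with_changes(conn, **changes):
    """Return a copy of a connection dict with some fields replaced, for what-if checks."""
    updated = dict(conn)
    updated.update(changes)
    return updated


if __name__ == "__main__":
    print("HO/BO as in the guide:", check_site_to_site_pair(HO_CONNECTION, BO_CONNECTION) or "OK")
    typo = with_changes(BO_CONNECTION, remote_subnets=["172.17.18.0/24"])  # constructed mistake
    for problem in check_site_to_site_pair(HO_CONNECTION, typo):
        print("-", problem)
```

The check is deliberately run before clicking Status (Active) on either side: a mirrored-subnet mistake still lets the tunnel authenticate, so it is only visible later as traffic that never crosses, whereas the initiator/responder check and the WAN-inside-subnet check explain two of the more confusing "it never connects" cases up front.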