Remote work or VPN overview in Sophos XG Firewall


Hi all! This article will be devoted to an overview of the VPN functionality in the Sophos XG Firewall product. In the previous article we looked at how to get this home network security solution for free with a full license. Today we will talk about the VPN functionality that is built into Sophos XG. I will try to explain what this product can do, as well as give examples of setting up an IPSec Site-to-Site VPN and a custom SSL VPN. So, let's get to the review.

First of all, let's look at the licensing table:

[image: licensing table]

The full licensing details are published by Sophos; in this article we will only be interested in the items highlighted in red in the table above.

The basic VPN functionality is included in the basic license and is purchased only once. This is a lifetime license and does not require renewal. The Base VPN Options module includes:

Site to Site:

  • SSL VPN
  • IPSec VPN

Remote Access (Client VPN):

  • SSL VPN
  • IPsec Clientless VPN (with free user app)
  • L2TP
  • PPTP

As you can see, all popular protocols and types of VPN connections are supported.

Sophos XG Firewall also has two more types of VPN connections that are not included in the basic subscription: RED VPN and HTML5 VPN. Both are part of the Network Protection subscription, so to use them you need an active subscription; the same subscription also covers the network protection features, the IPS and ATP modules.

RED VPN is a proprietary L2 VPN from Sophos. This type of VPN connection has a number of advantages over Site-to-Site SSL or IPSec when setting up a VPN between two XGs. Unlike IPSec, a RED tunnel creates a virtual interface on both ends of the tunnel, which helps with troubleshooting, and unlike SSL, this virtual interface is fully customizable. The administrator has full control over the subnet within the RED tunnel, making it easier to resolve routing issues and subnet conflicts.

HTML5 VPN, or Clientless VPN, is a specific type of VPN that publishes services through HTML5 directly in the browser. The service types that can be configured are:

  • RDP
  • telnet
  • SSH
  • VNC
  • FTP
  • FTPS
  • SFTP
  • SMB

Keep in mind, though, that this type of VPN is meant only for special cases; where possible, it is recommended to use the VPN types from the lists above.

Practice

Let's see in practice how to configure several of these types of tunnels, namely: Site-to-Site IPSec and SSL VPN Remote Access.

Site-to-Site IPSec VPN

Let's start with how to set up a Site-to-Site IPSec VPN tunnel between two Sophos XG Firewalls. Under the hood, strongSwan is used, which allows you to connect to any router with IPSec support.

You can use the convenient and quick setup wizard, but we will take the general route so that, following these instructions, Sophos XG can be paired with any IPSec-capable equipment.

Open the policy settings window:


As we can see, there are already preset settings, but we will create our own.


Let's configure the encryption settings for the first and second phases and save the policy. We repeat the same steps on the second Sophos XG and then move on to setting up the IPSec tunnel itself.


Enter the name and the mode of operation, and configure the encryption settings. In this example we will use a Preshared Key,


and specify the local and remote subnets.


Our connection has been created.


We make the same settings on the second Sophos XG, with one exception: the operating mode there is set to Initiate the connection.


We now have two tunnels configured. Next, we need to activate and start them. This is simple: click the red circle under the word Active to activate the tunnel, and the red circle under Connection to start the connection.

If both indicators turn green, our tunnel is working correctly. If the second indicator is solid red or amber, something has been misconfigured in the encryption policies or in the local and remote subnets. Let me remind you that the settings on the two sides must mirror each other.
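Because a tunnel that stays red or amber is almost always a mirroring mistake, here is a small check that compares the two sides' settings before you click Connection. This is an added example, not Sophos code or part of the original article; the dictionary layout is an assumed model of the fields entered in the GUI (mode, PSK, phase 1/2 proposals, local and remote subnets), and the values are constructed samples.

```python
"""Check that two Sophos XG site-to-site IPsec tunnel definitions mirror each other.
Added example, not Sophos code; the dict layout below is an assumed model of the
fields entered in the GUI, and the values are constructed samples."""
from ipaddress import ip_network

SIDE_A = {                     # first firewall: waits for the peer (constructed)
    "mode": "respond_only",
    "psk": "example-psk-change-me",
    "phase1": {"enc": "aes256", "auth": "sha256", "dh": 14},
    "phase2": {"enc": "aes256", "auth": "sha256", "pfs": 14},
    "local_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
    "remote_subnets": ["10.20.0.0/24"],
}
SIDE_B = {                     # second firewall: "Initiate the connection"
    "mode": "initiate",
    "psk": "example-psk-change-me",
    "phase1": {"enc": "aes256", "auth": "sha256", "dh": 14},
    "phase2": {"enc": "aes256", "auth": "sha256", "pfs": 14},
    "local_subnets": ["10.20.0.0/24"],
    "remote_subnets": ["10.10.0.0/24", "10.10.1.0/24"],
}

def _nets(subnets):
    """Normalise so that "10.10.0.1/24" and "10.10.0.0/24" compare equal."""
    return {ip_network(s, strict=False) for s in subnets}

def _overlaps(nets1, nets2):
    return any(x.overlaps(y) for x in nets1 for y in nets2)

def mirror_problems(a, b):
    """Return human-readable mismatches; an empty list means the sides mirror."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    for phase in ("phase1", "phase2"):
        if a[phase] != b[phase]:
            problems.append(f"{phase} proposals differ: {a[phase]} vs {b[phase]}")
    if _nets(a["local_subnets"]) != _nets(b["remote_subnets"]):
        problems.append("A local subnets != B remote subnets")
    if _nets(a["remote_subnets"]) != _nets(b["local_subnets"]):
        problems.append("A remote subnets != B local subnets")
    if "initiate" not in (a["mode"], b["mode"]):
        problems.append("neither side initiates, so the tunnel never comes up")
    if _overlaps(_nets(a["local_subnets"]), _nets(a["remote_subnets"])):
        problems.append("local and remote subnets overlap: traffic selectors clash")
    return problems

if __name__ == "__main__":
    print("\n".join(mirror_problems(SIDE_A, SIDE_B) or ["tunnels are mirrored"]))
```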

Separately, I want to highlight that it is possible to create Failover groups from IPSec tunnels for fault tolerance:


Remote Access SSL VPN

Let's move on to Remote Access SSL VPN for users. Under the hood, standard OpenVPN is running, so users can connect with any client that supports .ovpn configuration files (for example, the standard OpenVPN client).

First, you need to configure the OpenVPN server policies:


Specify the transport protocol for the connection, configure the port, and set the range of IP addresses that will be assigned to connecting remote users.


Also, you can specify the encryption settings.

After configuring the server, we proceed to configure client connections.


Each SSL VPN connection rule is created for a group or for an individual user, and each user can have only one connection policy. The settings of interest in each such rule are: the individual users or the AD group the rule applies to; the checkbox that forces all of the client's traffic through the VPN tunnel; and the IP addresses, subnets or FQDNs that will be reachable to those users. Based on these policies, an .ovpn profile with the client settings is generated automatically.


Using the user portal, the user can download both an .ovpn file with VPN client settings and a VPN client installation file with an embedded connection settings file.
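Before handing a generated profile to users it is worth checking what it actually does: which transport and port it dials, which cipher it names, and whether it is full-tunnel or split-tunnel. The inspector below is an added example, not Sophos code or code from the original article; SAMPLE_OVPN is a constructed profile written with standard OpenVPN directives, not a real XG export. Options the server pushes at connect time (routes, a redirect-gateway) are not visible in the file itself, only in the client's connection log.

```python
"""Inspect an OpenVPN (.ovpn) client profile for the settings discussed above.
Added example, not Sophos code; SAMPLE_OVPN is constructed, not a real export."""
from ipaddress import ip_network

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 8443
cipher AES-256-GCM
auth SHA256
route 10.10.0.0 255.255.255.0
route 10.10.1.0 255.255.255.0
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, constructed)
-----END CERTIFICATE-----
</ca>
"""

def parse_profile(text):
    """Summarise transport, endpoint, crypto and routing directives in a profile."""
    info = {"proto": None, "remote": None, "port": 1194, "cipher": None,
            "auth": None, "full_tunnel": False, "routes": []}
    in_block = False                      # inside <ca>/<cert>/<key> ... </...>
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):          # inline block open or close tag
            in_block = not line.startswith("</")
            continue
        if in_block or not line or line.startswith("#"):
            continue
        key, *args = line.split()
        if key == "proto":
            info["proto"] = args[0]
        elif key == "remote":
            info["remote"] = args[0]
            if len(args) > 1:
                info["port"] = int(args[1])   # 1194 is the OpenVPN default
        elif key in ("cipher", "auth"):
            info[key] = args[0]
        elif key == "redirect-gateway":   # all client traffic goes via the tunnel
            info["full_tunnel"] = True
        elif key == "route" and len(args) >= 2:
            # split-tunnel: only these networks are reachable through the VPN
            info["routes"].append(str(ip_network(f"{args[0]}/{args[1]}", strict=False)))
    return info

if __name__ == "__main__":
    for key, value in parse_profile(SAMPLE_OVPN).items():
        print(f"{key:12} {value}")
```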


Conclusion

In this article, we briefly went over the VPN functionality in the Sophos XG Firewall product. We looked at how you can configure IPSec VPN and SSL VPN. This is not a complete list of what this solution can do. In the following articles I will try to review RED VPN and show how it looks in the solution itself.

Thank you for your time.

If you have any questions about the commercial version of XG Firewall, you can contact us, Factor Group, a Sophos distributor. Just write to us in free form at [email protected].

Source: habr.com
