06-11-2021 12:26 AM
Hi! I have a Sophos XG firewall at my HQ as the main router connected to my ISP (public IP), and at branch level I have Cisco 881 series routers connected to the ISP with dynamic public IPs. I want to create a VPN connection from the HQ to the branches using GRE over IPsec, but I am having trouble setting up the link, and after extensive research it seems Sophos suggests that it is not possible to create a VPN between Sophos and Cisco with the type of ISP setup that I have. Also to note is that we have 8 remote branches, all with the same setup as this branch. We need to filter all branch-level traffic from HQ using the Sophos firewall.
Is this possible? If so, how do I go about the setup?
06-11-2021 04:33 AM
I am not an expert on Sophos. As long as one end has a public IP (that is, the HQ side), your Cisco 881 can establish the VPN. This requires some testing, and logs to be collected if it is not working.
What stage are you at? Any setup done, and any testing and logs?
06-15-2021 12:04 AM
Hi Balaji, I am sorry for responding after so long. I have tried the setup with the Sophos having a public IP (my HQ) and the Cisco on a dynamic IP, but my setup is basically a GRE-over-IPsec tunnel, so I am stuck on how to configure the remote site (public IP address) on the Sophos for my Cisco 881, which is on a dynamic IP. Do you have another way I could maybe have a more secure and easier setup?
06-11-2021 07:40 AM
1) >>> sophos suggest that it is not possible to create a vpn between sophos and cisco with the type of ISP set up that i have <<<
Please explain: what reason does Sophos give?
2) >>> i have cisco 881 series connected to the ISP with dynamic public ip <<<
A dynamic IP has its limitations; in the worst case you need to modify the Sophos end on each change of the 881's public IP address.
In most cases you can resolve the limitation by using a certificate which the 881 uses to authenticate itself to the Sophos.
3) If everything else fails, you can consider terminating the VPN not on the Sophos, but on another router,
either in front of or behind the Sophos firewall.
06-15-2021 12:07 AM
Hi Pieterh, thank you for your response. How do I generate the Cisco certificate, and what type of VPN setup do you think would best suit this scenario? I need the Sophos to be the firewall for all my remote branches; all traffic must go through the Sophos for filtering.
06-16-2021 01:30 AM
NB! As this is a Cisco forum, knowledge about the Sophos is limited.
The VPN can also be done without using certificates, using only a pre-shared key,
but because of the dynamic IP this is not secure, as the public IP cannot be included in the connection profile, and a pre-shared key alone is susceptible to a brute-force attack.
Here is a Cisco doc about using certificates: Digital Certificates/PKI for IPSec VPNs
This uses a Cisco CA, but that is not a requirement; you can also use public certificates.
In my suggestion 3), all data still traverses the Sophos firewall, but the VPN is terminated on a separate router in front of or behind the Sophos.
In my suggestion 2) (and your conversation with Balaji): a dynamic IP can still be a public IP!
But it can change from time to time.
Your VPN will be down until you reconfigure the VPN on the Sophos with the new (dynamic) public IP of the branch router.
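To make the certificate-based setup from suggestion 2) concrete, here is an added example of the branch-side Cisco 881 configuration for a GRE-over-IPsec tunnel whose IKEv2 peer authenticates with RSA certificates instead of a pre-shared key. This is not configuration from the thread or from either vendor's documentation; it is an illustration written for this page. All names and addresses are assumptions: the trustpoint BRANCH-CA and its enrollment URL, the HQ public address 203.0.113.10, the FQDN identities, the tunnel subnet 10.255.0.0/30 and the HQ LAN 10.0.0.0/8. It also assumes an IOS image on the 881 that supports IKEv2 and PKI (security feature set), and that FastEthernet4 is the DHCP-addressed WAN port. The point the example makes is that the 881 is identified by its certificate FQDN, not by its address, so its dynamic WAN IP never appears in either end's peer configuration; the HQ firewall matches the remote ID and CA instead.

```text
! ---- PKI: the 881 enrolls with a CA and presents its own certificate (assumed names) ----
crypto pki trustpoint BRANCH-CA
 enrollment url http://ca.example.net:80          ! SCEP URL of your CA (assumption)
 subject-name CN=branch01.example.net,O=Example    ! identity the HQ end will match on
 fqdn branch01.example.net
 revocation-check none                             ! use crl/ocsp once your CA publishes them
 rsakeypair BRANCH-KEY 2048
!
! Run once from exec mode after the trustpoint exists (not configuration lines):
!   crypto pki authenticate BRANCH-CA   -> fetch and verify the CA certificate fingerprint
!   crypto pki enroll BRANCH-CA         -> request the 881's own certificate
!
! ---- IKEv2: certificate (rsa-sig) authentication in both directions ----
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
crypto ikev2 profile HQ-PROFILE
 match identity remote fqdn hq.example.net         ! HQ is matched by its certificate identity
 identity local fqdn branch01.example.net          ! sent as IDi; HQ matches this, not our WAN IP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint BRANCH-CA
!
! (Pre-shared-key variant, if you must: replace the two rsa-sig lines with
!   authentication remote pre-share / authentication local pre-share
!  plus a "crypto ikev2 keyring" holding the HQ peer and key. The HQ end then has to
!  accept an any-address peer, which is the weakness described above.)
!
! ---- IPsec: transport mode is enough because GRE already adds the outer header ----
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROTECT
 set transform-set TS-AES256-SHA256
 set ikev2-profile HQ-PROFILE
!
! ---- WAN port: dynamic public address from the ISP ----
interface FastEthernet4
 ip address dhcp
 no shutdown
!
! ---- GRE tunnel to HQ, protected by the IPsec profile above ----
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252             ! HQ end of the /30 would be 10.255.0.1
 ip mtu 1400                                       ! leave room for GRE + ESP overhead
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4                       ! follows whatever address DHCP hands out
 tunnel destination 203.0.113.10                   ! HQ's fixed public IP (assumption)
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROTECT
!
! Send everything the branch should have filtered at HQ into the tunnel
ip route 10.0.0.0 255.0.0.0 Tunnel0
```

On the Sophos side, the matching IPsec connection would be set with the gateway address left as any/dynamic, the remote ID set to the 881's certificate identity (branch01.example.net) and the CA that issued it, and the HQ firewall initiating nothing: the 881 must be the initiator, since only it knows its current address. Verify on the 881 with `show crypto ikev2 sa`, `show crypto ipsec sa` and `show interface Tunnel0`; if the SA comes up but no traffic flows, the usual culprits are the HQ end still expecting a fixed peer address, or the Sophos firewall rules not yet allowing the tunnel subnet through.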
06-17-2021 03:53 AM
Thanks for your time and help, Pieterh. I know it is a Cisco platform (I had exhausted my avenues for a solution), and I appreciate all your input, guys. I will be sure to try the pre-shared keys for a solution.