2431 Views | 0 Helpful | 6 Replies

Cisco 881 to Sophos xg vpn while on Dynamic ip

kelvinmuriuki91
Level 1

Hi! I have a Sophos XG firewall at my HQ as the main router connected to my ISP (public IP), and at branch level I have a Cisco 881 series router connected to the ISP with a dynamic public IP. I want to create a VPN connection from the HQ to the branch level using GRE-IPsec, but I am having trouble setting up the link; after extensive research it seems Sophos suggests that it is not possible to create a VPN between Sophos and Cisco with the type of ISP setup that I have. Also to note is that we have 8 remote branches, all with the same setup as this branch. We need to filter all branch-level traffic from HQ using the Sophos firewall.
Is this possible? If so, how do I go about the setup?


6 Replies

balaji.bandi
Hall of Fame

I am not an expert on Sophos. As long as one end has a public IP (that is, the HQ side), your Cisco 881 can establish the VPN; this requires some testing, and logs to be collected if it is not working.

What stage are you at? Any setup done, and any testing and logs?

BB

Hi Balaji, I am sorry for responding after so long. I have tried the setup with the Sophos having a public IP (my HQ) and the Cisco on a dynamic IP, but my setup is basically a GRE-IPsec tunnel, so I am stuck on how to configure the remote site (public IP address) on the Sophos for my Cisco 881, which is on a dynamic IP. Do you have another way I can maybe have a more secure and easier setup?

pieterh
VIP

1) >>> sophos suggest that it is not possible to create a vpn between sophos and cisco with the type of ISP set up that i have <<<
Please explain: what reason does Sophos give?

2) >>> i have cisco 881 series connected to the ISP with dynamic public ip <<<
A dynamic IP has its limitations; in the worst case you need to modify the Sophos end on each change of the 881's public IP address.

In most cases you can resolve the limitation by using a certificate which the 881 uses to authenticate itself to the Sophos.

3) If everything else fails, you can consider terminating the VPN not on the Sophos but on another router, either before or behind the Sophos firewall.

Hi Pieterh, thank you for your response. How do I generate the Cisco certificate, and what type of VPN setup do you think would best suit this setup? I need Sophos to be the firewall for all my remote branches; all traffic must go through Sophos for filtering.

NB! As this is a Cisco forum, knowledge about the Sophos is limited.

The VPN can also be done without using certificates, using only a pre-shared key,
but because of the dynamic IP this is not secure: the public IP cannot be included in the connection profile, and only a pre-shared key is susceptible to a brute-force attack.
Here is a Cisco doc about using certificates: Digital Certificates/PKI for IPSec VPNs.
This uses a Cisco CA, but that is no requirement; you can also use public certificates.

In my suggestion 3) all data still traverses the Sophos firewall, but the VPN is terminated on a separate router before or after the Sophos.

In my suggestion 2) (and your conversation with Balaji) a dynamic IP can still be a public IP!
But it can change from time to time;
your VPN will be down until you reconfigure the VPN on the Sophos with the new (dynamic) public IP of the branch router.
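
Pieterh's points 2) and 3) in the earlier reply, and the certificate suggestion in this one, come down to one configuration pattern on the branch side: the 881 authenticates with an FQDN-based certificate identity, so the HQ end never needs to know the branch's changing public address, and the tunnel source is bound to the WAN interface by name rather than to an address. The following Cisco IOS configuration is an added example written for this thread; it is not from the thread, from the Cisco document linked above, or from Sophos, and it covers the branch 881 side only (the Sophos side cannot be expressed as IOS). The hostnames (ca.example.com, hq.example.com, branch1.example.com), the HQ_PUBLIC_IP placeholder, the tunnel and HQ LAN prefixes, and the trustpoint, proposal, profile and key names are all assumptions; it also assumes an IOS release with IKEv2 support and the securityk9 feature set on the 881.

```cisco
! Branch Cisco 881 with a DHCP-assigned public IP, GRE over IPsec to HQ.
! Added example with placeholder names; adjust to your own CA, names and prefixes.
hostname branch1
ip domain name example.com
!
! 1. PKI trustpoint: the router enrols with a CA (SCEP) and presents a certificate
!    instead of a pre-shared key. The CA only has to be trusted by both ends;
!    a Cisco IOS CA is not required. Replace ca.example.com with your CA's SCEP URL.
crypto pki trustpoint BRANCH-CA
 enrollment url http://ca.example.com:80
 subject-name CN=branch1.example.com,O=Example
 fqdn branch1.example.com
 revocation-check none
 rsakeypair BRANCH-KEY 2048
!
! 2. IKEv2. The local identity is the FQDN carried in the certificate, not the
!    public IP, so the peer can match this router even after its address changes.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 profile IKEV2-HQ
 match identity remote fqdn hq.example.com
 identity local fqdn branch1.example.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint BRANCH-CA
!
! 3. IPsec in transport mode: GRE already supplies the outer encapsulation.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES
 set ikev2-profile IKEV2-HQ
!
! 4. WAN port (FastEthernet4 on the 881) takes its address from the ISP by DHCP.
interface FastEthernet4
 ip address dhcp
 no shutdown
!
! 5. GRE tunnel to HQ, protected by the IPsec profile. Sourcing the tunnel from
!    the interface name means a new DHCP address does not require a config change.
!    HQ_PUBLIC_IP is a placeholder for the static address on the Sophos side.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination HQ_PUBLIC_IP
 tunnel protection ipsec profile IPSEC-GRE
!
! 6. Route the HQ LAN (placeholder 192.168.0.0/24) through the tunnel so that
!    traffic is filtered by the Sophos. If you instead point a default route at
!    Tunnel0 to send all branch traffic to HQ, you must keep a more specific route
!    to HQ_PUBLIC_IP via the ISP next hop, or the tunnel destination resolves into
!    the tunnel itself and IOS shuts the tunnel for recursive routing.
ip route 192.168.0.0 255.255.255.0 Tunnel0
```

After applying the configuration, fetch the CA certificate and request the router's own certificate from exec mode with `crypto pki authenticate BRANCH-CA` followed by `crypto pki enroll BRANCH-CA`, then check the negotiation with `show crypto ikev2 sa` and `show crypto ipsec sa`. Two design points: `revocation-check none` is only acceptable while testing, since a compromised branch certificate could not be revoked; switch it to `crl` or `ocsp` once the CA publishes one. And the Sophos end must identify the branch by the certificate subject or FQDN rather than by peer address, which is exactly what removes the dependency on the dynamic IP that a pre-shared-key profile cannot avoid.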

Thanks for your time and help, Pieterh. I know it is a Cisco platform (I had exhausted my avenues for a solution) and I appreciate all your input, guys; I will be sure to try the pre-shared keys for a solution.