Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection between Cyberoam and Sophos Firewalls using a preshared key
KB-000035960 Mar 4, 2020
Overview
This article describes the steps to configure a Site-to-Site IPsec VPN connection between Cyberoam and Sophos
XG Firewalls using a preshared key as the authentication method for the VPN peers.
Applies to the following Sophos products and versions
Sophos Firewall
Go to Hosts and Services > IP Host and select Add to create the local LAN.
Go to Hosts and Services > IP Host and select Add to create the remote LAN.
Set the Authentication Type to preshared key.
In the Remote Subnet field, choose the remote LAN created earlier.
After you click Finish, the following screen is displayed, showing the connection created above.
Add two firewall rules allowing VPN traffic
Go to Firewall and click +Add Firewall Rule. Create two user/network rules as shown below.
Configuring Cyberoam Firewall
Add local and remote LAN
Go to OBJECTS > Hosts and select Add to create the local LAN.
Go to OBJECTS > Hosts and select Add to create the remote LAN.
Set the Authentication Type to preshared key.
Review the IPsec connection summary and click Finish.
After you click Finish, the following screen is displayed, showing the connection created above.
Add two firewall rules allowing VPN traffic
Go to FIREWALL > Rule > IPv4 Rule and click Add. Create two rules as shown below.
Establishing the IPsec connection
Once both firewalls at the head and branch offices are configured, establish the IPsec connection between
them. Since the firewall at the branch office initiates the connection, on the Cyberoam firewall go to VPN > IPSec >
Connections and click the icon under Status (Connection).
From Sophos XG Firewall, go to VPN > IPsec Connections and verify that the IPsec connection has been established.
Results
A ping test from a machine behind Sophos XG Firewall to a machine behind Cyberoam Firewall and vice versa
should work.
From Sophos XG Firewall go to Firewall and verify that VPN rules allow ingress and egress traffic.
Go to Reports > VPN and verify the IPsec usage.
From Cyberoam Firewall, go to FIREWALL > Rule > IPv4 Rule and verify that VPN rules allow download and upload
data.
Note:
Make sure that VPN firewall rules are on the top of the Firewall Rule list.
In a head and branch office configuration, the Cyberoam Firewall at the branch office usually acts as the
tunnel initiator and the Sophos Firewall at the head office as the responder, for the following reasons:
When the branch office device is configured with a dynamic IP address, the head office device cannot
initiate the connection.
As the number of branch offices varies, it is recommended that each branch office retry the connection
instead of the head office retrying all connections to branch offices.
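The settings entered on the two firewalls have to mirror each other, and a mismatch is easier to find on paper than from a tunnel that stays down. The following is an added example, not Sophos or Cyberoam code: it cross-checks the values this article asks for on each side (authentication type, preshared key, local and remote LAN, initiator/responder role) and the rule-order note above. The dictionary field names, addresses, key and rule names are constructed assumptions.

```python
import hmac
import ipaddress

# Constructed sample settings; field names are hypothetical, not a firewall export format.
HEAD = {"auth_type": "preshared key", "preshared_key": "constructed-sample-key",
        "local_subnet": "172.16.16.0/24", "remote_subnet": "192.168.10.0/24",
        "role": "responder"}    # Sophos XG Firewall, head office
BRANCH = {"auth_type": "preshared key", "preshared_key": "constructed-sample-key",
          "local_subnet": "192.168.10.0/24", "remote_subnet": "172.16.16.0/24",
          "role": "initiator"}  # Cyberoam firewall, branch office
RULES = [{"name": "LAN_to_VPN", "vpn": True}, {"name": "VPN_to_LAN", "vpn": True},
         {"name": "LAN_to_WAN", "vpn": False}]  # constructed rule list, top first


def check_peers(head, branch):
    """Return a list of mismatches between the two peers' IPsec settings."""
    findings = []
    for name, cfg in (("head", head), ("branch", branch)):
        if cfg["auth_type"] != "preshared key":
            findings.append(f"{name}: authentication type is not preshared key")
        local = ipaddress.ip_network(cfg["local_subnet"])
        remote = ipaddress.ip_network(cfg["remote_subnet"])
        if local.overlaps(remote):
            findings.append(f"{name}: local and remote LAN overlap")
    # Constant-time comparison, so the check does not leak key bytes through timing.
    if not hmac.compare_digest(head["preshared_key"].encode(),
                               branch["preshared_key"].encode()):
        findings.append("preshared keys differ")
    # Each side's local LAN must be the other side's remote LAN.
    for a, b, an, bn in ((head, branch, "head", "branch"),
                         (branch, head, "branch", "head")):
        if ipaddress.ip_network(a["local_subnet"]) != ipaddress.ip_network(b["remote_subnet"]):
            findings.append(f"{an} local LAN does not match {bn} remote LAN")
    if (head["role"], branch["role"]) != ("responder", "initiator"):
        findings.append("roles differ from head=responder, branch=initiator")
    return findings


def vpn_rules_on_top(rules):
    """True if every VPN rule precedes every non-VPN rule in the list."""
    seen_other = False
    for rule in rules:
        if rule["vpn"] and seen_other:
            return False
        seen_other = seen_other or not rule["vpn"]
    return True


if __name__ == "__main__":
    print(check_peers(HEAD, BRANCH) or "peer settings mirror each other")
    print("VPN rules on top:", vpn_rules_on_top(RULES))
```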
Related information
Sophos Firewall: How to change firewall rule order
Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection using RSA Keys
Sophos Firewall: How to establish a Site-to-Site IPsec connection using Digital Certificates
Sophos Firewall: How to apply NAT over a Site-to-Site IPsec VPN connection
Sophos Firewall: How to configure an IPsec VPN connection with multiple end points
Sophos Firewall: How to set a Site-to-Site IPsec VPN connection between XG and SG Firewalls using a
preshared key
Sophos Firewall: How to create a hub and spoke IPsec VPN
Sophos Firewall: Troubleshooting steps when traffic is not passing through the VPN tunnel