IPsec Tunnel creation

How to create an IPsec site-to-site tunnel between two sites that are each behind a Sophos SG UTM.

Log into the UTM at the main office (the site the remote branch will connect to) and make the following configuration: Site-to-site VPN > IPsec > New Remote Gateway

Configure the Remote Gateway first

  • Name: Description of the remote connection
  • Gateway type: Respond only (the remote site will initiate the tunnel connection)
  • Authentication type: Pre-shared key (the key must match on both sites)
  • Remote network: Internal HQ (specify the remote networks that are allowed into the main branch; they must match on both sides)

Screenshot: IPsec Tunnel 1

Next, create the new IPsec connection

  • Name: Description of the remote site
  • Remote gateway: IPsec Example (the remote gateway just created)
  • Local interface: choose the interface that the remote branch is going to connect to, i.e. the publicly reachable address of the main office UTM.
  • Policy: AES-128 (the policy must be exactly the same on both UTMs)

Screenshot: IPsec Tunnel 2

Log into the UTM at the remote branch that needs to connect to the main office via IPsec and go to: Site-to-site VPN > IPsec > New Remote Gateway

Configure the Remote Gateway first

  • Name: Description of the remote connection
  • Gateway type: Initiate connection (the remote site will initiate the tunnel connection)
  • Gateway: (the publicly reachable address of the main office UTM, the one chosen as Local interface there)
  • Authentication type: Pre-shared key (the key must match on both sites)
  • Remote network: Internal HQ (specify the main office networks that this branch may reach through the tunnel; they must match on both sides)

Sophos UTM 9

How to generate a Certificate Signing Request (CSR) on Sophos UTM 9

Omit the brackets when typing the following commands.

  1. Log into the back end (shell) of the UTM.
  2. Switch to root with su.
  3. Then change to the home directory (cd /home/login)
  4. Now create a working copy of the OpenSSL configuration with the SUBJECT_ALT_NAME lines removed (cat /etc/ssl/openssl.cnf | grep -v SUBJECT_ALT_NAME > ./openssl.config)
  5. Then we have to generate the CSR.
  6. openssl req -config ./openssl.config -new -newkey rsa:2048 -out www.yourdomain.com.csr
  7. You should now be prompted for a passphrase and its confirmation (enter the passphrase of your choice and press Enter).
  8. You should now be prompted for the details of the CSR (enter the details and press Enter again).
  9. The completed CSR is saved to /home/login, together with the private key (privkey.pem, since no -keyout was given), and can be downloaded with WinSCP.
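The same CSR procedure as a script, added here as an example (not from the Sophos documentation or the UTM itself): it strips the SUBJECT_ALT_NAME lines into a working config, generates the key and CSR in one non-interactive step, and checks the result before it is copied off the box. Unlike step 7 above it writes the key unencrypted (-nodes) so it can run without prompts, and it names the key file explicitly with -keyout instead of relying on the privkey.pem default. The source config path, output directory, domain and the -subj fields are assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example: CSR generation on a Sophos UTM 9 shell (assumed paths/names).
set -eu

# Build a working copy of openssl.cnf without the SUBJECT_ALT_NAME lines,
# which is what the page's grep -v does. $1 = source config (normally
# /etc/ssl/openssl.cnf), $2 = destination (e.g. ./openssl.config).
make_csr_config() {
    src="$1"
    dst="$2"
    grep -v SUBJECT_ALT_NAME "$src" > "$dst"
}

# Generate a 2048-bit RSA key plus CSR for a domain without prompts.
# $1 = config written by make_csr_config, $2 = domain (CN), $3 = output dir.
# The key is unencrypted (-nodes) and restricted to the owner (chmod 600);
# the -subj fields are placeholders and must be replaced with real details.
make_csr() {
    cfg="$1"
    domain="$2"
    outdir="$3"
    openssl req -config "$cfg" -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" \
        -out "$outdir/$domain.csr" \
        -subj "/C=XX/ST=State/L=City/O=Example Org/CN=$domain" 2>/dev/null
    chmod 600 "$outdir/$domain.key"
}

# Verify the CSR's self-signature and print its subject so the operator can
# confirm the CN before submitting it to the CA ("verify OK" goes to stderr).
csr_check() {
    openssl req -in "$1" -noout -verify -subject
}

# Usage (assumed paths): run from /home/login on the UTM.
# make_csr_config /etc/ssl/openssl.cnf ./openssl.config
# make_csr ./openssl.config www.yourdomain.com .
# csr_check ./www.yourdomain.com.csr
```

After `csr_check` reports the expected subject, download both the .csr and the .key with WinSCP; the key is needed later when the issued certificate is uploaded to the UTM, and it should not be left world-readable anywhere it is copied.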