Configure Tunnels with Sophos XG IPsec

This document provide information about how to setup IPsec tunnels between a Sophos XG Firewall and Cisco Umbrella to provide protection for endpoints that are routed to Umbrella through an IPsec tunnel. This document will cover routed IPsec tunnels.

Note: This document is based on Sophos XG version 18.05.586. While we expect that IPsec tunnels will continue to work with devices as each vendor updates their device, we cannot guarantee connectivity for versions not explicitly listed as tested in this document.

Table of Contents

Configure Tunnels in Umbrella

  1. Navigate to Deployments Network Tunnels and click Add.
  2. Give the Tunnel a name and choose Other as Device Type.
  1. Choose FQDN as the Authentication Method.
  2. Choose a Tunnel ID and a Passphrase.
  1. Click Save.
    Note: Copy the Tunnel ID and Passphrase as this information is required to configure the tunnel in Sophos XG.

Configure Sophos XG – IPsec Policy

Use SD-WAN Policy Routing to direct traffic down the tunnel to Umbrella.

  1. In Sophos XG, navigate to Configure VPN IPsec policies and click Add.
  2. Give it a meaningful name so you can easily find it when attaching it to the IPsec Tunnel.
  3. Leave Key Exchange and Authentication Mode set to IKEv2 and Main mode respectively.
  1. Add values for Phase 1 and Phase 2.
    Note: If a field is not listed, in the following table use the default value.
Phase 1Value
Key Life28800
DH group (key group)19 & 20
AuthenticationSHA2 256
Phase 2Value
PFS group (DH group)Same as phase-1
Key life3600
AuthenticationSHA2 256
Dead Peer DetectionValue
Check peer after every10 Seconds
When peer unreachableRe-initiate

Configure IPsec Connections

  1. Navigate to IPsec connections.
  2. Give the tunnel a name.
  3. Add the following values for each section and enter the preshared key created in Umbrella:
General Settings & EncryptionValue
IP versionIPv4
Connection typTunnel interface
Gateway typeInitiate the connection
PolicyIPsec Policy we created in the previous step
Authentication TypePreshared key
1091 1088
Gateway settingsValue
Listening interfaceWAN interface
Local ID typeEmail
Local IDTunnel ID created in the Umbella Dashboard
Gateway addressUmbrella DC IP Address. List located here
Remote ID typeIP address
Remote IDSame IP address as Gateway address
  1. Click Save.
    You should now see the tunnel.

Note: If the Active and Connection Status are not green, click each to manually activate it.

Now that the tunnel is built, create the tunnel interface and gateway.

Tunnel Interface and Gateway

  1. Navigate to Configure Network Interfaces.
  2. Click your WAN port which will show the VPN interface xfrm1.
  3. Click the icon with 3 lines and choose Edit interface.
  4. Leave Name (xfrm1) as it is and make sure IPv4 configuration is selected.
  5. Choose a RFC1918 address that does not exist in your environment. For the netmask, choose a /30 as you only need two addresses for this point-to-point connection and click Save.
  6. Navigate to Configure > Routing > Gateways and click Add with the following:
Gateway hostValue
NameGive it meaningful name (ie UmbrellaGW)
Gateway IPGive it the second IP in the /30 from earlier. For example if you sed for the Tunnel Interface then use for the gateway
InterfaceChoose the interface we created earlier (most likely xfrm1)
ZoneChoose None. If you wish to bind this to a particular zone then you will need to make sure you have the proper firewall rules in place which is beyond the scope of this document
Health checkOFF
  1. Click Save.

SD-WAN Policy Routing

  1. Navigate to Configure Routing > SD-WAN > policy routing and click Add.
  2. Give it a meaningful Name then enter the following information:
Traffic selector& RoutingValue
Incoming InterfaceChoose the internal interface where the devices you wish to route to SIG will ingress the Sophos on
DSCP markingChoose a value if you wish but ours will be off
Source NetworksChoose the networks or hosts you wish to route down the SIG Tunnel
Destination NetworksThis will most likely be Any. You will want to make sure any other site to site tunnels for internal traffic is has priority over this tunnel.
ServicesChoose which services you want to send down the tunnel. We’ll be using Any to send all traffic
Application ObjectLeave as Any or if you only want to route specific applications, choose those applications here.
User or groupsIf you wish to route based on Users or groups, do so here. Ours will be set to Any
Primary GatewayThe gateway we created earlier
Backup GatewayThis could be a backup tunnel to SIG or another GW. For the sake of this document, we will be selecting none but feel free to choose what will work best in your environment
  1. Click Save.

Test the Configuration

Once the tunnel is up and the proper SD-WAN routing rules in place, test the tunnel with a device on the network you configured in the SDW-WAN policy.

To verify, navigate to a site such (for example, Run curl if using CLI. You should receive an IP Address in either a 146.112.x.x, 151.186.x.x, or 155.190.x.x range.

Other Resources

Sophos Route Based VPN article

Umbrella Cloud Firewall

Configure Tunnels with Google Cloud Platform IPsec < Configure Tunnels with Sophos XG IPsec > Configure Tunnels with Silver Peak