
Route system-generated authentication queries through an IPsec tunnel

You can route traffic generated by Sophos Firewall through a policy-based or route-based VPN tunnel.

For example, you can route the branch office firewall's authentication queries to the AD server deployed in the head office through an IPsec tunnel.

Overview

An IPsec VPN tunnel connects the head office and the branch office firewalls.

System-generated traffic uses a gateway listed on Network > WAN link manager by default. You can ensure that this traffic uses an IPsec tunnel. This example shows how to use policy-based and route-based tunnels for the traffic.

For policy-based IPsec tunnels, do as follows on the branch office firewall:

  • Add an IPsec route for system-generated traffic to the AD server.
  • Translate (source NAT) the branch office gateway addresses to a LAN or WAN interface for authentication queries to the AD server's address. In this example, we use a LAN interface.
  • Check the local and remote subnets in your policy-based IPsec configuration for the LAN or WAN interface you've used in the translation.

For route-based IPsec tunnels, do as follows:

  • Translate (source NAT) the branch office gateway addresses to the XFRM interface for authentication queries to the AD server's address. Do this on the branch office firewall.
  • Configure an SD-WAN route to send authentication queries to the XFRM interface. Do this on the branch and head office firewalls.
  • Configure inbound and outbound firewall rules on the head office firewall.

The configuration details are examples based on the following network diagram:

IPsec route for AD server network diagram.

Prerequisite: Configure an IPsec VPN tunnel

You must have one of the following VPN configurations on both firewalls:

You must configure the following IP hosts on both firewalls:

  • AD server (example: 10.10.1.15)
  • Branch office LAN interface (example: 10.10.1.1)
  • XFRM interface addresses (example: 3.3.3.3 and 3.3.3.4)

You must add an IPsec route and translate the gateway addresses on the branch office firewall.

Branch office: Add an IPsec route

Do as follows:

  1. Sign in to the CLI of the branch office firewall.
  2. Enter 4 for Device console and press Enter.
  3. To add an IPsec route that sends system-generated traffic to the AD server through an IPsec connection, enter the following command:

    system ipsec_route add host <IP address of host> tunnelname <tunnel>

    Example

    system ipsec_route add host 10.10.2.15 tunnelname Branch_to_HeadOffice

Translate the addresses of gateways system-generated traffic uses

Do as follows:

  1. Translate the branch office firewall's gateway addresses to a LAN interface address for authentication queries to the AD server at the head office.

    Enter the following command:

    set advanced-firewall sys-traffic-nat add destination <Destination or network IP address> snatip <NATed IP>

    Example

    set advanced-firewall sys-traffic-nat add destination 10.10.2.15 snatip 10.10.1.1

  2. Make sure you've selected the translated LAN interface as a local and remote subnet in the corresponding branch and head office IPsec configurations.

You can use a route-based tunnel with any-to-any subnets.
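The policy-based procedure above hinges on one consistency check: the host named in the ipsec_route must fall inside the tunnel's remote subnet, and the snatip chosen for sys-traffic-nat must fall inside its local subnet, or the query never matches the traffic selectors and leaves via the default WAN gateway instead. The following script is an added example, not part of this page or of Sophos Firewall; it models the three CLI objects as plain data and cross-checks them with the standard library. The tunnel subnets (10.10.1.0/24 and 10.10.2.0/24) and the WAN address 203.0.113.5 are assumed values constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IpsecTunnel:
    name: str             # policy-based IPsec connection name
    local_subnets: list   # CIDR strings on this firewall's side
    remote_subnets: list  # CIDR strings on the peer's side


@dataclass
class IpsecRoute:
    host: str             # "system ipsec_route add host <host> tunnelname <tunnel>"
    tunnelname: str


@dataclass
class SysTrafficNat:
    destination: str      # "sys-traffic-nat add destination <dst> snatip <ip>"
    snatip: str


def _covered(ip, subnets):
    """True when ip lies inside at least one of the CIDR strings."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in subnets)


def check_policy_based(tunnels, routes, nats):
    """Cross-check ipsec_route and sys-traffic-nat entries against the tunnel selectors.

    Returns a list of findings. An empty list means every routed host sits inside its
    tunnel's remote subnets and is reached from a translated source inside the local subnets.
    """
    findings = []
    by_name = {t.name: t for t in tunnels}
    for route in routes:
        tunnel = by_name.get(route.tunnelname)
        if tunnel is None:
            findings.append(f"ipsec_route {route.host}: tunnel '{route.tunnelname}' does not exist")
            continue
        if not _covered(route.host, tunnel.remote_subnets):
            findings.append(f"ipsec_route {route.host}: outside remote subnets of {tunnel.name}")
        host = ipaddress.ip_address(route.host)
        # A sys-traffic-nat destination may be a host or a network; match either form.
        matching = [n for n in nats
                    if host in ipaddress.ip_network(n.destination, strict=False)]
        if not matching:
            findings.append(f"no sys-traffic-nat entry covers {route.host}: queries keep the "
                            "WAN gateway address as source and will not match the selectors")
        for nat in matching:
            if not _covered(nat.snatip, tunnel.local_subnets):
                findings.append(f"snatip {nat.snatip} for {route.host}: "
                                f"outside local subnets of {tunnel.name}")
    return findings


# Constructed sample using the page's example values; the subnets are assumed.
TUNNELS = [IpsecTunnel("Branch_to_HeadOffice", ["10.10.1.0/24"], ["10.10.2.0/24"])]
ROUTES = [IpsecRoute("10.10.2.15", "Branch_to_HeadOffice")]
NATS = [SysTrafficNat("10.10.2.15", "10.10.1.1")]

if __name__ == "__main__":
    for line in check_policy_based(TUNNELS, ROUTES, NATS) or ["OK: selectors cover the translated flow"]:
        print(line)
    # Translating to a WAN address that the selectors do not cover is the usual mistake.
    for line in check_policy_based(TUNNELS, ROUTES, [SysTrafficNat("10.10.2.15", "203.0.113.5")]):
        print(line)
```

Run it against the values from your own connection's local and remote subnets before troubleshooting packet captures; a finding on the snatip line is the symptom of step 2 above having been skipped.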

Branch office: Add an SD-WAN route

  1. Go to Routing > SD-WAN routes and click Add.
  2. Enter a Name.
  3. Set Source networks to Any.
  4. Set Destination networks to the IP host for the AD server. To configure the IP host, do as follows:
    1. Click Add new item and clear Any.
    2. Click Add and enter a Name.
    3. For IP address, enter 10.10.2.15.
    4. Click Save.
  5. For Services, create an object for TCP port 636 (the default port for secure AD and LDAP authentication).

    Do as follows:

    1. Click Add new item and clear Any.
    2. Click Add and click Services.
    3. Enter a Name.
    4. For Destination port, enter 636.
    5. Click Save.

      SD-WAN port in branch office.

  6. Under Link selection settings, select Primary and backup gateways.

  7. Click the drop-down list for Primary gateway and click Add.
  8. Do as follows:

    1. Enter a name.
    2. For Gateway IP, enter the head office XFRM IP address (3.3.3.3).
    3. For Interface, select the XFRM interface you've configured on this firewall (example: xfrm1_3.3.3.4).

      SD-WAN XFRM gateway in branch office.

    4. If you want Health check on, for Monitoring condition, enter the AD server's IP address (10.10.2.15).

      SD-WAN healthcheck settings in branch office.

  9. Select Route only through specified gateways.

    The firewall then drops traffic if the tunnel isn't available.

  10. Click Save.

Branch office: Turn on ping through VPN

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select the checkbox for VPN.
  3. Click Apply.

Branch office: Translate the gateway used by default

Translate (source NAT) the branch office firewall's gateway addresses to the XFRM interface address for system-generated traffic to the head office AD server.

Enter the following command:

set advanced-firewall sys-traffic-nat add destination <Destination or network IP address> snatip <NATed IP>

Example

set advanced-firewall sys-traffic-nat add destination 10.10.2.15 snatip 10.10.1.1

Head office: Add an SD-WAN route

  1. Go to Routing > SD-WAN routes and click Add.
  2. Enter a Name.
  3. Set Source networks to the IP host for the AD server (10.10.2.15).
  4. Set Destination networks to the IP host for the LAN interface to which you've translated on the branch office firewall (10.10.1.1).
  5. For Services, create an object for TCP port 636 (the default port for secure AD and LDAP authentication).

    Do as follows:

    1. Click Add new item and clear Any.
    2. Click Add and click Services.
    3. Enter a Name.
    4. For Destination port, enter 636.
    5. Click Save.

    SD-WAN settings in head office.

  6. Under Link selection settings, select Primary and backup gateways.

  7. Click the drop-down list for Primary gateway and click Add.
  8. Do as follows:

    1. Enter a name.
    2. For Gateway IP, enter the branch office XFRM IP address (3.3.3.4).
    3. For Interface, select the XFRM interface you've configured on this firewall (example: xfrm1_3.3.3.3).

      SD-WAN XFRM gateway in head office.

    4. If you want Health check on, for Monitoring condition, enter an IP address in the branch office LAN (10.10.1.10).

      SD-WAN healthcheck settings in head office.

  9. Select Route only through specified gateways.

    The firewall then drops traffic if the tunnel isn't available.

  10. Click Save.

Head office: Turn on ping through VPN

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select the checkbox for VPN.
  3. Click Apply.

Head office: Outbound firewall rule

Configure a firewall rule to allow outbound traffic on the head office firewall. This allows the AD server to send its replies through the route-based VPN tunnel.

Select the following:

  1. Source zones: DMZ
  2. Source networks and devices: ADServer
  3. Destination zones: VPN
  4. Destination networks: BO_LAN
  5. Services: AD_LDAP
  6. Click Save.

    Here's an example:

    Outbound firewall rule for AD server in head office.

Head office: Inbound firewall rule

Configure a firewall rule to allow inbound traffic on the head office firewall. Authentication queries received through the route-based VPN tunnel are then sent to the AD server.

Select the following:

  1. Source zones: VPN
  2. Source networks and devices: BO_LAN
  3. Destination zones: DMZ
  4. Destination networks: ADServer
  5. Services: AD_LDAP
  6. Click Save.

    Here's an example:

    Inbound firewall rule for DHCP server in head office.
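The two head office rules are deliberately narrow: only the branch LAN object may reach the AD server, only on TCP 636, and only the AD server may answer back into the VPN zone. The script below is an added example, not part of this page or of Sophos Firewall; it is a small first-match rule evaluator that walks the authentication query and its reply through the inbound and outbound rules exactly as the page describes them (each direction matched against its own rule), then shows that a query from an address outside BO_LAN or on plain LDAP port 389 is dropped by the default deny. The object definitions (BO_LAN as 10.10.1.0/24, ADServer as 10.10.2.15/32, AD_LDAP as tcp/636) and the stray source 192.0.2.7 are assumed values constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    proto: str
    dst_port: int


@dataclass
class Rule:
    name: str
    src_zones: set    # zone names
    src_nets: list    # CIDR strings resolved from host/network objects
    dst_zones: set
    dst_nets: list
    services: set     # (proto, dst_port) pairs
    action: str = "accept"


def _in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def match_rule(rules, flow):
    """First-match evaluation; anything that matches no rule hits the default drop."""
    for rule in rules:
        if (flow.src_zone in rule.src_zones and flow.dst_zone in rule.dst_zones
                and _in_nets(flow.src_ip, rule.src_nets)
                and _in_nets(flow.dst_ip, rule.dst_nets)
                and (flow.proto, flow.dst_port) in rule.services):
            return rule.name, rule.action
    return None, "drop"


# Constructed objects mirroring the page's rule fields (membership values assumed).
HOSTS = {"ADServer": "10.10.2.15/32", "BO_LAN": "10.10.1.0/24"}
AD_LDAP = {("tcp", 636)}
INBOUND = Rule("Inbound_AD", {"VPN"}, [HOSTS["BO_LAN"]], {"DMZ"}, [HOSTS["ADServer"]], AD_LDAP)
OUTBOUND = Rule("Outbound_AD", {"DMZ"}, [HOSTS["ADServer"]], {"VPN"}, [HOSTS["BO_LAN"]], AD_LDAP)


def check_auth_path(rules, snat_ip="10.10.1.1", ad_ip="10.10.2.15"):
    """Evaluate the LDAPS query (branch -> AD) and the AD reply (AD -> branch)."""
    query = Flow("VPN", snat_ip, "DMZ", ad_ip, "tcp", 636)
    reply = Flow("DMZ", ad_ip, "VPN", snat_ip, "tcp", 636)
    return {"query": match_rule(rules, query), "reply": match_rule(rules, reply)}


if __name__ == "__main__":
    rules = [INBOUND, OUTBOUND]
    print("both rules present:", check_auth_path(rules))
    print("outbound rule missing:", check_auth_path([INBOUND]))
    # Traffic the rules should not admit: wrong source object, wrong service.
    stray = Flow("VPN", "192.0.2.7", "DMZ", "10.10.2.15", "tcp", 636)
    plain_ldap = Flow("VPN", "10.10.1.1", "DMZ", "10.10.2.15", "tcp", 389)
    print("stray source:", match_rule(rules, stray))
    print("port 389:", match_rule(rules, plain_ldap))
```

The snat_ip parameter is the address you translated to on the branch office firewall; if it is changed to an address outside the BO_LAN object, the query result flips to the default drop, which is the quickest way to see why the head office SD-WAN route and the inbound rule must both reference the same translated address.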