Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=site-to-site-VPN-IPsec-firewall-behind-router

IPsec VPN with firewall behind a router

You can configure IPsec VPN connections between firewalls behind a router.

In this example, the head office firewall is behind a router and doesn't have a public IP address. You must configure the following at the head office and the branch office:

  1. Firewall prerequisite: Configure IP hosts for the local and remote subnets.
  2. Configure the IPsec VPN connection.
  3. Check the firewall rules.
  4. Allow access to services.
  5. Configure the router settings.
  6. Check connectivity.
  7. Check the logs.

Here's an example network diagram:

Network diagram for NAT traversal.

Configure the head office firewall

Configure the IPsec connection and firewall rules.

Add an IPsec connection

Create and activate an IPsec connection at the head office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select Activate on save.
  4. Select Create firewall rule.
  5. For Connection type, select Policy-based.

  6. For Gateway type, select Respond only.

    Here's an example:

    General settings.

  7. For Profile, select Head office (IKEv2).

  8. For Authentication type, select Preshared key.

  9. Enter a key and confirm it.

    Here's an example:

    Encryption settings.

  10. For Listening interface, select the local firewall's WAN port (example: 10.10.10.2).

  11. For Gateway settings, enter the remote firewall's WAN port (example: 203.0.113.10).
  12. For Local subnet, select the IP host you've created for 192.168.2.0.
  13. For Remote subnet, select the IP host you've created for 192.168.3.0.

  14. Click Save.

    Here's an example:

    Gateway settings.

Check the firewall rules

When you save the IPsec connection, the firewall automatically creates inbound and outbound firewall rules. They allow traffic between the head and branch offices.

To see the firewall rules, go to Rules and policies > Firewall rules and click the Automatic VPN rules rule group. You'll see two firewall rules named Incoming HQ_to_Branch and Outgoing HQ_to_Branch.

HQ to branch automatic firewall rule.

Note

If you already have a firewall rule to allow inbound VPN traffic, you can add the remote subnet to its Source networks and devices and the local subnet to Destination networks. You don't need to create an independent firewall rule for each IPsec connection.

Allow access to services

  1. Go to Administration > Device access.
  2. Under IPsec, select WAN.

  3. Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through the VPN to check connectivity.

  4. Click Apply.

Configure your router settings

Do as follows:

  1. Make sure you configure a DNAT rule on the router to allow the VPN traffic.

    1. Set the original destination to the router's WAN interface (example: 203.0.113.1).
    2. Set the translated destination to the local firewall's WAN interface (example: 10.10.10.2).

  2. Allow the following services:

    1. UDP port 500
    2. UDP port 4500
    3. IP protocol 50

Configure the branch office firewall

Configure the IPsec connection and firewall rules.

Add an IPsec connection

Create and activate an IPsec connection at the branch office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select Activate on save.
  4. Select Create firewall rule.
  5. For Connection type, select Policy-based.

  6. For Gateway type, select Initiate the connection.

    Here's an example:

    General settings.

  7. For Profile, select Branch office (IKEv2).

  8. For Authentication type, select Preshared key.

  9. Enter a key and confirm it.

    Here's an example:

    Encryption settings.

  10. For Listening interface, select the local firewall's WAN port (203.0.113.10).

  11. For Gateway settings, enter the head office router's WAN port (203.0.113.1).
  12. For Local subnet, select the IP host you've created for 192.168.2.0.
  13. For Remote subnet, select the IP host you've created for 192.168.3.0.

  14. Click Save.

    Gateway settings.

Check the firewall rules

When you save the IPsec connection, the firewall automatically creates inbound and outbound firewall rules. They allow traffic between the head and branch offices.

To see the firewall rules, go to Rules and policies > Firewall rules and click the Automatic VPN rules rule group. You'll see two firewall rules named Incoming Branch_to_HQ and Outgoing Branch_to_HQ.

HQ to branch automatic firewall rule.

Note

If you already have a firewall rule to allow outbound VPN traffic, you can add the local subnet to its Source networks and devices and the remote subnet to Destination networks.

Allow access to services

  1. Go to Administration > Device access.

  2. Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through the VPN to check connectivity.

  3. Click Apply.

Check the connectivity

Check the VPN connectivity between the head office and the branch office.

  • Head office firewall: Ping the branch office subnet. For example, on Windows, type the following command at the command prompt: ping 192.168.3.0
  • Branch office firewall: Ping the head office subnet. For example, on Windows, type the following command at the command prompt: ping 192.168.2.0

Check the logs

The head office firewall's logs show that it's detected a NAT device in front of it.

The branch office firewall's logs show that it's detected a NAT device in front of the head office firewall.