Requirements
Two running instances of Sophos UTM with the following basic characteristics:
- Each Sophos appliance should have a public IP assigned to the external NIC of the appliance.
- Each Sophos appliance should have basic configuration to serve as gateway for Internet access.
- Either a full or trial Sophos license to be able to use the appliance's VPN features.
- Network connectivity between these two appliances.
- Remote Desktop, ping, or other application that can be used for testing connectivity through the tunnel.
Sample configurations used for this tutorial
Below is a sample representation of the topology to be used for this tutorial.
To set up this topology, this tutorial will make use of two ProfitBricks Virtual Data Centers (VDCs). Each virtual data center is self-contained and therefore will act as two separate physical locations even though they are technically on the same physical data center.
Here are the sample networking details that will be used during this tutorial, along with a screenshot of one of these VDCs. The second VDC should look identical, except that it uses a different internal IP space (subnet) to avoid unnecessary NAT rules.
- VDC-01 Sophos Public IP: 162.254.X.X
- VDC-01 Sophos Internal IP: 192.168.1.1
- VDC-01 Mgmt Server Internal IP: 192.168.1.10
- VDC-02 Sophos Public IP: 208.94.Y.Y
- VDC-02 Sophos Internal IP: 192.168.2.1
- VDC-02 Mgmt Server Internal IP: 192.168.2.10
Set up the remote gateway
On your primary Sophos UTM (VDC-01), go to Site-to-Site VPN located on the left navigation menu. Then select the IPSec sub-menu option as depicted below.
Next, go to the Remote Gateways tab, click on the New Remote Gateway button, and fill out the details accordingly.
Here is a sample configuration:

- Name: VDC-02
- Gateway type: Initiate connection.
- Gateway: Click the + button to create a new Host by entering the details for the VDC-02 Sophos (Public IP). In this scenario, this would be the 208.94.Y.Y public IP.
- Authentication type: Preshared key
- Key: Enter a password to be used for the creation of the tunnel.
- Repeat: Re-enter a password to be used for the creation of the tunnel.
- VPN ID type: IP address
- VPN ID (optional): (Leave blank)
- Remote networks: Click the + button to create a new Network by entering the details for the VDC-02 internal LAN. In this scenario, this would be the 192.168.2.0 range.
- Comment: VDC-02 Remote Gateway
Click the Save button.
Set up the IPsec connection
The next step is to go over to the Connections tab and click on the New IPsec Connection button.
Here is the sample configuration for our scenario.
- Name: VDC-02 Connection
- Remote Gateway: VDC-02
- Local interface: External (WAN)
- Policy: AES-256 (this is a built-in policy)
- Local Network: Internal (LAN) (Network)
- This is done by clicking on the Folder icon and dragging and dropping the 'Network'.
- Check the Automatic firewall rules.
- Comments: VDC-02 IPSec Connection
Click the Save button.
Set up the secondary Sophos UTM
The primary Sophos UTM is now configured to connect to the secondary Sophos UTM. The next step is to perform the previous steps to set up the secondary Sophos UTM.
The configuration steps will be identical, but the information used (public IP, local subnet, etc.) will be different.
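Because the secondary UTM mirrors the primary (its remote gateway is the primary's public IP, its remote network is the primary's LAN, and the PSK and policy must match), a quick consistency check catches copy-paste mistakes before you look at tunnel logs. This is an added example, not part of the tutorial or a Sophos tool; the X.X/Y.Y octets of the public IPs are filled in with constructed values so it runs.

```python
"""Cross-check two mirrored Sophos UTM IPsec gateway definitions (added example)."""
import ipaddress


def side(name, public_ip, local_net, remote_gateway, remote_nets, psk, policy):
    """One appliance's settings as entered in WebAdmin (Remote Gateway + Connection)."""
    return {"name": name, "public_ip": public_ip, "local_net": local_net,
            "remote_gateway": remote_gateway, "remote_nets": remote_nets,
            "psk": psk, "policy": policy}


def check_pair(a, b):
    """Return a list of mismatches between the two sides; an empty list means consistent."""
    problems = []
    for here, there in ((a, b), (b, a)):
        # Each side's Remote Gateway host must be the other side's public IP.
        if here["remote_gateway"] != there["public_ip"]:
            problems.append(f"{here['name']}: remote gateway {here['remote_gateway']} "
                            f"is not {there['name']}'s public IP {there['public_ip']}")
        # Each side's Remote networks must be exactly the other side's Local network.
        if set(here["remote_nets"]) != {there["local_net"]}:
            problems.append(f"{here['name']}: remote networks {here['remote_nets']} "
                            f"do not match {there['name']}'s local network {there['local_net']}")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if a["policy"] != b["policy"]:
        problems.append(f"IPsec policies differ: {a['policy']} vs {b['policy']}")
    # Overlapping LANs would need NAT inside the tunnel; the tutorial avoids this on purpose.
    la, lb = ipaddress.ip_network(a["local_net"]), ipaddress.ip_network(b["local_net"])
    if la.overlaps(lb):
        problems.append(f"local networks overlap: {la} and {lb}")
    return problems


# Constructed sample values matching the tutorial's topology (public octets are placeholders).
VDC01 = side("VDC-01", "162.254.0.1", "192.168.1.0/24", "208.94.0.1",
             ["192.168.2.0/24"], "example-psk", "AES-256")
VDC02 = side("VDC-02", "208.94.0.1", "192.168.2.0/24", "162.254.0.1",
             ["192.168.1.0/24"], "example-psk", "AES-256")
# A typical mistake: the secondary was cloned from the primary and its LAN was not changed.
VDC02_BAD = side("VDC-02", "208.94.0.1", "192.168.1.0/24", "162.254.0.1",
                 ["192.168.2.0/24"], "example-psk", "AES-256")

if __name__ == "__main__":
    print("good pair:", check_pair(VDC01, VDC02) or "consistent")
    for p in check_pair(VDC01, VDC02_BAD):
        print("bad pair:", p)
```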
Verify that the Site-to-Site VPN is working
Once the second Sophos UTM is configured as described above, the tunnel should be established automatically.
You can verify this by clicking on the 'Site-to-Site VPN' on the left navigation menu as shown below.
Test the VPN tunnel
The last step is simply to test the VPN tunnel by pinging between the management servers, establishing a remote desktop connection, or something along those lines.
STEP 1: CONFIGURING UTM
- Defining a user account
- Open Definitions & Users > Users & Groups > Users
- Click “New User” button
- Make the following setting:
- Username, Real name, Email address
- Authentication: For Remote Access PPTP, the “local” and “RADIUS” authentication methods are supported. With the “local” authentication method, you enter two fields: Password and Repeat.
- Click “Save”
- Configuring PPTP settings
- Open Remote Access > PPTP > Global tab
- Enable PPTP
- Make the following settings:
- Authentication via: Select the authentication method (local or RADIUS)
- Users and groups: When using local authentication, select the users or groups that should be allowed to use PPTP remote access.
- Assign IP addresses by:
- IP address pool: the default pool is 10.242.1.x/24; the network is called VPN Pool (PPTP).
- DHCP server (DHCP server Via interface)
- Click Apply to save your settings
- Configuring advanced PPTP settings
- Open Remote Access > PPTP > Advanced tab
- Set the encryption strength: select 40-bit or 128-bit
Note: You should always set encryption to Strong (128-bit) except when your network includes endpoints that cannot support this. Both sides of the connection must use the same encryption strength.
- Click Apply to save your settings
- Optionally, enable debug mode => click Apply
- Defining Firewall Rules
- Open Network Protection > Firewall > Rules tab
- Click New Rule button
- Make the following settings:
- Sources: Add the remote host or user
- Services: Add the allowed services
- Destinations: Add the allowed networks
- Action: Select Allow
- Click Save
- Enable the rule by clicking the status icon; the status icon turns green
- Masquerading Rules
- Open Network Protection > NAT > Masquerading tab
- Click New Masquerading Rule button
- Make the following settings:
- Network: Select network of the remote endpoint.
- Interface: Select interface.
- Use address: If the interface you selected has more than one IP address assigned, you can define here which IP address is to be used for masquerading
- Click Save
- Enable rule
- Optionally, activate the proxies
STEP 2: CONFIGURING REMOTE CLIENT
- Start your browser and open the User Portal => log in to the User Portal => go to the Remote Access tab => view the PPTP information.
- Configuring Windows Client
- Click Start => Control Panel
- In the Control Panel, click Network and Internet => Network and Sharing Center => Set up a new connection or network
- Define the dial-up Internet connection
- Click Next
- Enter the hostname or the IP address of the gateway => Allow other people to use this connection
- Click Next
- Click Create
- Right-click the new connection and select Properties => Security => configure the settings as shown in the screenshot:
- Click OK
- Open Network => enter your username and password => Connected.
Done, Thanks for watching!
