rieskaniemi.com

yet another it blog

Site-to-site tunnel between Ubiquiti Edgerouter X and Sophos XG firewall


I recently purchased an Edgerouter X to serve as the router and firewall for the network at our summer house.

Previously I had a Raspberry Pi acting as the endpoint for the VPN tunnel, but that only let me reach the summer house from the home network, not the other way around, because the Raspberry Pi was not acting as a gateway.

The Edgerouter is connected to a Zyxel LTE7460 4G modem set to bridge mode, so the Edgerouter itself gets the static public IP.

Setting up the IPsec tunnel seemed straightforward, but after spending some time in the Edgerouter's GUI I ended up configuring the connection from the command line instead. The GUI on the Edgerouter is very limited and most “advanced” settings have to be done via the command line.

To change settings on the Edgerouter you need to enter configuration mode by typing configure in the Edgerouter CLI.

Linux cabin-router 4.14.54-UBNT #1 SMP Tue May 11 13:23:28 UTC 2021 mips
Welcome to EdgeOS
admin@cabin-router:~$ configure
[edit]
admin@cabin-router#

Next I created the phase 1 and phase 2 policies for the IPsec VPN negotiation. As usual, select strong encryption: at least AES256 with SHA256 and DH group 14. Note that the group names below are the reverse of the usual phase numbering: the ike-group (named ESP_Phase2 here) is what negotiates IKE phase 1, and the esp-group (named ESP_Phase1) covers phase 2. The names are only labels and are referenced consistently in the peer configuration further down.

set vpn ipsec esp-group ESP_Phase1 compression 'disable'
set vpn ipsec esp-group ESP_Phase1 lifetime '5400'
set vpn ipsec esp-group ESP_Phase1 mode 'tunnel'
set vpn ipsec esp-group ESP_Phase1 pfs 'enable'
set vpn ipsec esp-group ESP_Phase1 proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP_Phase1 proposal 1 hash 'sha256'
set vpn ipsec ike-group ESP_Phase2 ikev2-reauth 'yes'
set vpn ipsec ike-group ESP_Phase2 key-exchange 'ikev2'
set vpn ipsec ike-group ESP_Phase2 lifetime '5400'
set vpn ipsec ike-group ESP_Phase2 proposal 1 dh-group '14'
set vpn ipsec ike-group ESP_Phase2 proposal 1 encryption 'aes256'
set vpn ipsec ike-group ESP_Phase2 proposal 1 hash 'sha256'

Create an IPsec policy on the Sophos XG with the same settings.

Create the VPN connection on the Edgerouter. I have a static IP on the Edgerouter side (80.xx.xxx.xxx) and use dynamic DNS (vpn.yourdomain.com) on the Sophos side. Also choose a strong secret (Sophos XG limits it to 32 characters). The local network behind the Edgerouter is 10.100.1.0/24 and behind the Sophos 10.100.2.0/24. Replace these accordingly.

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec site-to-site peer vpn.yourdomain.com authentication id '80.xx.xxx.xxx'
set vpn ipsec site-to-site peer vpn.yourdomain.com authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer vpn.yourdomain.com authentication pre-shared-secret 'yoursupersecretpasswordgoeshere'
set vpn ipsec site-to-site peer vpn.yourdomain.com authentication remote-id 'vpn.yourdomain.com'
set vpn ipsec site-to-site peer vpn.yourdomain.com connection-type 'initiate'
set vpn ipsec site-to-site peer vpn.yourdomain.com default-esp-group 'ESP_Phase1'
set vpn ipsec site-to-site peer vpn.yourdomain.com ike-group 'ESP_Phase2'
set vpn ipsec site-to-site peer vpn.yourdomain.com ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer vpn.yourdomain.com local-address '80.xx.xxx.xxx'
set vpn ipsec site-to-site peer vpn.yourdomain.com tunnel 2 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer vpn.yourdomain.com tunnel 2 allow-public-networks 'disable'
set vpn ipsec site-to-site peer vpn.yourdomain.com tunnel 2 esp-group 'ESP_Phase1'
set vpn ipsec site-to-site peer vpn.yourdomain.com tunnel 2 local prefix '10.100.1.0/24'
set vpn ipsec site-to-site peer vpn.yourdomain.com tunnel 2 remote prefix '10.100.2.0/24'

Run commit and then save to apply the configuration and persist it across reboots:

commit;save

Create the IPsec VPN connection on the Sophos XG using the policy created earlier.

The Edgerouter only brings the tunnel up when there is traffic going through it to the remote addresses.

If you want to keep the tunnel open you can create a script that pings a device on the remote side.

Create a simple script called ipsec_keepalive.sh:

#!/bin/bash

# ping a host on the other side of the tunnel to keep it up
/bin/ping -c 10 10.100.2.10 > /dev/null 2>&1

Save this script to /config/scripts on the Edgerouter and make it executable:

chmod +x /config/scripts/ipsec_keepalive.sh

Now schedule the script to run every couple of minutes:

configure
set system task-scheduler task ipsec_keepalive executable path /config/scripts/ipsec_keepalive.sh
set system task-scheduler task ipsec_keepalive interval 2m
commit;save
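A plain ping keeps the tunnel up but says nothing about whether it ever went down. The script below is an added example, not the post's script and not an EdgeOS feature: it keeps the same ping-based keepalive, records the last known reachability in a state file and writes one syslog line via logger only when that state changes, so a tunnel outage and its recovery show up in the router's log instead of passing silently. The remote host 10.100.2.10 is the post's example; the state file path and the 3-packet, 2-second probe are assumptions. It can be dropped into /config/scripts in place of ipsec_keepalive.sh and scheduled with the same task-scheduler task.

```bash
#!/bin/bash
# Added example (not from the original post): ping keepalive that logs
# tunnel state transitions to syslog instead of failing silently.

REMOTE_HOST="${REMOTE_HOST:-10.100.2.10}"                # host behind the Sophos side (post's example)
STATE_FILE="${STATE_FILE:-/tmp/ipsec_keepalive.state}"   # assumed location for the last known state

# Send a few echo requests; success means the tunnel is passing traffic.
probe() {
    /bin/ping -c 3 -W 2 "$1" > /dev/null 2>&1
}

# Compare current reachability with the recorded one and log transitions.
# Returns 0 when the remote host answered, 1 otherwise.
keepalive_once() {
    local host=$1 prev=unknown now
    [ -r "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    if probe "$host"; then now=up; else now=down; fi
    if [ "$now" != "$prev" ]; then
        # logger may be missing on a test box; never let that break the keepalive
        logger -t ipsec_keepalive "tunnel to $host changed: $prev -> $now" 2>/dev/null || true
        printf '%s\n' "$now" > "$STATE_FILE"
    fi
    [ "$now" = up ]
}

keepalive_once "$REMOTE_HOST"
```

Because only transitions are logged, a two-minute schedule produces no log noise while the tunnel is healthy; the up/down lines are the ones to alert on if the router's syslog is forwarded to a collector.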

Now the tunnel will stay up even when there is no real traffic coming from the Edgerouter side.

If you want to manage the Edgerouter over the newly created VPN tunnel, allow access to its local interface over IPsec with the following commands:

configure
set vpn ipsec allow-access-to-local-interface enable
commit;save

Remember to create the necessary firewall rules on both ends so that traffic can actually flow between the networks.

While you are at it, set your Edgerouter to filter out ads and malicious websites with dnsmasq using britannic's excellent package: https://community.ui.com/questions/DNS-Adblocking-and-Blacklisting-dnsmasq-Configuration-Integration-Package-v1-2-4-5/eb05f1b2-5316-4a80-8221-5e8b02575da4

Also do yourself a favor and point the DNS servers on the Edgerouter and the Sophos to Quad9's filtered resolvers to make your network a little safer: https://www.quad9.net/
