Sophos: Configure VO IPsec VPN

x360Recover Virtual Office IPSec VPN firewall configuration for Sophos

Written By Tami Sutcliffe (Super Administrator)

Updated at March 31st, 2023

A. Prepare Axcient Virtual Office for Sophos

See the Configure IPsec VPN site-to-site VPN Settings article for details on these preparatory steps.

Before you work with the Sophos firewall, first enable port forwarding and IPsec VPN within your Virtual Office.

Note: You may also perform these steps within a Runbook (to simplify testing and live cloud failover events).

  • First, open your Virtual Office.
  • Next, enable port forwarding.
  • Finally, configure IPsec VPN within your Virtual Office. 

Important: Once you have configured IPsec VPN, please make a note of (a) the randomly generated pre-shared SECRET KEY (password) which was generated for you, as well as (b) the LOCAL IPSEC ID address you configured to use for IPsec VPN.

You will need this information later in this process.
B. Configure Your Sophos firewall for IPsec VPN

2.0. Add the Local LAN object

2.1. Login to your firewall.

2.2. Go to System->Hosts and Services->IP Host and click Add to create the local LAN object.

2.3. Enter a friendly Name for the LAN object (e.g. HQ_LAN)

2.4. Set IP Version to IPv4

2.5. Set Type to Network

2.6. Set IP address to the Local LAN subnet address (e.g. 172.16.18.0)

2.7. Set Subnet to the Local LAN subnet mask (e.g. /24 255.255.255.0)

2.8. Click Save to continue.

3.0. Create Remote LAN object

3.1. Repeat the steps above to create the network object for the Virtual Office LAN network.  

3.2. For IP address and Subnet, use the Virtual Office Gateway network and subnet defined in your Virtual Office.  

For example, if you specified 172.16.2.254 for the gateway address with a subnet of 255.255.255.0, you would specify 172.16.2.0 with a subnet of ‘/24 255.255.255.0’.

4.0. Create an IPsec VPN connection policy

4.1. Go to Configure->VPN->IPsec policies and click Add

4.2. Enter a friendly Name for the object (For example: Axcient_VPN_Policy)

4.3. Set Key Exchange to IKEv2

4.4. Set Authentication Mode to Main Mode

4.5. Set Key Negotiation Retries to 0

4.6. Select Re-key Connection

4.6.1. Under Phase 1 set the following:

  • Set Key life to 3600
  • Set Re-key margin to 360
  • Set Randomize re-keying margin by to 100
  • Set DH Group to 14 (DH2048)
  • Set Encryption to AES
  • Set Authentication to SHA384


4.6.2. Under Phase 2 set the following:

  • Set PFS Group (DH Group) to same as phase-1
  • Set Key life to 3600
  • Set Encryption to AES
  • Set Authentication to either SHA256, SHA384, or SHA512
  • Set Dead Peer Detection to enabled
  • Set Check peer after every to 30 seconds
  • Set ‘Wait for response up to’ to 120 seconds
  • Set when peer unreachable to Re-initiate

4.7. Click Save to continue


5.0. Create IPsec Connection

5.1. Go to Configure->VPN->IPsec connections and click Add

5.2. Enter a friendly name for the connection, like ‘Axcient_Virtual_Office’

5.3. Set IP version to IPv4

5.4. Set Connection Type to site-to-site

5.5. Set Gateway type to initiate the connection

5.6. Check the box by Activate on save to select

5.7. Check the box by Create firewall rule to select

5.8. Under Encryption, set Policy to the policy you created above, i.e. ‘Axcient_VPN_Policy’

5.9. Set Authentication to Preshared Key

5.10. Enter the pre-shared key from your Virtual Office in both Preshared key fields.

6.0. Create gateway settings

6.1. Under Gateway Settings->Local Gateway

6.2. Set Listening Port to your WAN port, e.g. PortB

6.3. Set Local Subnet to your Local LAN object created above

6.4. Under Gateway Settings->Remote Gateway

  • Set Gateway Address to the Virtual Office Public IP address (LOCAL IPSEC ID)
  • Set Remote Subnet to the Virtual Office LAN network created above
  • Under Advanced set User authentication mode to None

6.5. Click Save to continue.

The IPsec connection is automatically activated and an automatic firewall rule is also created.
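Two of the values above are easy to get wrong by hand: the Remote LAN object in step 3.2 (the network address derived from the Virtual Office gateway and mask) and the Phase 1 re-key numbers in step 4.6.1. The following helper is an added example, not Axcient or Sophos code; the host and gateway values are the ones used in this article, and the re-key calculation assumes strongSwan-style semantics (re-key margin plus a random fuzz percentage), which is an assumption about how the Sophos fields are applied.

```python
import ipaddress

# Phase 1 values from step 4.6.1 (seconds and percent)
KEY_LIFE = 3600
REKEY_MARGIN = 360
REKEY_FUZZ_PCT = 100


def sophos_subnet(mask: str) -> str:
    """Render a dotted mask the way the Sophos IP Host form shows it, e.g. '/24 255.255.255.0'."""
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return f"/{prefix} {mask}"


def lan_object(name: str, address: str, mask: str) -> dict:
    """Derive the IP Host network object from any address in the LAN plus its mask.
    Example from step 3.2: 172.16.2.254 + 255.255.255.0 -> 172.16.2.0, '/24 255.255.255.0'."""
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    return {"name": name, "ip_address": str(net.network_address),
            "subnet": sophos_subnet(mask), "network": net}


def check_no_overlap(local: dict, remote: dict) -> bool:
    """Site-to-site IPsec needs disjoint subnets: if the HQ LAN and the Virtual Office
    LAN overlap, traffic is routed locally and never enters the tunnel."""
    return not local["network"].overlaps(remote["network"])


def rekey_window(key_life=KEY_LIFE, margin=REKEY_MARGIN, fuzz_pct=REKEY_FUZZ_PCT):
    """Assumed strongSwan semantics: re-keying starts between `margin` and
    `margin * (1 + fuzz/100)` seconds before the SA expires.  Returns the
    (earliest, latest) re-key time in seconds after the SA came up."""
    latest_margin = margin * (100 + fuzz_pct) // 100
    return key_life - latest_margin, key_life - margin


if __name__ == "__main__":
    hq = lan_object("HQ_LAN", "172.16.18.0", "255.255.255.0")        # step 2.6 / 2.7
    vo = lan_object("VO_LAN", "172.16.2.254", "255.255.255.0")       # step 3.2
    for obj in (hq, vo):
        print(f"{obj['name']}: IP address {obj['ip_address']}, Subnet {obj['subnet']}")
    print("subnets disjoint:", check_no_overlap(hq, vo))
    print("Phase 1 re-key occurs between %d s and %d s after SA setup" % rekey_window())
```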


C. Verify your connection

To test your connection, open a Windows CMD shell and ‘ping’ the Virtual Office gateway address.

SUPPORT | 720-204-4500 | 800-352-0248