How to connect GNU/Linux IPSec VPN Client (NetworkManager) to Sophos XG Firewall
+--------------------------
| Solution Finding
Sophos XG Firewall IPSec <-> NetworkManager/libreswan = not working (modecfg IP request timeout)
Sophos XG Firewall Cisco VPN Client <-> NetworkManager/vpnc = not working (not compatible - Group ID/IPSec ID)
Sophos XG Firewall Cisco VPN Client <-> NetworkManager/libreswan = working!
+--------------------------
| Sophos XG Firewall
CONFIGURE -> VPN -> Cisco VPN Client:
1. General Settings
Cisco VPN Client: Enable
Interface: select WAN Port
Authentication Type: Preshared Key
Preshared Key: **************************
Local ID: no selection
Remote ID: no selection
Allowed User: select user(s), e.g. vpnusr
- to add user(s) see: Configure->Authentication->Users
2. Client Information
Name: CiscoVPN (or any other)
Assign IP from: x.y.z.a1 - x.y.z.a2 (insert desired range)
DNS Server 1: IP address of the first DNS Server
DNS Server 2: IP address of the second DNS Server
3. press Apply
+--------------------------
| Network Manager / libreswan
1. install libreswan plugin for NetworkManager (dnf, yum, apt,...)
NetworkManager-libreswan-gnome
NetworkManager-libreswan
libreswan
2. start and enable the libreswan service
systemctl start ipsec
systemctl enable ipsec
systemctl restart NetworkManager
3. Network -> AddVPN (+)
Choose a VPN Connection Type: IPSec based VPN
4. Editing VPN Connection:
Connection Name: SophosVPN (or another one...)
VPN tab -> Identity:
Gateway: IP/hostname of Sophos XG WAN Port
User name: vpnusr
User password (Saved): ...user_password...
Group name: blank
Group password: ...pre_shared_key...
VPN tab -> IPv4 and IPv6:
...set the required settings
Note: the switch "Use this connection only for resources in its network" does not work
(regardless of the switch state, this option is always off)
+--------------------------
| VPN Test
Verify that packets are being sent via the VPN tunnel (replace "interface" with the name of the interface facing the Sophos WAN port):
tcpdump -n -i interface esp or udp port 500 or udp port 4500
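Added example (not part of the original note): a small POSIX shell helper that classifies the output of the tcpdump command above and tells you whether only IKE negotiation (udp 500/4500, isakmp) was seen or whether ESP is actually flowing in both directions. The capture lines, the client address 192.0.2.10 and the gateway 203.0.113.5 are constructed samples in tcpdump -n format.

```shell
#!/bin/sh
# Added example, not the note's own code. Classifies a tcpdump -n capture of
# "esp or udp port 500 or udp port 4500" and decides whether the tunnel is up.
# SAMPLE_CAPTURE is a CONSTRUCTED capture using documentation addresses.
SAMPLE_CAPTURE='12:00:00.100000 IP 192.0.2.10.500 > 203.0.113.5.500: isakmp: phase 1 I agg
12:00:00.200000 IP 203.0.113.5.500 > 192.0.2.10.500: isakmp: phase 1 R agg
12:00:01.000000 IP 192.0.2.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:02.000000 IP 192.0.2.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0000a1b2,seq=0x1), length 132
12:00:02.100000 IP 203.0.113.5.4500 > 192.0.2.10.4500: UDP-encap: ESP(spi=0x0000c3d4,seq=0x1), length 116'

# classify_capture CAPTURE LOCAL_IP
# Prints "ike=<n> esp_out=<n> esp_in=<n>": IKE packets (isakmp on 500 or
# NAT-T 4500) and ESP packets (native or UDP-encapsulated) by direction.
classify_capture() {
    printf '%s\n' "$1" | awk -v me="$2" '
        /isakmp/ { ike++ }
        /ESP\(spi=/ {
            # field 3 is the source, either "a.b.c.d" or "a.b.c.d.port"
            split($3, p, ".")
            src = p[1] "." p[2] "." p[3] "." p[4]
            if (src == me) out++; else in_++
        }
        END { printf "ike=%d esp_out=%d esp_in=%d\n", ike, out, in_ }'
}

# tunnel_state CAPTURE LOCAL_IP
# Exit 0: ESP seen in both directions (tunnel carries traffic).
# Exit 1: IKE only, no ESP (negotiation without a tunnel, like the
#         modecfg timeout noted under Solution Finding).
# Exit 2: no VPN traffic at all (wrong interface, or client not connected).
tunnel_state() {
    summary=$(classify_capture "$1" "$2")
    ike=${summary#ike=};       ike=${ike%% *}
    esp_out=${summary#*esp_out=}; esp_out=${esp_out%% *}
    esp_in=${summary#*esp_in=}
    if [ "$esp_out" -gt 0 ] && [ "$esp_in" -gt 0 ]; then
        echo "tunnel up: $summary"; return 0
    fi
    if [ "$ike" -gt 0 ]; then
        echo "IKE only, no ESP: $summary"; return 1
    fi
    echo "no VPN traffic seen: $summary"; return 2
}
```

In practice pipe a live capture into it, e.g. `tunnel_state "$(timeout 10 tcpdump -n -l -i interface esp or udp port 500 or udp port 4500 2>/dev/null)" <client-ip>`, while pinging a host behind the Sophos.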