Sophos UTM and Cisco IOS IPsec VPN


Today I’ll discuss doing a simple IPsec site-to-site VPN tunnel between a Sophos UTM and an IOS based Cisco 7200VXR series router. This example will be using Sophos UTM 9.3 and Cisco IOS 15 with the adventerprisek9 image.

Here’s the related running configuration of the Cisco router’s VPN settings:

access-list 101 permit ip
crypto isakmp policy 5
   encr aes 256
   hash sha512
   authentication pre-share
   group 5
   lifetime 28800
crypto isakmp key mysecretkey address
crypto ipsec transform-set SophosUTM esp-aes 256 esp-sha512-hmac
crypto map SophosUTM 5 ipsec-isakmp
   set peer
   set transform-set SophosUTM
   set pfs group5
   match address 101
interface FastEthernet0/0
   crypto map SophosUTM

The above reflects the Cisco’s local network as and the remote network as . Phase I/II encryption is set to AES 256 with SHA512 hashing, using a pre-shared key. The IKE DH group is set to 5, and PFS is also enabled with DH group 5. The IKE SA lifetime has been set to 28800 seconds and the IPsec SA lifetime to 3600 seconds. The Sophos UTM and Cisco router are both on the network, with FastEthernet0/0 having the IP. Now let’s configure the Sophos UTM side of the tunnel.
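Matching the two sides by eye is where these tunnels usually go wrong, so here is an added helper (not from the post, not Cisco or Sophos code) that parses the IOS crypto configuration above into the fields a Sophos UTM IPsec policy asks for, and flags settings a reviewer would want raised. The sample configuration is constructed from the post's, with RFC 5737 documentation addresses standing in for the real ones; the default values for omitted isakmp policy lines and the 3600-second IPsec SA default are IOS behaviour, and the "below current guidance" label for DH groups 1, 2 and 5 follows Cisco's own next-generation encryption guidance.

```python
# Constructed sample modelled on the router configuration in the post. The
# addresses are RFC 5737 documentation placeholders, not the post's real ones.
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
crypto isakmp policy 5
 encr aes 256
 hash sha512
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key mysecretkey address 203.0.113.2
crypto ipsec transform-set SophosUTM esp-aes 256 esp-sha512-hmac
crypto map SophosUTM 5 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SophosUTM
 set pfs group5
 match address 101
interface FastEthernet0/0
 crypto map SophosUTM
"""

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}   # IOS "sha" is SHA-1
WEAK_DH = {"1", "2", "5"}    # 768/1024/1536-bit MODP, below current guidance
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}   # used when a line is omitted

def parse_ios_vpn_config(text):
    """Return (isakmp policies by priority, transform sets by name, crypto maps by 'name seq')."""
    policies, transform_sets, crypto_maps = {}, {}, {}
    current = None                      # (kind, key) of the section indented lines belong to
    for raw in text.splitlines():
        if not raw.strip():
            continue
        tokens = raw.split()
        if raw[0] not in " \t":         # top-level command: starts a new section
            current = None
            if tokens[:3] == ["crypto", "isakmp", "policy"]:
                current = ("policy", int(tokens[3]))
                policies[current[1]] = dict(IOS_POLICY_DEFAULTS)
            elif tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                transform_sets[tokens[3]] = tokens[4:]
            elif tokens[:2] == ["crypto", "map"] and "ipsec-isakmp" in tokens:
                current = ("map", f"{tokens[2]} {tokens[3]}")
                crypto_maps[current[1]] = {}
        elif current and current[0] == "policy":
            policies[current[1]][tokens[0]] = " ".join(tokens[1:])   # e.g. encr: "aes 256"
        elif current and current[0] == "map" and tokens[0] in ("set", "match"):
            # "set pfs group5" -> pfs: "group5"; "match address 101" -> match: "address 101"
            body = tokens[1:] if tokens[0] == "set" else ["match"] + tokens[1:]
            crypto_maps[current[1]][body[0]] = " ".join(body[1:])
    return policies, transform_sets, crypto_maps

def split_transforms(transforms):
    """['esp-aes', '256', 'esp-sha512-hmac'] -> ('aes 256', 'sha512')."""
    enc, auth = "", ""
    for t in transforms:
        if t.startswith("esp-") and t.endswith("-hmac"):
            auth = t[4:-5]
        elif t.startswith("esp-"):
            enc = t[4:]
        elif t.isdigit():
            enc += " " + t
    return enc, auth

def sophos_policy_view(policies, transform_sets, crypto_maps):
    """Lay the Cisco settings out as the fields of a Sophos UTM IPsec policy."""
    pol = policies[min(policies)]                 # lowest-numbered policy is offered first
    cmap = next(iter(crypto_maps.values()))
    enc, auth = split_transforms(transform_sets[cmap["transform-set"]])
    sa = cmap.get("security-association", "")     # "lifetime seconds N" when set explicitly
    return {
        "IKE encryption": pol["encr"], "IKE authentication": pol["hash"],
        "IKE DH group": pol["group"], "IKE SA lifetime": int(pol["lifetime"]),
        "IPsec encryption": enc, "IPsec authentication": auth,
        "IPsec PFS group": cmap.get("pfs", "none").replace("group", ""),
        "IPsec SA lifetime": int(sa.split()[-1]) if sa.startswith("lifetime seconds") else 3600,
    }

def audit(policies, transform_sets, crypto_maps):
    """Flag settings a reviewer would want changed before trusting the tunnel."""
    findings = []
    for pri, pol in sorted(policies.items()):
        if pol["encr"].split()[0] in WEAK_ENCR or pol["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {pri}: weak {pol['encr']}/{pol['hash']}")
        if pol["group"] in WEAK_DH:
            findings.append(f"isakmp policy {pri}: DH group {pol['group']} below current guidance")
    for name, transforms in transform_sets.items():
        enc, auth = split_transforms(transforms)
        if enc.split(" ")[0] in WEAK_ENCR or auth in WEAK_HASH:
            findings.append(f"transform-set {name}: weak {enc}/{auth}")
    for key, cmap in crypto_maps.items():
        if cmap.get("transform-set") not in transform_sets:
            findings.append(f"crypto map {key}: transform-set not defined")
        pfs = cmap.get("pfs", "").replace("group", "")
        if not pfs:
            findings.append(f"crypto map {key}: PFS not enabled")
        elif pfs in WEAK_DH:
            findings.append(f"crypto map {key}: PFS DH group {pfs} below current guidance")
    return findings
```

Run `sophos_policy_view(*parse_ios_vpn_config(SAMPLE_CONFIG))` and the dictionary reads straight across to the Sophos policy form in Step 1; `audit(...)` on the same input reports only the two DH group 5 entries, which is the one thing in this otherwise sound configuration worth revisiting.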

Step 1 – Create your policy


This part is pretty straightforward. Simply select all of the same options for your Phase I/II settings as the Cisco configuration, and give your policy a relevant name.

Step 2 – Remote Gateway


Create a new remote gateway with a descriptive name. Since our Cisco router’s IP isn’t subject to change, we can keep the type as “Initiate connection” instead of using “Respond only.” Enter the IP address of the remote gateway as a network object and enter your pre-shared key. You’ll also need to create a network object defining as the remote network.

Step 3 – Create the connection


Seen above, select the remote gateway and policy you created in the earlier steps. The IP address for this example is attached to the “Internal” interface on our Sophos UTM. In most cases you’d be using your external interface for VPN tunnels. If you don’t already have a network object created for your local network you’ll need to also add that.

Does it work?


Everything seems to check out on the Sophos UTM side. Now let’s verify on the Cisco side.

C7200VXR# sh crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: port 500
IKEv1 SA: local remote Active
IPSEC FLOW: permit ip
Active SAs: 2, origin: crypto map

You can also run sh crypto ipsec sa for much more detailed information.
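Checking the tunnel once by hand is fine, but the same output is what you would poll to notice it dropping. Here is an added parser (not from the post or from Cisco) for the `show crypto session` layout shown above that turns each peer into a record and answers whether a given peer's tunnel is actually passing traffic, meaning UP-ACTIVE with both the inbound and outbound SA present on every flow. The sample output is constructed with RFC 5737 addresses; the second, DOWN session is invented to show the failure case.

```python
import re

# Constructed sample of 'show crypto session' output in the layout the post shows.
# Addresses are RFC 5737 placeholders; the second session is invented to show a down tunnel.
SAMPLE_OUTPUT = """\
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.2 port 500
  IKEv1 SA: local 203.0.113.1/500 remote 203.0.113.2/500 Active
  IPSEC FLOW: permit ip 192.0.2.0/255.255.255.0 198.51.100.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Session status: DOWN
Peer: 203.0.113.9 port 500
  IPSEC FLOW: permit ip 192.0.2.0/255.255.255.0 203.0.113.128/255.255.255.192
        Active SAs: 0, origin: crypto map
"""

def parse_crypto_session(text):
    """Split 'show crypto session' output into one dict per peer session."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            sessions.append({"interface": line.split(":", 1)[1].strip(),
                             "status": None, "peer": None, "ike_sa": None, "flows": []})
        elif not sessions:
            continue                                   # banner before the first session
        elif line.startswith("Session status:"):
            sessions[-1]["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            sessions[-1]["peer"] = line.split()[1]
        elif re.match(r"IKE(v[12])? SA:", line):
            sessions[-1]["ike_sa"] = line.split()[-1]  # e.g. "Active"
        elif line.startswith("IPSEC FLOW:"):
            sessions[-1]["flows"].append({"selector": line.split(":", 1)[1].strip(),
                                          "active_sas": 0})
        elif line.startswith("Active SAs:") and sessions[-1]["flows"]:
            sessions[-1]["flows"][-1]["active_sas"] = int(re.search(r"\d+", line).group())
    return sessions

def tunnel_is_up(sessions, peer):
    """True when the peer's session is UP-ACTIVE and every flow has its inbound and outbound SA."""
    for s in sessions:
        if s["peer"] == peer:
            return (s["status"] == "UP-ACTIVE" and bool(s["flows"])
                    and all(f["active_sas"] >= 2 for f in s["flows"]))
    return False                                       # peer not present at all
```

Feed it the text of `show crypto session` collected over SSH or from a log and alert when `tunnel_is_up` turns false for the Sophos peer; a session that shows UP-ACTIVE but fewer than two active SAs on a flow is caught too, which is the half-established state a plain status check misses.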

