Cisco Router IPSec VPN with Dynamic IP address

Last month, I worked on an IPSec VPN site-to-site connection project between the Sophos XG firewall and Cisco routers that connect more than 50 branches. Where both ends have a dynamic public IP address. I am not willing to share the configuration of the Sophos XG router or firewall, but I am willing to share a dynamic IP address solution for the IP address.

Technical Details:  Sophos XG is installed in the client's central office with a dynamic public IP address (which will resolve to FQDN) and also the Cisco router installed with a dynamic public IP address in branches. We plan to redirect all traffic in the central office for the intranet and internet for the implementation of security policies.

Issue: Both Headoffice and remote sites have a dynamic public IP address, so routers could not connect VPN after changing the IP address in Sophos XG (Headoffice). We use a DynDNS in the central office only due to budget constraints and simplify the administrative process.

Root cause: Cisco has a predefined method to resolve DDNS only once during configuration. If you set up IPSec VPN with an FQDN as the "set target peer" command but the show run command shows the IP address instead of the name. This is because the resolution occurs only once:


How we solved the problem: there is a simple method to solve this problem since your router must resolve the FQDN from time to time, so we plan to use the EEM scripts. Here, the client also added some additional requirements, as it must obtain the IP address of the interface when connecting or disconnecting the VPN services of each Cisco router.

Then, we had chosen an additional and fast method to detect inactive VPN and erase peer SAs and update the FQDN at a specific interval. We use the EEM and IP SLA script for the same as:

ip sla 2

icmp-echo 10.100.1.90 source-ip 10.100.119.90    

threshold 300

timeout 600

frequency 2

ip sla schedule 2 life forever start-time now

!

track 2 ip sla 2 reachability

!

Here, 10.100.1.90 is the IP address of the central office and 10.100.119.90 is the IP address of the LAN interface of the branch office router.

 

event manager environment _email_to notify@xyz.net

event manager environment _email_from notify@xyz.net

event manager environment _email_server mail.xyz.net

!

event manager applet IPSec_Down

event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"

action 1.0 cli command "enable"

action 1.5 cli command "clear crypto isakmp"

action 1.6 cli command "clear crypto sa"

action 2.0 cli command "config t"

action 2.5 cli command "crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp "

action 2.9 cli command "set peer sophos.xyz.co"

action 3.0 cli command "end"

action 4.5 syslog priority notifications msg "VPN failed at Brach1"

!

Here, you can see that we are detecting the status of the track and once it detects that it is inactive, the router will execute some commands to clear the existing Phase 1 and 2 tunnels and add a new DYDNS name under the crypto map. It will help us deactivate the VPN immediately after the IP SLA fails without the wait for a timeout.

 

event manager applet NEW_DNS_Update

event timer watchdog time 120

action 1.0 cli command "enable"

action 1.5 cli command "config t"

action 2.0 cli command "crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp "

action 2.5 cli command "set peer sophos.xyz.co"

action 3.0 cli command "end"

action 4.5 syslog priority notifications msg "DNS_Updated_IPSEC"

!

Here, we are updating the FQDN every 120 seconds so that the router has updated the DYDNS resolution.

 

event manager applet IP_Change_Down

event syslog pattern "%TRACK-6-STATE: 2 ip sla 2 reachability Up -> Down"

action 1.0 cli command "enable"

action 3.6 cli command "sho ip interface brief | exclude unassigned"

action 4.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN & IP address failed at Brach1" body "$_cli_result"

action 4.5 syslog priority notifications msg "VPN down & IP at Branch1 mail sent"

!

Somehow, if the VPN goes down, the client will receive the public IP address of the router. If necessary, you can access the router using the public IP address (do not worry, we have taken some additional steps for SSH security).

 

event manager applet IP_Change_up

event syslog pattern " %TRACK-6-STATE: 2 ip sla 2 reachability Down -> Up"

action 1.0 cli command "enable"

action 3.6 cli command "sho ip interface brief | exclude unassigned"

action 4.0 mail server "$_email_server" to "$_email_to" from "$_email_from" subject "$_event_pub_time: VPN up & IP address at Branch1" body "$_cli_result"

action 4.5 syslog priority notifications msg "VPN up & IP Branch1 mail sent"

!

Once the VPN will restore then the client will also receive the router's public IP address.

 

Sophos XG VPN issue with FortiGate and Sophos SG Devices

Last week, my customer has raised a case with us. He is using a site to site IPSec VPN between Sophos XG and Sophos SG devices. The tunnel was not getting up. After verifying logs on the XG device, we found the root cause as Local and Remote ID mismatch. But How? Because we can't change Local ID on the SG devices so there was no Remote ID was assigned on the XG firewall.

I remember that same issue I faced between FortiGate and Sophos XG devices.

Let's come on the issue, finding and resolution.

Case 1: IPSec VPN between SG and XG firewall.
Finding/Root Cause: As XG firewall was showing Remote ID mismatch error so I started investigating the issue was found as SG firewall was sending Its LOCAL ID as It's WAN IP address but As Sophos XG firewall was having remote gateway as DYDNS address so XG was looking remote ID as the same DYDNS address.

Sophos SG Configuration: 
Remote Gateway: DYDNS address of the XG firewall.
Local & Remote ID: not enabled.

Sophos XG Configuration:
Remote Gateway: DYDNS address of the SG Firewall
Local & Remote ID: not enabled.

Here Point to be noted we had not enabled the Remote ID/Local ID on the XG and SG firewall. But still, Sophos XG firewall was looking to match remote ID.

I found some tricky solution as If I will assign Remote ID 0.0.0.0 on the XG firewall then tunnel getting UP. I had discussed with the Sophos tech team about remote ID 0.0.0.0 and meaning of it. He told me that avoids assigning 0.0.0.0 as remote ID it means you are going to accept any remote ID for this tunnel means you really don't care about the Remote ID (remote device local ID).

I checked on the SG firewall, gone through the configuration guide and found that we can't change LOCAL IPSec VPN ID on the SG firewall and it was the default behavior of the box.

Issue Resolved: As Customer has configured XG firewall in respond mode, So there is no such requirement to configure remote Gateway so I changed to the any. We also disabled the remote ID on the XG firewall. Due to the respect of the customer security concern, I enabled Local ID on the XG firewall and Remote ID was also enabled on the SG firewall. Wow VPN getting UP.

Case 2: IPSec VPN between Fortigate and XG firewall
Finding/Root Cause: Here, The Fortigate was having a dynamic WAN IP address but Sophos was configured with Static public IP address. So the Customer configured a DYDNS on the Fortigate and was trying to establish IPSec VPN between both devices.

Fortigate Configuration: 
Remote Gateway: Public IP of the XG firewall.
Local & Remote ID: not enabled.

Sophos XG Configuration:
Remote Gateway: DYDNS address of the Fortigate Address
Local & Remote ID: not enabled.

Here Point to be noted we had not enabled the Remote ID/Local ID on the XG and FortiGate firewall. But still, Sophos XG firewall was looking to match remote ID with DYDNS address of the FortiGate firewall. But FortiGate was sending Local ID as WAN Interface IP address.

Issue Resolved: I had login in the Fortigate device and changed Local ID as it's DYDNS address in the VPN configuration portal.  Wow... The issue was resolved.

Here I have a concern about Sophos XG/Strongswan VPN architecture that If you had disabled the Remote ID then why it is still looking remote ID must be matched if you had configured Remote gateway as DYDNS address of the remote device?
Maybe it is part of the security but not sure. There are no such clear documents on the Sophos website for the same.

Let's move forward and resolve the issue while I will try to get an answer from the Sophos team.

Are you planning for CCNP before February 23, 2020?

As we all are aware of recent changes in the Cisco certifications. This is a big change in the Cisco Education/Learning module from the last few years. If you are looking CCNP certification before this changes then you are not an alone person in the queue, I am also in the same queue. Recently I cleared CCNP Switch 300-115 certificate in the first attempt. Now I am busy in next certificate as CCNP Route 300-101 and I found the best place (www.ucertify.com) where everything is a well-organized, study planner, simple and easy language, Quizzes and flashcards on each topic at end of each lesson. Really I like its Exercises option and it is best for the exam preparation and interviews.

As you are studying CCNP so you need topics with a technical deep dive for a future interview, planning, and troubleshooting of a network. This is a negative point for this course but this course is designed for CCNP route exam so it is ok. Overall I am very happy with the course. I hope you will also enjoy this course and it is here: https://www.ucertify.com/exams/ccnp-route-300-101.html

I feel that adding certifications in your resume will open more opportunity and good salary hike. Here, I do not ignore experience and knowledge of technology but certification is an addon. As www.ucertify.com is simplifying things for exam and interview preparation. Best of luck for your certification and career.

How Sophos XG firewall handling IPSec VPN Pre-shared Keys

I am wondering that How to Sophos XG firewall is handling Preshared key for IPSec VPN.  I configured more than 100 XG firewalls and VPN but never minded. Today I am going to implement 49 VPNs (Site to Site) on XG 210 on 17.5 GA version.




It is handling based on Local and Remote gateway address.
 
 For easy undersatding, You have configured two VPN with Local gateway is your WAN interface and Remote gateway will be * (any) for both connections. In this condition your Pre-Shared key must be same on both VPN connection configuration. There is no matter that your LOCAL ID, Remote ID, Local Subnet, Remote Subnet etc are different. If you will chenge a preshared key on one VPN tunnel configuration then it will autometically update on both VPN tunnel interfaces. 

I think, Sophos must be think about this process. It will making more difficulty then XG firewall in only "Responder".