ipsec vpn for intranet

Hi Kaeyana,

An intranet is a network where organization can communicate/connect. It’s still susceptible to external threats.

While IPsec VPN is an encrypted connection. Where traffic that passes through the traffic can't be inspected.

If you want your file to be more secure while transferring, I would suggest building an IPsec VPN and restricting the communication only to the allowed person/network.

This will ensure your file is encrypted while transferring and will only be received the designated recipient(s).

one more question i did try the IPSec VPN but it's showing the following error when the network is already reachable. What could i possibly do in this case. Do i also need to make the sophos reachable in the mikrotik.

Hi Kaeyana,

IPsec VPN needs to be configured from both sites.

Kindly see below for reference

Techvids: https://soph.so/moKL3t

yes i have configured it from both sides the device on one side is sophos and other is mikrotik and sophos is configured as repond only and mikrotik as initiate but still its showing the above error

Hi Kaeyana,

Can you check your gateway configuration? 

Also, is your Remote Gateway set to a private IP? You need to configure it as the Public IP of the other side and vice versa

The remote id is set to * so that i don't need to add the ip address

Hi Kaeyana,

Kindly specify the Public IP of  the Remote Gateway and not as a wildcard 

For reference:

Sophos XG IPsec Configuration (Responder Only)

Local Gateway - WAN Interface

Remote Gateway - Remote End device Public IP address

Remote End device IPsec Configuration  (Initiate the tunnel)

Local Gateway - WAN Interface

Remote Gateway -  Remote End device Public IP address

For more reference kindly check the following

KB: https://soph.so/Tjc9qA

Techvids: https://soph.so/moKL3t

The end device has the dynamic ip so can't specify one so can i just use the intranet static ip since the intranet is connected anyway to the router from sophos

Hi Kaeyana,

I see. Thank you for the information. 

• Kindly make sure that configuration settings and IPSEC policy configured is proper and no mismatch in authentication and encryption parameters at both ends.

• Check logs for both site
• If possible can you share the log details in /log/strongswan.log.
• Check DNAT rule that includes services (udp 500/4500 Proto 50)