<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>How to configure IPsec VPN site-to-site failover between Sophos XGS and Sophos UTM (SG) Firewall &#8211; Thegioifirewall</title>
	<atom:link href="https://thegioifirewall.com/tag/huong-dan-cau-hinh-ipsec-vpn-site-to-site-failover-giua-sophos-xgs-va-sophos-utm-sg-firewall/feed/" rel="self" type="application/rss+xml" />
	<link>https://thegioifirewall.com</link>
	<description>Firewalls to protect businesses, an information hub and pricing</description>
	<lastBuildDate>Mon, 28 Feb 2022 08:21:32 +0000</lastBuildDate>
	<language>vi</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://thegioifirewall.com/wp-content/uploads/vacif_icon-150x150.png</url>
	<title>How to configure IPsec VPN site-to-site failover between Sophos XGS and Sophos UTM (SG) Firewall &#8211; Thegioifirewall</title>
	<link>https://thegioifirewall.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How to configure IPsec VPN site-to-site failover between Sophos XGS and Sophos UTM (SG) Firewall</title>
		<link>https://thegioifirewall.com/huong-dan-cau-hinh-ipsec-vpn-site-to-site-failover-giua-sophos-xgs-va-sophos-utm-sg-firewall/</link>
					<comments>https://thegioifirewall.com/huong-dan-cau-hinh-ipsec-vpn-site-to-site-failover-giua-sophos-xgs-va-sophos-utm-sg-firewall/#respond</comments>
		
		<dc:creator><![CDATA[TrungNghia]]></dc:creator>
		<pubDate>Mon, 28 Feb 2022 08:08:00 +0000</pubDate>
				<category><![CDATA[Sophos XG Firewall configuration guides]]></category>
		<category><![CDATA[How to configure IPsec VPN site-to-site failover between Sophos XGS and Sophos UTM (SG) Firewall]]></category>
		<guid isPermaLink="false">https://www.thegioifirewall.com/?p=14034</guid>

					<description><![CDATA[1. Purpose of this article This article describes the steps to configure multiple IPsec VPN connections for redundancy. If the primary VPN link goes down, the backup Internet VPN link takes over. 2. Network diagram Network diagram details: Sophos XGS Firewall [&#8230;]]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading"><strong>1. Purpose of this article</strong></h2>



<p class="wp-block-paragraph">This article describes the steps to configure multiple IPsec VPN connections for redundancy. If the primary VPN link goes down, the backup Internet VPN link takes over.</p>



<h2 class="wp-block-heading"><strong>2. Network diagram</strong></h2>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="544" src="https://thegioifirewall.com/wp-content/uploads/Drawing1-22-1024x544.png" alt="" class="wp-image-14035" srcset="https://thegioifirewall.com/wp-content/uploads/Drawing1-22-1024x544.png 1024w, https://thegioifirewall.com/wp-content/uploads/Drawing1-22-300x160.png 300w, https://thegioifirewall.com/wp-content/uploads/Drawing1-22-768x408.png 768w, https://thegioifirewall.com/wp-content/uploads/Drawing1-22-1536x817.png 1536w, https://thegioifirewall.com/wp-content/uploads/Drawing1-22.png 1563w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph"><strong>Network diagram details:</strong></p>



<p class="wp-block-paragraph"><strong>Sophos XGS Firewall</strong></p>



<ul class="wp-block-list"><li>The device has two Internet links: ISP 1 with IP 172.16.16.99 configured on Port 2, and ISP 2 with IP 172.16.16.185 configured on Port 3.</li><li>The LAN is configured on Port 1 with IP 10.145.41.1/24, and DHCP is configured to hand out addresses to connected devices.</li></ul>



<p class="wp-block-paragraph"><strong>Sophos UTM (SG) Firewall</strong></p>



<ul class="wp-block-list"><li>The device has one Internet link with IP 172.16.16.186 configured on interface eth1.</li><li>The LAN is configured on interface eth0 with IP 192.168.2.100/24, and DHCP is configured to hand out addresses to connected devices.</li></ul>



<h2 class="wp-block-heading"><strong>3. Configuration scenario</strong></h2>



<p class="wp-block-paragraph">We will configure two IPsec site-to-site VPN connections from the Sophos XGS Firewall to the Sophos UTM (SG) Firewall, one over ISP 1 and one over ISP 2.</p>



<p class="wp-block-paragraph">We will then configure IPsec failover so that when the IPsec VPN connection over ISP 1 fails, the IPsec VPN connection over ISP 2 takes over.</p>



<h2 class="wp-block-heading"><strong>4. Configuration steps</strong></h2>



<p class="wp-block-paragraph"><strong>Configuration on the Sophos UTM (SG) Firewall:</strong></p>



<ul class="wp-block-list"><li>Create profiles.</li><li>Create IPsec policies.</li><li>Configure the Remote Gateway for ISP 1.</li><li>Configure the Remote Gateway for ISP 2.</li><li>Configure the IPsec connection to ISP 1.</li><li>Configure the IPsec connection to ISP 2.</li><li>Add two firewall rules allowing VPN traffic.</li></ul>



<p class="wp-block-paragraph"><strong>Configuration on the Sophos XGS Firewall:</strong></p>



<ul class="wp-block-list"><li>Create profiles for the local and remote LAN subnets.</li><li>Create IPsec policies.</li><li>Create the IPsec VPN connection over ISP 1.</li><li>Create the IPsec VPN connection over ISP 2.</li><li>Configure failover for the IPsec VPN connections.</li><li>Add two firewall rules allowing VPN traffic.</li><li>Enable the HTTPS and PING services for the VPN zone.</li></ul>



<p class="wp-block-paragraph"><strong>Verify the result.</strong></p>



<h2 class="wp-block-heading"><strong>5. Configuration guide</strong></h2>



<h3 class="wp-block-heading"><strong>5.1. Branch office: configuration on the Sophos UTM (SG) Firewall</strong></h3>



<h4 class="wp-block-heading"><strong>5.1.1. Create profiles</strong></h4>



<p class="wp-block-paragraph">We need to create four profiles: two for the LAN subnets at the head office and branch office sites, and two for the ISP 1 and ISP 2 WAN IPs of the Sophos XGS Firewall.</p>



<p class="wp-block-paragraph">To create them, go to <strong>Definitions &amp; Users &gt; Network Definitions &gt; +New Network Definition</strong>.</p>



<p class="wp-block-paragraph">Create the profile for the 10.145.41.0/24 subnet with the following details:</p>



<ul class="wp-block-list"><li>Name: Remote</li><li>Type: Network</li><li>IPv4 address: 10.145.41.0</li><li>Netmask: /24 (255.255.255.0)</li><li>Comment: Sophos XGS Firewall Subnet</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img decoding="async" width="580" height="480" src="https://thegioifirewall.com/wp-content/uploads/13-40.png" alt="" class="wp-image-13995" srcset="https://thegioifirewall.com/wp-content/uploads/13-40.png 580w, https://thegioifirewall.com/wp-content/uploads/13-40-300x248.png 300w" sizes="(max-width: 580px) 100vw, 580px" /></figure>



<p class="wp-block-paragraph">Similarly, create the profile for the 192.168.2.0/24 subnet with the following details:</p>



<ul class="wp-block-list"><li>Name: Local</li><li>Type: Network</li><li>IPv4 address: 192.168.2.0</li><li>Netmask: /24 (255.255.255.0)</li><li>Comment: Sophos UTM Firewall Subnet</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img decoding="async" width="579" height="475" src="https://thegioifirewall.com/wp-content/uploads/14-38.png" alt="" class="wp-image-13996" srcset="https://thegioifirewall.com/wp-content/uploads/14-38.png 579w, https://thegioifirewall.com/wp-content/uploads/14-38-300x246.png 300w" sizes="(max-width: 579px) 100vw, 579px" /></figure>



<p class="wp-block-paragraph">Similarly, create the profile for the ISP 1 WAN IP of the Sophos XGS with the following details:</p>



<ul class="wp-block-list"><li>Name: Sophos XGS ISP 1</li><li>Type: Host</li><li>IPv4 address: 172.16.16.99</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="575" height="596" src="https://thegioifirewall.com/wp-content/uploads/8-55.png" alt="" class="wp-image-14036" srcset="https://thegioifirewall.com/wp-content/uploads/8-55.png 575w, https://thegioifirewall.com/wp-content/uploads/8-55-289x300.png 289w" sizes="auto, (max-width: 575px) 100vw, 575px" /></figure>



<p class="wp-block-paragraph">Similarly, create the profile for the ISP 2 WAN IP of the Sophos XGS with the following details:</p>



<ul class="wp-block-list"><li>Name: Sophos XGS ISP 2</li><li>Type: Host</li><li>IPv4 address: 172.16.16.185</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="579" height="595" src="https://thegioifirewall.com/wp-content/uploads/9-55.png" alt="" class="wp-image-14037" srcset="https://thegioifirewall.com/wp-content/uploads/9-55.png 579w, https://thegioifirewall.com/wp-content/uploads/9-55-292x300.png 292w" sizes="auto, (max-width: 579px) 100vw, 579px" /></figure>



<h4 class="wp-block-heading"><strong>5.1.2. Create the IPsec policy</strong></h4>



<p class="wp-block-paragraph">To create the IPsec policy, go to <strong>Site-to-Site VPN &gt; IPsec &gt; Policies &gt; +New IPsec Policy…</strong>.</p>



<p class="wp-block-paragraph">Configure the following parameters:</p>



<ul class="wp-block-list"><li>Name: <strong>XGS_to_UTM</strong></li><li>IKE encryption: <strong>AES 256</strong></li><li>IKE Authentication: <strong>SHA2 256</strong></li><li>IKE SA lifetime: <strong>28800</strong></li><li>IKE DH group: <strong>Group14</strong></li><li>IPSEC Encryption: <strong>AES 128</strong></li><li>IPSEC auth: <strong>SHA2 256</strong></li><li>IPSEC SA lifetime: <strong>3600</strong></li><li>IPSEC PFS: <strong>Group14</strong></li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="742" height="751" src="https://thegioifirewall.com/wp-content/uploads/30-15.png" alt="" class="wp-image-13998" srcset="https://thegioifirewall.com/wp-content/uploads/30-15.png 742w, https://thegioifirewall.com/wp-content/uploads/30-15-296x300.png 296w" sizes="auto, (max-width: 742px) 100vw, 742px" /></figure>



<h4 class="wp-block-heading"><strong>5.1.3. Configure the Remote Gateway for ISP 1</strong></h4>



<p class="wp-block-paragraph">Go to <strong>Site-to-Site VPN &gt; IPsec &gt; Remote Gateways &gt; +New Remote Gateway</strong> and configure the Remote Gateway with the following parameters:</p>



<ul class="wp-block-list"><li>Name: <strong>UTM_to_XGS_ISP1</strong></li><li>Type: <strong>Initiate Connection</strong></li><li>Gateway: select the <strong>Sophos XGS ISP 1</strong> profile</li><li>Authentication: enter the pre-shared key</li><li>Key and repeat: re-enter the pre-shared key</li><li>VPN ID Type: <strong>IP address</strong></li><li>VPN ID (Optional): &lt;Blank&gt;</li><li>Remote Networks: select the Remote profile</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="613" height="922" src="https://thegioifirewall.com/wp-content/uploads/12-46.png" alt="" class="wp-image-14038" srcset="https://thegioifirewall.com/wp-content/uploads/12-46.png 613w, https://thegioifirewall.com/wp-content/uploads/12-46-199x300.png 199w" sizes="auto, (max-width: 613px) 100vw, 613px" /></figure>



<h4 class="wp-block-heading"><strong>5.1.4. Configure the Remote Gateway for ISP 2</strong></h4>



<p class="wp-block-paragraph">Go to <strong>Site-to-Site VPN &gt; IPsec &gt; Remote Gateways &gt; +New Remote Gateway</strong> and configure the Remote Gateway with the following parameters:</p>



<ul class="wp-block-list"><li>Name: <strong>UTM_to_XGS_ISP2</strong></li><li>Type: <strong>Initiate Connection</strong></li><li>Gateway: select the <strong>Sophos XGS ISP 2</strong> profile</li><li>Authentication: enter the same pre-shared key as entered above</li><li>Key and repeat: re-enter the pre-shared key</li><li>VPN ID Type: <strong>IP address</strong></li><li>VPN ID (Optional): &lt;Blank&gt;</li><li>Remote Networks: select the Remote profile</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="611" height="918" src="https://thegioifirewall.com/wp-content/uploads/10-50.png" alt="" class="wp-image-14039" srcset="https://thegioifirewall.com/wp-content/uploads/10-50.png 611w, https://thegioifirewall.com/wp-content/uploads/10-50-200x300.png 200w" sizes="auto, (max-width: 611px) 100vw, 611px" /></figure>



<h4 class="wp-block-heading"><strong>5.1.5. Configure the IPsec connection to ISP 1</strong></h4>



<p class="wp-block-paragraph">Go to <strong>Site-to-Site VPN &gt; IPsec &gt; + New IPsec Connection</strong> and create the IPsec connection with the following parameters:</p>



<ul class="wp-block-list"><li>Name: <strong>UTM_to_XGS_ISP1</strong></li><li>Remote Gateway: select the UTM_to_XGS_ISP1 remote gateway created above.</li><li>Local Interface: select External (WAN)</li><li>Policy: select the XGS_to_UTM IPsec policy.</li><li>Local Networks: select the Local profile.</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="571" height="913" src="https://thegioifirewall.com/wp-content/uploads/13-41.png" alt="" class="wp-image-14040" srcset="https://thegioifirewall.com/wp-content/uploads/13-41.png 571w, https://thegioifirewall.com/wp-content/uploads/13-41-188x300.png 188w" sizes="auto, (max-width: 571px) 100vw, 571px" /></figure>



<h4 class="wp-block-heading"><strong>5.1.6. Configure the IPsec connection to ISP 2</strong></h4>



<p class="wp-block-paragraph">Go to <strong>Site-to-Site VPN &gt; IPsec &gt; + New IPsec Connection</strong> and create the IPsec connection with the following parameters:</p>



<ul class="wp-block-list"><li>Name: <strong>UTM_to_XGS_ISP2</strong></li><li>Remote Gateway: select the UTM_to_XGS_ISP2 remote gateway created above.</li><li>Local Interface: select External (WAN)</li><li>Policy: select the XGS_to_UTM IPsec policy.</li><li>Local Networks: select the Local profile.</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="578" height="913" src="https://thegioifirewall.com/wp-content/uploads/14-39.png" alt="" class="wp-image-14041" srcset="https://thegioifirewall.com/wp-content/uploads/14-39.png 578w, https://thegioifirewall.com/wp-content/uploads/14-39-190x300.png 190w" sizes="auto, (max-width: 578px) 100vw, 578px" /></figure>



<p class="wp-block-paragraph">As you can see, the IPsec connections have been created and show status ON.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="246" src="https://thegioifirewall.com/wp-content/uploads/15-35-1024x246.png" alt="" class="wp-image-14042" srcset="https://thegioifirewall.com/wp-content/uploads/15-35-1024x246.png 1024w, https://thegioifirewall.com/wp-content/uploads/15-35-300x72.png 300w, https://thegioifirewall.com/wp-content/uploads/15-35-768x185.png 768w, https://thegioifirewall.com/wp-content/uploads/15-35.png 1535w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>5.1.7. Create firewall policies</strong></h4>



<p class="wp-block-paragraph">Finally, we need to create policies that allow traffic to pass between the two sites.</p>



<p class="wp-block-paragraph">To allow traffic coming from the Sophos XGS Firewall, go to <strong>Network Protection &gt; Firewall &gt; + New Rule</strong> and add a new rule with the following settings:</p>



<ul class="wp-block-list"><li>Group: No group</li><li>Position: Top</li><li>Source: select the Remote profile</li><li>Services: select Any.</li><li>Destination: select the Local profile</li><li>Action: Allow</li><li>Click Save</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="623" height="1024" src="https://thegioifirewall.com/wp-content/uploads/20-25-623x1024.png" alt="" class="wp-image-14002" srcset="https://thegioifirewall.com/wp-content/uploads/20-25-623x1024.png 623w, https://thegioifirewall.com/wp-content/uploads/20-25-183x300.png 183w, https://thegioifirewall.com/wp-content/uploads/20-25.png 655w" sizes="auto, (max-width: 623px) 100vw, 623px" /></figure>



<p class="wp-block-paragraph">To allow traffic going to the Sophos XGS Firewall, go to <strong>Network Protection &gt; Firewall &gt; + New Rule</strong> and add a new rule with the following settings:</p>



<ul class="wp-block-list"><li>Group: No group</li><li>Position: Top</li><li>Source: select the Local profile</li><li>Services: select Any.</li><li>Destination: select the Remote profile</li><li>Action: Allow</li><li>Click Save</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="617" height="1024" src="https://thegioifirewall.com/wp-content/uploads/21-23-617x1024.png" alt="" class="wp-image-14003" srcset="https://thegioifirewall.com/wp-content/uploads/21-23-617x1024.png 617w, https://thegioifirewall.com/wp-content/uploads/21-23-181x300.png 181w, https://thegioifirewall.com/wp-content/uploads/21-23.png 653w" sizes="auto, (max-width: 617px) 100vw, 617px" /></figure>



<h3 class="wp-block-heading"><strong>5.2. Configuration on the Sophos XGS Firewall</strong></h3>



<h4 class="wp-block-heading"><strong>5.2.1. Create profiles for the local and remote LAN subnets</strong></h4>



<p class="wp-block-paragraph">Go to <strong>Hosts and Services &gt; IP Host</strong> and click <strong>Add</strong> to create the local LAN with the following parameters:</p>



<ul class="wp-block-list"><li>Name*: Local.</li><li>IP version*: IPv4.</li><li>Type*: Network</li><li>IP address*: 10.145.41.0 – Subnet /24 [255.255.255.0].</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="261" src="https://thegioifirewall.com/wp-content/uploads/1-79-1024x261.png" alt="" class="wp-image-13983" srcset="https://thegioifirewall.com/wp-content/uploads/1-79-1024x261.png 1024w, https://thegioifirewall.com/wp-content/uploads/1-79-300x76.png 300w, https://thegioifirewall.com/wp-content/uploads/1-79-768x195.png 768w, https://thegioifirewall.com/wp-content/uploads/1-79-1536x391.png 1536w, https://thegioifirewall.com/wp-content/uploads/1-79-2048x521.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Go to <strong>Hosts and Services &gt; IP Host</strong> and click <strong>Add</strong> to create the remote LAN with the following parameters:</p>



<ul class="wp-block-list"><li>Name*: Remote.</li><li>IP version*: IPv4.</li><li>Type*: Network</li><li>IP address*: 192.168.2.0 – Subnet /24 [255.255.255.0].</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="262" src="https://thegioifirewall.com/wp-content/uploads/2-78-1024x262.png" alt="" class="wp-image-13984" srcset="https://thegioifirewall.com/wp-content/uploads/2-78-1024x262.png 1024w, https://thegioifirewall.com/wp-content/uploads/2-78-300x77.png 300w, https://thegioifirewall.com/wp-content/uploads/2-78-768x197.png 768w, https://thegioifirewall.com/wp-content/uploads/2-78-1536x393.png 1536w, https://thegioifirewall.com/wp-content/uploads/2-78-2048x524.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>5.2.2. Create IPsec policies</strong></h4>



<p class="wp-block-paragraph">To create one, go to VPN &gt; IPsec Policies and click Add.</p>



<p class="wp-block-paragraph">Create it with the following parameters:</p>



<p class="wp-block-paragraph">General settings:</p>



<ul class="wp-block-list"><li>Name: UTM_to_XGS</li><li>Key Exchange: IKEv1.</li><li>Authentication mode: Main mode.</li><li>Re-key connection: checked.</li><li>Key negotiation tries: 3</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="320" src="https://thegioifirewall.com/wp-content/uploads/26-19-1024x320.png" alt="" class="wp-image-13985" srcset="https://thegioifirewall.com/wp-content/uploads/26-19-1024x320.png 1024w, https://thegioifirewall.com/wp-content/uploads/26-19-300x94.png 300w, https://thegioifirewall.com/wp-content/uploads/26-19-768x240.png 768w, https://thegioifirewall.com/wp-content/uploads/26-19-1536x479.png 1536w, https://thegioifirewall.com/wp-content/uploads/26-19-2048x639.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Phase 1:</p>



<ul class="wp-block-list"><li>Key life: 28800.</li><li>Re-key margin: 120.</li><li>DH group: 14 [DH2048].</li><li>Encryption: AES256.</li><li>Authentication: SHA2 256.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="330" src="https://thegioifirewall.com/wp-content/uploads/27-20-1024x330.png" alt="" class="wp-image-13986" srcset="https://thegioifirewall.com/wp-content/uploads/27-20-1024x330.png 1024w, https://thegioifirewall.com/wp-content/uploads/27-20-300x97.png 300w, https://thegioifirewall.com/wp-content/uploads/27-20-768x247.png 768w, https://thegioifirewall.com/wp-content/uploads/27-20-1536x495.png 1536w, https://thegioifirewall.com/wp-content/uploads/27-20-2048x660.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Phase 2:</p>



<ul class="wp-block-list"><li>PFS group [DH group]: Same as phase-I.</li><li>Key life: 3600.</li><li>Encryption: AES256.</li><li>Authentication: SHA2 256.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="258" src="https://thegioifirewall.com/wp-content/uploads/28-20-1024x258.png" alt="" class="wp-image-13987" srcset="https://thegioifirewall.com/wp-content/uploads/28-20-1024x258.png 1024w, https://thegioifirewall.com/wp-content/uploads/28-20-300x76.png 300w, https://thegioifirewall.com/wp-content/uploads/28-20-768x194.png 768w, https://thegioifirewall.com/wp-content/uploads/28-20-1536x387.png 1536w, https://thegioifirewall.com/wp-content/uploads/28-20-2048x516.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Dead Peer Detection</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="189" src="https://thegioifirewall.com/wp-content/uploads/7-58-1024x189.png" alt="" class="wp-image-14043" srcset="https://thegioifirewall.com/wp-content/uploads/7-58-1024x189.png 1024w, https://thegioifirewall.com/wp-content/uploads/7-58-300x55.png 300w, https://thegioifirewall.com/wp-content/uploads/7-58-768x142.png 768w, https://thegioifirewall.com/wp-content/uploads/7-58-1536x283.png 1536w, https://thegioifirewall.com/wp-content/uploads/7-58-2048x378.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click Save.</p>



<h4 class="wp-block-heading"><strong>5.2.3. Create the IPsec VPN connection over ISP 1</strong></h4>



<p class="wp-block-paragraph">Go to <strong>VPN &gt; IPsec Connection</strong> and click <strong>Add</strong>. Create the IPsec VPN connection with the parameters shown below, using the <strong>ISP1</strong> port as the <strong>Listening Interface</strong>.</p>



<p class="wp-block-paragraph">Configure General settings with the following parameters:</p>



<ul class="wp-block-list"><li>Name: XGS_to_UTM_ISP1.</li><li>IP version: select IPv4.</li><li>Connection type: select Site-to-site.</li><li>Gateway type: Respond only.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="269" src="https://thegioifirewall.com/wp-content/uploads/1-82-1024x269.png" alt="" class="wp-image-14044" srcset="https://thegioifirewall.com/wp-content/uploads/1-82-1024x269.png 1024w, https://thegioifirewall.com/wp-content/uploads/1-82-300x79.png 300w, https://thegioifirewall.com/wp-content/uploads/1-82-768x202.png 768w, https://thegioifirewall.com/wp-content/uploads/1-82-1536x404.png 1536w, https://thegioifirewall.com/wp-content/uploads/1-82-2048x539.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Configure Encryption with the following parameters:</p>



<ul class="wp-block-list"><li>Policy: select UTM_to_XGS</li><li>Authentication type: select Preshared key</li><li>Enter the password in the Preshared key and Repeat preshared key fields, the same one entered for the ISP 1 Remote Gateway on the Sophos UTM.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="265" src="https://thegioifirewall.com/wp-content/uploads/2-81-1024x265.png" alt="" class="wp-image-14045" srcset="https://thegioifirewall.com/wp-content/uploads/2-81-1024x265.png 1024w, https://thegioifirewall.com/wp-content/uploads/2-81-300x78.png 300w, https://thegioifirewall.com/wp-content/uploads/2-81-768x199.png 768w, https://thegioifirewall.com/wp-content/uploads/2-81-1536x398.png 1536w, https://thegioifirewall.com/wp-content/uploads/2-81-2048x530.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Configure Gateway settings with the following parameters:</p>



<ul class="wp-block-list"><li>Listening interface: select <strong>Port2 – 172.16.16.99</strong>.</li><li>Gateway address: enter the Sophos UTM WAN IP, 172.16.16.186.</li><li>Local subnet: select the Local profile.</li><li>Remote subnet: select the Remote profile.</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="481" src="https://thegioifirewall.com/wp-content/uploads/3-81-1024x481.png" alt="" class="wp-image-14046" srcset="https://thegioifirewall.com/wp-content/uploads/3-81-1024x481.png 1024w, https://thegioifirewall.com/wp-content/uploads/3-81-300x141.png 300w, https://thegioifirewall.com/wp-content/uploads/3-81-768x361.png 768w, https://thegioifirewall.com/wp-content/uploads/3-81-1536x721.png 1536w, https://thegioifirewall.com/wp-content/uploads/3-81-2048x962.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>5.2.4. Create the IPsec VPN connection over ISP 2</strong></h4>



<p class="wp-block-paragraph">Create another IPsec connection using the details shown below, using the <strong>ISP2</strong> port as the <strong>Listening Interface</strong>.</p>



<p class="wp-block-paragraph">Configure General settings with the following parameters:</p>



<ul class="wp-block-list"><li>Name: XGS_to_UTM_ISP2.</li><li>IP version: select IPv4.</li><li>Connection type: select Site-to-site.</li><li>Gateway type: select Respond only.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="272" src="https://thegioifirewall.com/wp-content/uploads/4-81-1024x272.png" alt="" class="wp-image-14047" srcset="https://thegioifirewall.com/wp-content/uploads/4-81-1024x272.png 1024w, https://thegioifirewall.com/wp-content/uploads/4-81-300x80.png 300w, https://thegioifirewall.com/wp-content/uploads/4-81-768x204.png 768w, https://thegioifirewall.com/wp-content/uploads/4-81-1536x408.png 1536w, https://thegioifirewall.com/wp-content/uploads/4-81-2048x544.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Configure Encryption with the following parameters:</p>



<ul class="wp-block-list"><li>Policy: select IKEv2.</li><li>Authentication type: select Preshared key.</li><li>Enter the password in the Preshared key and Repeat preshared key fields, the same one entered for the ISP 2 Remote Gateway on the Sophos UTM.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="269" src="https://thegioifirewall.com/wp-content/uploads/5-75-1024x269.png" alt="" class="wp-image-14048" srcset="https://thegioifirewall.com/wp-content/uploads/5-75-1024x269.png 1024w, https://thegioifirewall.com/wp-content/uploads/5-75-300x79.png 300w, https://thegioifirewall.com/wp-content/uploads/5-75-768x202.png 768w, https://thegioifirewall.com/wp-content/uploads/5-75-1536x404.png 1536w, https://thegioifirewall.com/wp-content/uploads/5-75-2048x539.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Configure Gateway settings with the following parameters:</p>



<ul class="wp-block-list"><li>Listening interface: select <strong>Port3 – 172.16.16.185</strong>.</li><li>Gateway address: enter the Sophos UTM WAN IP, 172.16.16.186.</li><li>Local subnet: select the Local profile.</li><li>Remote subnet: select the Remote profile.</li><li>Click Save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="475" src="https://thegioifirewall.com/wp-content/uploads/6-68-1024x475.png" alt="" class="wp-image-14049" srcset="https://thegioifirewall.com/wp-content/uploads/6-68-1024x475.png 1024w, https://thegioifirewall.com/wp-content/uploads/6-68-300x139.png 300w, https://thegioifirewall.com/wp-content/uploads/6-68-768x356.png 768w, https://thegioifirewall.com/wp-content/uploads/6-68-1536x713.png 1536w, https://thegioifirewall.com/wp-content/uploads/6-68-2048x950.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">The two IPsec VPN connections just created are displayed as follows.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="276" src="https://thegioifirewall.com/wp-content/uploads/11-51-1024x276.png" alt="" class="wp-image-14050" srcset="https://thegioifirewall.com/wp-content/uploads/11-51-1024x276.png 1024w, https://thegioifirewall.com/wp-content/uploads/11-51-300x81.png 300w, https://thegioifirewall.com/wp-content/uploads/11-51-768x207.png 768w, https://thegioifirewall.com/wp-content/uploads/11-51-1536x414.png 1536w, https://thegioifirewall.com/wp-content/uploads/11-51-2048x552.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>5.2.5. Configure failover for the IPsec VPN connections</strong></h4>



<p class="wp-block-paragraph">Under the <strong>Failover Group</strong> section, click <strong>Add</strong>.</p>



<p class="wp-block-paragraph">Configure <strong>Failover</strong> with the parameters shown in the following image and click <strong>Save</strong>.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="677" src="https://thegioifirewall.com/wp-content/uploads/16-35-1024x677.png" alt="" class="wp-image-14052" srcset="https://thegioifirewall.com/wp-content/uploads/16-35-1024x677.png 1024w, https://thegioifirewall.com/wp-content/uploads/16-35-300x198.png 300w, https://thegioifirewall.com/wp-content/uploads/16-35-768x508.png 768w, https://thegioifirewall.com/wp-content/uploads/16-35-1536x1016.png 1536w, https://thegioifirewall.com/wp-content/uploads/16-35.png 1600w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">The following screen is displayed for the <strong>Failover Group</strong> section.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="207" src="https://thegioifirewall.com/wp-content/uploads/17-33-1024x207.png" alt="" class="wp-image-14053" srcset="https://thegioifirewall.com/wp-content/uploads/17-33-1024x207.png 1024w, https://thegioifirewall.com/wp-content/uploads/17-33-300x61.png 300w, https://thegioifirewall.com/wp-content/uploads/17-33-768x155.png 768w, https://thegioifirewall.com/wp-content/uploads/17-33-1536x311.png 1536w, https://thegioifirewall.com/wp-content/uploads/17-33-2048x414.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click the red circle icon under Status of the newly created Failover Group to activate it.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="494" src="https://thegioifirewall.com/wp-content/uploads/18-31-1024x494.png" alt="" class="wp-image-14051" srcset="https://thegioifirewall.com/wp-content/uploads/18-31-1024x494.png 1024w, https://thegioifirewall.com/wp-content/uploads/18-31-300x145.png 300w, https://thegioifirewall.com/wp-content/uploads/18-31-768x370.png 768w, https://thegioifirewall.com/wp-content/uploads/18-31-1536x741.png 1536w, https://thegioifirewall.com/wp-content/uploads/18-31-2048x988.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">The VPN connections on the Sophos UTM side have also been established successfully.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="357" src="https://thegioifirewall.com/wp-content/uploads/19-29-1024x357.png" alt="" class="wp-image-14054" srcset="https://thegioifirewall.com/wp-content/uploads/19-29-1024x357.png 1024w, https://thegioifirewall.com/wp-content/uploads/19-29-300x105.png 300w, https://thegioifirewall.com/wp-content/uploads/19-29-768x268.png 768w, https://thegioifirewall.com/wp-content/uploads/19-29.png 1519w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>5.2.6. Add 2 firewall rules to allow VPN traffic</strong></h4>



<p class="wp-block-paragraph">Click <strong>Rules and policies &gt; Add Firewall Rule &gt; New firewall rule</strong>. Create the <strong>firewall rule</strong> as shown in the following image.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="784" src="https://thegioifirewall.com/wp-content/uploads/12-45-1024x784.png" alt="" class="wp-image-13994" srcset="https://thegioifirewall.com/wp-content/uploads/12-45-1024x784.png 1024w, https://thegioifirewall.com/wp-content/uploads/12-45-300x230.png 300w, https://thegioifirewall.com/wp-content/uploads/12-45-768x588.png 768w, https://thegioifirewall.com/wp-content/uploads/12-45-1536x1176.png 1536w, https://thegioifirewall.com/wp-content/uploads/12-45-2048x1568.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h4 class="wp-block-heading"><strong>5.2.7. Open the HTTPS and PING services for the VPN zone.</strong></h4>



<p class="wp-block-paragraph">To be able to ping between hosts behind the Sophos XGS Firewall and the Sophos UTM (SG) through the IPsec VPN, we need to open the HTTPS and PING services on the VPN zone.</p>



<p class="wp-block-paragraph">To do so, go to Administration &gt; Device Access.</p>



<p class="wp-block-paragraph">Tick the HTTPS and PING services for the VPN zone and click Apply to save.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="414" src="https://thegioifirewall.com/wp-content/uploads/22-20-1024x414.png" alt="" class="wp-image-14055" srcset="https://thegioifirewall.com/wp-content/uploads/22-20-1024x414.png 1024w, https://thegioifirewall.com/wp-content/uploads/22-20-300x121.png 300w, https://thegioifirewall.com/wp-content/uploads/22-20-768x310.png 768w, https://thegioifirewall.com/wp-content/uploads/22-20-1536x620.png 1536w, https://thegioifirewall.com/wp-content/uploads/22-20-2048x827.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h3 class="wp-block-heading"><strong>5.3. Checking the result.</strong></h3>



<p class="wp-block-paragraph">From a machine on the LAN of the Sophos XGS Firewall with IP 10.145.41.11, ping a machine on the LAN of the Sophos UTM with IP 192.168.2.101/24; the ping succeeds.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="555" src="https://thegioifirewall.com/wp-content/uploads/25-21-1024x555.png" alt="" class="wp-image-14006" srcset="https://thegioifirewall.com/wp-content/uploads/25-21-1024x555.png 1024w, https://thegioifirewall.com/wp-content/uploads/25-21-300x163.png 300w, https://thegioifirewall.com/wp-content/uploads/25-21-768x416.png 768w, https://thegioifirewall.com/wp-content/uploads/25-21-1536x833.png 1536w, https://thegioifirewall.com/wp-content/uploads/25-21-2048x1110.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Ping in the reverse direction, from the machine with IP 192.168.2.101 to the machine with IP 10.145.41.11; this ping also succeeds.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="566" src="https://thegioifirewall.com/wp-content/uploads/24-22-1024x566.png" alt="" class="wp-image-14007" srcset="https://thegioifirewall.com/wp-content/uploads/24-22-1024x566.png 1024w, https://thegioifirewall.com/wp-content/uploads/24-22-300x166.png 300w, https://thegioifirewall.com/wp-content/uploads/24-22-768x425.png 768w, https://thegioifirewall.com/wp-content/uploads/24-22-1536x849.png 1536w, https://thegioifirewall.com/wp-content/uploads/24-22.png 1834w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Go to <strong>Report &gt; VPN</strong> and verify the IPsec traffic.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="295" src="https://thegioifirewall.com/wp-content/uploads/21-24-1024x295.png" alt="" class="wp-image-14056" srcset="https://thegioifirewall.com/wp-content/uploads/21-24-1024x295.png 1024w, https://thegioifirewall.com/wp-content/uploads/21-24-300x86.png 300w, https://thegioifirewall.com/wp-content/uploads/21-24-768x221.png 768w, https://thegioifirewall.com/wp-content/uploads/21-24-1536x442.png 1536w, https://thegioifirewall.com/wp-content/uploads/21-24-2048x590.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Whenever the ISP 1 Internet VPN link goes down, the IPsec connection switches over to the ISP 2 Internet VPN link.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://thegioifirewall.com/huong-dan-cau-hinh-ipsec-vpn-site-to-site-failover-giua-sophos-xgs-va-sophos-utm-sg-firewall/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
