Sophos Utm Ipv6



Hey there,

more and more IPv6 addresses are being assigned, and since we use IPsec tunnels to encrypt the traffic between our branch offices, I was wondering how far support for IPsec over IPv6 has come.


So I checked it out, using our Astaro (now Sophos UTM) firewall at work and my m0n0wall at home.

First of all, you of course need IPv6 enabled on both ends and a working IPv6 connection. Whether you get that natively from your provider or through a tunnel broker such as https://www.sixxs.net (SixXS has since shut down) is up to you. If you only see fe80:… addresses, those are link-local addresses: they are valid only on the local link and cannot be used as tunnel endpoints. Each WAN interface needs a global unicast address (2000::/3) before you continue.


Setup on the Astaro (Sophos UTM):

  • Go to ‘Site-to-Site VPN’ -> ‘IPSec’ and create a ‘Remote Gateway’. We use a preshared key for this test setup; in a real deployment you should use RSA keys or certificates instead. For the gateway address use the IPv6 WAN address of the m0n0wall. Don’t forget to add the remote networks (this can be the whole /48, for example; there is no need to list several /64s).
  • Then go to ‘Connections’ and create a new connection using the gateway you just created. I use the predefined ‘TripleDES’ policy here. Be aware that 3DES with MD5 and DH group 5 is a legacy combination; if the peer supports it, choose AES-256 with SHA-256 and DH group 14 or higher on both ends instead.
  • If you tick ‘Automatic firewall rules’, the remote network gets full access to your local network (and vice versa). If that is not what you want, leave it unticked and create the rules you need under ‘Network Security’ -> ‘Firewall’.

All done here!

Setup on the M0n0wall:

  • Go to ‘VPN’ -> ‘IPSec’ and click the + symbol to create a new tunnel.
  • For the interface choose ‘WAN’, unless you are routing internally or something similar (the interface must carry the same IPv6 address you entered as the remote gateway on the Astaro).
  • Enter your local subnet; I chose my /48 here.
  • Enter the remote gateway (again, the WAN IPv6 address of the Astaro).
  • Phase 1: 3DES, MD5, DH key group 5, lifetime 7800, preshared key
  • Phase 2: 3DES, MD5, lifetime 3600

These are the values from the predefined 3DES policy on the Astaro. You can change them, but change them identically on both sides: the phase 1 and phase 2 proposals, lifetimes and the preshared key must match exactly, or the tunnel will not come up.
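As an added example (not part of the original post and not code from Sophos or m0n0wall), here is a small Python checker that takes the values entered on both boxes and reports the things that most often keep such a tunnel down: a link-local or non-global endpoint address, a phase 1 or phase 2 parameter that differs between the two sides, and overlapping local/remote networks. It also flags the legacy 3DES/MD5/DH group 5 combination used in the walkthrough. The `Side` data class, its field names and the documentation prefixes are assumptions made for this example; they are not UTM or m0n0wall identifiers.

```python
"""Pre-flight checks for an IPv6 site-to-site IPsec definition (added example)."""
import ipaddress
from dataclasses import dataclass

# IPsec endpoints reachable over the Internet need a global unicast address.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")

# Legacy algorithms: still offered by the predefined "3DES" policy, flagged here.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
MIN_DH_GROUP = 14  # 2048-bit MODP; group 5 (1536-bit) is below current guidance


@dataclass
class Side:
    """One tunnel endpoint as typed into the UTM or m0n0wall GUI (hypothetical model)."""
    name: str
    gateway: str    # WAN IPv6 address the peer dials
    networks: list  # subnets behind this side, e.g. ["2001:db8:a::/48"]
    phase1: dict    # encryption, hash, dh_group, lifetime, auth
    phase2: dict    # encryption, hash, lifetime


def check_endpoint(side):
    """Reject endpoint addresses that cannot terminate a tunnel across the Internet."""
    addr = ipaddress.ip_address(side.gateway)
    if addr.version != 6:
        return [f"ENDPOINT {side.name}: {addr} is not an IPv6 address"]
    if addr.is_link_local:
        return [f"ENDPOINT {side.name}: {addr} is link-local (fe80::/10), valid only on the local link"]
    if addr not in GLOBAL_UNICAST:
        return [f"ENDPOINT {side.name}: {addr} is not global unicast (2000::/3) and will not route"]
    return []


def check_proposals(a, b):
    """Both sides must offer identical phase 1 and phase 2 parameters."""
    findings = []
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                findings.append(f"MISMATCH {phase}.{key}: {a.name}={pa.get(key)} {b.name}={pb.get(key)}")
    return findings


def check_strength(side):
    """Flag algorithms and DH groups that are legacy by current standards."""
    findings = []
    for phase in ("phase1", "phase2"):
        p = getattr(side, phase)
        if str(p.get("encryption", "")).lower() in WEAK_ENCRYPTION:
            findings.append(f"WEAK {side.name} {phase}: encryption {p['encryption']}")
        if str(p.get("hash", "")).lower() in WEAK_HASH:
            findings.append(f"WEAK {side.name} {phase}: hash {p['hash']}")
    if side.phase1.get("dh_group", 0) < MIN_DH_GROUP:
        findings.append(f"WEAK {side.name} phase1: DH group {side.phase1.get('dh_group')} below {MIN_DH_GROUP}")
    return findings


def check_networks(a, b):
    """Local and remote networks must not overlap, or routing into the tunnel is ambiguous."""
    findings = []
    for na in (ipaddress.ip_network(n) for n in a.networks):
        for nb in (ipaddress.ip_network(n) for n in b.networks):
            if na.version == nb.version and na.overlaps(nb):
                findings.append(f"OVERLAP {na} ({a.name}) overlaps {nb} ({b.name})")
    return findings


def check_tunnel(a, b):
    """Run every check; an empty list means nothing obviously wrong was found."""
    return (check_endpoint(a) + check_endpoint(b) + check_proposals(a, b)
            + check_strength(a) + check_strength(b) + check_networks(a, b))


# Constructed sample: documentation prefixes plus the proposal values from the walkthrough.
ASTARO = Side("astaro", "2001:db8:ffff:a::1", ["2001:db8:a::/48"],
              {"encryption": "3des", "hash": "md5", "dh_group": 5, "lifetime": 7800, "auth": "psk"},
              {"encryption": "3des", "hash": "md5", "lifetime": 3600})
M0N0WALL = Side("m0n0wall", "2001:db8:ffff:b::1", ["2001:db8:b::/48"],
                dict(ASTARO.phase1), dict(ASTARO.phase2))

if __name__ == "__main__":
    for finding in check_tunnel(ASTARO, M0N0WALL):
        print(finding)
```

Run as-is it prints only WEAK findings for the sample, because the two sides match and both endpoints are global unicast; swap one gateway for an fe80:: address or change a single lifetime on one side and the ENDPOINT or MISMATCH line tells you what to fix before you start reading IKE logs.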


Now create firewall rules for the traffic you want to allow through the tunnel and the traffic you do not. Remember: both sides must permit a flow, otherwise no traffic goes through.

All save, all encrypted, all IPv6.

Voilà: Enjoy your Site-to-Site IPv6 tunnel.

I found an issue with Sophos where I was unable to ping from my local network to a public IPv6 address, even with the firewall rules in place to allow ICMPv6. The issue is that when you enable NAT, it is enabled for both IPv4 and IPv6. You need to create a NAT rule that ensures NAT will not apply to IPv6, and the issue will be resolved.


You really shouldn’t have to use NAT with IPv6 given the number of addresses available. Comcast, for instance, was giving me my own /64 block. That is 2^64 = 18,446,744,073,709,551,616 total addresses, but that isn’t counting the network ID and subnet mask, so really it’s 18,446,744,073,709,551,614 addresses for my own use. Why use NAT at that point?


You can view my post on the Sophos Community Forums HERE
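As an added example (not part of the post above and not Sophos' own tooling), the following Python models the trap the post describes: the NAT table is evaluated top-down with the first match winning, and a masquerading rule whose source object carries both the IPv4 and the IPv6 prefix of the internal interface therefore catches IPv6 traffic as well. `nat_decision` shows the outcome for a given source address before and after adding a No NAT rule for IPv6 above the masquerading rule, and `audit` finds masquerading rules whose IPv6 prefixes are not excluded by an earlier No NAT rule. The object names, prefixes and the exact matching semantics are assumptions made for this example, not a reproduction of the UTM rule engine.

```python
"""Audit a NAT rule table for masquerading that silently covers IPv6 (added example)."""
import ipaddress

# Constructed network objects. The "(Network)" object of an interface is assumed here to
# carry both address families once IPv6 is enabled on that interface.
NETWORK_OBJECTS = {
    "Internal (Network)": ["10.0.0.0/24", "2001:db8:a::/64"],
    "Any": ["0.0.0.0/0", "::/0"],
    "Any IPv6": ["::/0"],
}


def prefixes(obj_name, version=None):
    """Expand a network object into ip_network values, optionally filtered by IP version."""
    nets = [ipaddress.ip_network(p) for p in NETWORK_OBJECTS[obj_name]]
    return [n for n in nets if version is None or n.version == version]


def nat_decision(rules, src):
    """Walk the table top-down and return the action of the first rule matching the source."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if any(addr in net for net in prefixes(rule["source"], addr.version)):
            return rule["action"]
    return "none"


def audit(rules):
    """Report masquerade rules that would rewrite IPv6 sources not already excluded above them."""
    findings = []
    excluded = []  # IPv6 prefixes handled by an earlier No NAT rule
    for position, rule in enumerate(rules, start=1):
        v6 = prefixes(rule["source"], 6)
        if rule["action"] == "no-nat":
            excluded.extend(v6)
        elif rule["action"] == "masquerade":
            for net in v6:
                if not any(net.subnet_of(done) for done in excluded):
                    findings.append(f"rule {position} ({rule['source']}): masquerades IPv6 prefix {net}")
    return findings


# Constructed tables: the situation the post hit, and the fix it describes.
BEFORE = [
    {"source": "Internal (Network)", "action": "masquerade"},
]
AFTER = [
    {"source": "Any IPv6", "action": "no-nat"},  # must sit above the masquerading rule
    {"source": "Internal (Network)", "action": "masquerade"},
]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, nat_decision(table, "2001:db8:a::10"), audit(table))
```

The ordering matters: a No NAT rule placed below the masquerading rule never gets reached, and `audit` reports it just like a missing one, which is the check to run whenever a new masquerading rule is added to a box that also routes IPv6.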