Add Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md

Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md

@@ -0,0 +1,23 @@
+**Purpose**: You may have two Sophos XGS appliances (or a mixed configuration) and need to set up a site-to-site VPN tunnel between two remote locations.  You can achieve this with a simple passphrase-based IPSec VPN tunnel.
+
+!!! info "Assumptions"
+    This documentation only provides instruction for Sophos XGS based devices.  It does not account for third-party vendors or other manufactured hardware.  If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on the tunnels manually.  (e.g. Encryption Type, Phase Lifetimes, etc).
+
+## Login to the Firewall
+You will need to access the firewall either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely in Sophos Central.
+
+## Configure an IPSec VPN Tunnel Initiator
+Navigate to "**Configure > Site-to-Site VPN > Add**"
+
+| **Field** | **Value** |
+| :--- | :--- |
+| Name | `<ThisLocation> to <RemoteLocation>` |
+| IP Version | `Dual` |
+| Connection Type | `Tunnel Interface` |
+| Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) |
+| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) |
+| Authentication Type | `Preshared Key` | 
+
+
+!!! tip "Best Practices - Initiators / Responders"
+    If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.