From 0260b681fe24e382d9d721de3dffc54fde40643d Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Fri, 26 Jan 2024 17:50:33 -0700 Subject: [PATCH] Add Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md --- .../Sophos/IPSec Site-to-Site VPN Tunnel.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md diff --git a/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md b/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md new file mode 100644 index 0000000..633eef5 --- /dev/null +++ b/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md 
@@ -0,0 +1,23 @@ +**Purpose**: You may have two Sophos XGS appliances (or a mixed configuration) and need to set up a site-to-site VPN tunnel between two remote locations. You can achieve this with a simple passphrase-based IPSec VPN tunnel. + +!!! info "Assumptions" + This documentation only provides instruction for Sophos XGS based devices. It does not account for third-party vendors or other manufactured hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on the tunnels manually. (e.g. Encryption Type, Phase Lifetimes, etc). + +## Login to the Firewall +You will need to access the firewall either directly on the local network at `https://:4444` or remotely in Sophos Central. + +## Configure an IPSec VPN Tunnel Initiator +Navigate to "**Configure > Site-to-Site VPN > Add**" + +| **Field** | **Value** | +| :--- | :--- | +| Name | ` to ` | +| IP Version | `Dual` | +| Connection Type | `Tunnel Interface` | +| Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) | +| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) | +| Authentication Type | `Preshared Key` | + + +!!! tip "Best Practices - Initiators / Responders" + If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators. \ No newline at end of file
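Review bot: the placeholders in this hunk have been lost, so the instructions as written cannot be followed: the login line reads `https://:4444` with no host, and the Name row reads `` ` to ` `` with both site names missing. Angle-bracket placeholders inside a markdown table or inline code are often swallowed as HTML tags by renderers, so escape them (e.g. `\<firewall-ip\>`, `\<Site A\> to \<Site B\>`) or switch to a bracket style that survives rendering. Two gaps a reader will hit immediately: the table points at `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` encryption profiles but nothing on the page defines them (IKE version, DH group, encryption and integrity algorithms, Phase 1/Phase 2 lifetimes, DPD), and the Assumptions block tells mixed-vendor readers to "match the settings on the tunnels manually", which they can only do if those values are spelled out; and the `Preshared Key` row gives no guidance on key length or on exchanging the key out of band rather than over the same channel used to coordinate the tunnel. Minor: the file is missing its trailing newline.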