Update Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md

Nicole Rappe
2024-01-26 18:16:14 -07:00
parent c258df0cd8
commit 3eee7601f9


@ -39,17 +39,22 @@ Navigate to "**Configure > Site-to-Site VPN > Add**"
!!! tip "Best Practices - Initiators / Responders" !!! tip "Best Practices - Initiators / Responders"
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators. If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
!!! note "Tunnel IDs / Subnets"
If one side of the tunnel indicates a Local ID, you need to input that as the Remote ID on the other end of the tunnel. While Tunnel IDs are generally optional, if one side uses them, both need to.
- "Route-Based" VPNs do not need subnets indicated / configured
- "Policy-based" VPNs require subnets indicated / configured
## Configure IPSec Encryption Profile ## Configure IPSec Encryption Profile
Navigate to "**System > Profiles > IPSec Profiles > Custom_IKEv2_`<Initiator>/<Responder>`**" Navigate to "**System > Profiles > IPSec Profiles > Custom_IKEv2_`<Initiator>/<Responder>`**"
| **Field** | **Value** | | **Field** | **Value** |
| :--- | :--- | | :--- | :--- |
| Listening Interface | `<WAN Interface / Generally "Port2">` (*Internal IP Address*) | | Phase 1 Lifetime | `<Longer Lifetime Compared to Phase 2>` (*If Initiator*) |
| Gateway Address | `<Public IP of Remote Firewall>` | | Phase 2 Lifetime | `<Shorter Lifetime Compared to Phase 1>` (*If Initiator*) |
| Local ID Type | `IP Address` |
| Remote ID Type | `<If the Remote Firewall has one, enter it, otherwise leave blank>` | !!! warning "Remote / Local Phase Lifetimes"
| Local Subnet | `<Leave Blank>` | Within the context of the remote and local VPN tunnels, the lifetime of the Phase 1 and Phase 2 encryption keys needs to be shorter on the intiator than the responder sides of the VPN tunnel.
| Remote Subnet | `<Leave Blank>` |
## Connect the IPSec tunnels ## Connect the IPSec tunnels
Now you need to start the tunnel on the Initiator side first, then start the tunnel on the responder side. If both sides show green status indicators, the tunnel should be active. Now you need to start the tunnel on the Initiator side first, then start the tunnel on the responder side. If both sides show green status indicators, the tunnel should be active.
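Review bot: The new "Remote / Local Phase Lifetimes" warning has a typo ("intiator" should be "initiator"), and the two new table rows (`| Phase 1 Lifetime | ... (*If Initiator*) |`, `| Phase 2 Lifetime | ... (*If Initiator*) |`) give no value for the responder side, so a reader configuring the hub profile has nothing to enter; consider adding matching responder rows or one sentence in the warning stating the responder's lifetimes explicitly (longer than the initiator's, as the warning already implies). Also, the old rows for Local ID Type, Remote ID Type, Local Subnet and Remote Subnet are dropped from this section without being re-added in the hunk, while the "Tunnel IDs / Subnets" note at the top of the hunk still tells the reader to enter Local/Remote IDs; confirm those fields are documented in the Site-to-Site VPN table above this hunk so the note still has somewhere to point.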