From c258df0cd80d24d8aaa33116b5e1df886be989ee Mon Sep 17 00:00:00 2001 From: Nicole Rappe Date: Fri, 26 Jan 2024 18:06:59 -0700 Subject: [PATCH] Update Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md --- .../Sophos/IPSec Site-to-Site VPN Tunnel.md | 43 ++++++++++++++++--- 1 file changed, 38 insertions(+), 5 deletions(-) diff --git a/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md b/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md index 633eef5..b1b3582 100644 --- a/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md +++ b/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md 
@@ -6,18 +6,51 @@ ## Login to the Firewall You will need to access the firewall either directly on the local network at `https://:4444` or remotely in Sophos Central. -## Configure an IPSec VPN Tunnel Initiator +## Configure an IPSec VPN Tunnel Navigate to "**Configure > Site-to-Site VPN > Add**" +### General settings + | **Field** | **Value** | | :--- | :--- | | Name | ` to ` | | IP Version | `Dual` | -| Connection Type | `Tunnel Interface` | +| Connection Type | `Tunnel Interface` (*Also known as a "Route-Based VPN"*) | | Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) | -| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) | -| Authentication Type | `Preshared Key` | +### Encryption + +| **Field** | **Value** | +| :--- | :--- | +| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) | +| Authentication Type | `Preshared Key / Passphrase` | + +### Gateway Settings + +| **Field** | **Value** | +| :--- | :--- | +| Listening Interface | `` (*Internal IP Address*) | +| Gateway Address | `` | +| Local ID Type | `IP Address` (*Usually Optional*) | +| Remote ID Type | `` (*Usually Optional*)| +| Local Subnet | `` | +| Remote Subnet | `` | !!! tip "Best Practices - Initiators / Responders" - If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators. \ No newline at end of file + If you have a hub-and-spoke network, where one location acts as a central authority (e.g. 
domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators. + +## Configure IPSec Encryption Profile +Navigate to "**System > Profiles > IPSec Profiles > Custom_IKEv2_`/`**" + +| **Field** | **Value** | +| :--- | :--- | +| Listening Interface | `` (*Internal IP Address*) | +| Gateway Address | `` | +| Local ID Type | `IP Address` | +| Remote ID Type | `` | +| Local Subnet | `` | +| Remote Subnet | `` | + +## Connect the IPSec tunnels +Now you need to start the tunnel on the Initiator side first, then start the tunnel on the responder side. If both sides show green status indicators, the tunnel should be active. +
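Review bot: the table under the new "## Configure IPSec Encryption Profile" heading is a verbatim copy of the "### Gateway Settings" table (Listening Interface, Gateway Address, Local ID Type, Remote ID Type, Local Subnet, Remote Subnet), but those are per-connection fields, not profile fields; a Sophos IPsec profile under "System > Profiles > IPSec Profiles" holds the key-exchange parameters (IKE version, DH group, encryption and authentication algorithms, key lifetimes, DPD), so the table should list those values for `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` instead, otherwise the section documents nothing the reader can apply. Two smaller points in the same hunk: "## Connect the IPSec tunnels" tells the reader to start the initiator first and then the responder, but a `Respond Only` peer cannot answer the initiator's IKE exchange until its own connection is active, so either swap the order to responder first or state explicitly that the initiator will keep retrying until the responder comes up; and the "(*Internal IP Address*)" annotation on `Listening Interface` reads as if a LAN address were intended, whereas this is the interface on which the peer's IKE traffic arrives (normally the WAN-facing one), so the annotation should say which side of the firewall is meant. Since `Authentication Type` is now `Preshared Key / Passphrase`, consider adding a one-line note that the PSK must be long and random and identical on both peers, as the page gives no guidance on it.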