Update Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md

Nicole Rappe
2024-01-26 18:06:59 -07:00
parent 0260b681fe
commit c258df0cd8


@ -6,18 +6,51 @@
## Login to the Firewall
You will need to access the firewall either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely in Sophos Central.
## Configure an IPSec VPN Tunnel Initiator
## Configure an IPSec VPN Tunnel
Navigate to "**Configure > Site-to-Site VPN > Add**"
### General settings
| **Field** | **Value** |
| :--- | :--- |
| Name | `<ThisLocation> to <RemoteLocation>` |
| IP Version | `Dual` |
| Connection Type | `Tunnel Interface` |
| Connection Type | `Tunnel Interface` (*Also known as a "Route-Based VPN"*) |
| Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) |
| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) |
| Authentication Type | `Preshared Key` |
### Encryption
| **Field** | **Value** |
| :--- | :--- |
| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) |
| Authentication Type | `Preshared Key / Passphrase` |
### Gateway Settings
| **Field** | **Value** |
| :--- | :--- |
| Listening Interface | `<WAN Interface / Generally "Port2">` (*Internal IP Address*) |
| Gateway Address | `<Public IP of Remote Firewall>` |
| Local ID Type | `IP Address` (*Usually Optional*) |
| Remote ID Type | `<If the Remote Firewall has one, enter it, otherwise leave blank>` (*Usually Optional*)|
| Local Subnet | `<Leave Blank>` |
| Remote Subnet | `<Leave Blank>` |
!!! tip "Best Practices - Initiators / Responders"
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
## Configure IPSec Encryption Profile
Navigate to "**System > Profiles > IPSec Profiles > Custom_IKEv2_`<Initiator>/<Responder>`**"
| **Field** | **Value** |
| :--- | :--- |
| Listening Interface | `<WAN Interface / Generally "Port2">` (*Internal IP Address*) |
| Gateway Address | `<Public IP of Remote Firewall>` |
| Local ID Type | `IP Address` |
| Remote ID Type | `<If the Remote Firewall has one, enter it, otherwise leave blank>` |
| Local Subnet | `<Leave Blank>` |
| Remote Subnet | `<Leave Blank>` |
## Connect the IPSec tunnels
Now you need to start the tunnel on the Initiator side first, then start the tunnel on the responder side. If both sides show green status indicators, the tunnel should be active.
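Review bot: the table under "## Configure IPSec Encryption Profile" repeats the Gateway Settings rows verbatim (Listening Interface, Gateway Address, Local/Remote ID Type, Local/Remote Subnet) instead of documenting the profile that "System > Profiles > IPSec Profiles > Custom_IKEv2_..." actually holds, so a reader following this page never learns which key-exchange, encryption, authentication, DH-group and key-lifetime values the Custom_IKEv2_Initiator / Custom_IKEv2_Responder profiles referenced in the "Encryption" table are supposed to contain; replace those rows with the profile's own settings, and state that both ends must use matching values or IKE negotiation fails. Two smaller points in the same hunk: the "Best Practices" paragraph appears twice under `!!! tip`, so keep exactly one copy, indented under the admonition so it renders as its body; and since Connection Type is `Tunnel Interface` (route-based) with both subnet fields set to `<Leave Blank>`, the page should say that routes and firewall rules for the remote subnets still have to be added, otherwise the tunnel shows green in "## Connect the IPSec tunnels" but carries no traffic. The `Preshared Key` rows would also benefit from one line on generating a long random key unique to each tunnel, and the "(*Internal IP Address*)" annotation on the WAN "Listening Interface" row reads as contradictory and should be reworded.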