bunny-lab/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md

Browse Source
This commit is contained in:
Nicole Rappe
2024-08-09 16:29:36 -06:00
parent d27fdf0fde
commit ffb7566879
1 changed files with 21 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md
View File

@ -3,6 +3,27 @@
!!! info "Assumptions" !!! info "Assumptions"
This documentation only provides instruction for Sophos XGS based devices. It does not account for third-party vendors or other manufactured hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on the tunnels manually. (e.g. Encryption Type, Phase Lifetimes, etc). This documentation only provides instruction for Sophos XGS based devices. It does not account for third-party vendors or other manufactured hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on the tunnels manually. (e.g. Encryption Type, Phase Lifetimes, etc).
## Architecture
!!! tip "Best Practices - Initiators / Responders"
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
``` mermaid
graph TB
Responder((Responder))
Initiator1((Initiator (Remote Site)))
Initiator2((Initiator (Remote Site)))
Initiator3((Initiator (Remote Site)))
Initiator4((Initiator (Remote Site)))
Initiator5((Initiator (Remote Site)))
Responder --> Initiator1
Responder --> Initiator2
Responder --> Initiator3
Responder --> Initiator4
Responder --> Initiator5
```
## Login to the Firewall ## Login to the Firewall
You will need to access the firewall either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely in Sophos Central. You will need to access the firewall either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely in Sophos Central.
@ -36,25 +57,6 @@ Navigate to "**Configure > Site-to-Site VPN > Add**"
| Local Subnet | `<Leave Blank>` | | Local Subnet | `<Leave Blank>` |
| Remote Subnet | `<Leave Blank>` | | Remote Subnet | `<Leave Blank>` |
!!! tip "Best Practices - Initiators / Responders"
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
``` mermaid
graph TB
Responder((Responder))
Initiator1((Initiator (Remote Site)))
Initiator2((Initiator (Remote Site)))
Initiator3((Initiator (Remote Site)))
Initiator4((Initiator (Remote Site)))
Initiator5((Initiator (Remote Site)))
Responder --> Initiator1
Responder --> Initiator2
Responder --> Initiator3
Responder --> Initiator4
Responder --> Initiator5
```
!!! note "Tunnel IDs / Subnets" !!! note "Tunnel IDs / Subnets"
If one side of the tunnel indicates a Local ID, you need to input that as the Remote ID on the other end of the tunnel. While Tunnel IDs are generally optional, if one side uses them, both need to. If one side of the tunnel indicates a Local ID, you need to input that as the Remote ID on the other end of the tunnel. While Tunnel IDs are generally optional, if one side uses them, both need to.