**Purpose**: You may have two Sophos XGS appliances (or a mixed configuration) and need to set up a site-to-site VPN tunnel between two remote locations. You can achieve this with a simple passphrase-based IPSec VPN tunnel.

!!! info "Assumptions"
    This documentation only provides instructions for Sophos XGS-based devices. It does not account for third-party vendors or other manufactured hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on the tunnels manually (e.g. Encryption Type, Phase Lifetimes, etc.).

## Login to the Firewall
You will need to access the firewall either directly on the local network at `https://:4444` or remotely in Sophos Central.

## Configure an IPSec VPN Tunnel Initiator
Navigate to "**Configure > Site-to-Site VPN > Add**"

| **Field** | **Value** |
| :--- | :--- |
| Name | ` to ` |
| IP Version | `Dual` |
| Connection Type | `Tunnel Interface` |
| Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) |
| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) |
| Authentication Type | `Preshared Key` |

!!! tip "Best Practices - Initiators / Responders"
    If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc.), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations will behave as VPN initiators.
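The following added example (not part of the original guide and not Sophos tooling) checks a planned hub-and-spoke tunnel against the table and best practice above: the hub responds, spokes initiate, the encryption profile fits the gateway type, and, for mixed-vendor peers, both sides share at least one proposal. The dictionary keys, site names and proposal values are hypothetical, constructed sample data.

```python
# Added example: checks a planned hub-and-spoke tunnel against this guide's settings.
# Dictionary keys and all site data below are hypothetical / constructed.
INITIATE, RESPOND = "Initiate the Connection", "Respond Only"
PROFILE_FOR = {INITIATE: "Custom_IKEv2_Initiator", RESPOND: "Custom_IKEv2_Responder"}
MUST_MATCH = ("ike_version", "auth_type")  # both peers must agree on these


def check_tunnel(hub, spoke):
    """Return a list of problems for one hub<->spoke tunnel (empty list = OK)."""
    problems = []
    # Best practice from the guide: hub responds, spokes initiate.
    for end, wanted in ((hub, RESPOND), (spoke, INITIATE)):
        if end["gateway_type"] != wanted:
            problems.append(f"{end['site']}: gateway type should be '{wanted}'")
        # The encryption profile is chosen based on the gateway type.
        if end["profile"] != PROFILE_FOR.get(end["gateway_type"]):
            problems.append(f"{end['site']}: profile '{end['profile']}' does not "
                            f"fit gateway type '{end['gateway_type']}'")
    for key in MUST_MATCH:
        if hub[key] != spoke[key]:
            problems.append(f"{key} differs: {hub[key]!r} vs {spoke[key]!r}")
    # Mixed-vendor case: the peers need at least one proposal in common.
    if not set(hub["proposals"]) & set(spoke["proposals"]):
        problems.append("no common (encryption, integrity, DH group) proposal")
    return problems


# Constructed sample plan: one hub, one good spoke, one misconfigured spoke.
HQ = {"site": "HQ", "gateway_type": RESPOND, "profile": "Custom_IKEv2_Responder",
      "ike_version": 2, "auth_type": "Preshared Key",
      "proposals": [("AES256", "SHA2-256", "DH14"), ("AES256", "SHA2-512", "DH16")]}
BRANCH_A = {"site": "Branch-A", "gateway_type": INITIATE,
            "profile": "Custom_IKEv2_Initiator", "ike_version": 2,
            "auth_type": "Preshared Key",
            "proposals": [("AES256", "SHA2-256", "DH14")]}
BRANCH_B = {"site": "Branch-B", "gateway_type": RESPOND,
            "profile": "Custom_IKEv2_Initiator", "ike_version": 2,
            "auth_type": "Preshared Key",
            "proposals": [("AES128", "SHA1", "DH2")]}

if __name__ == "__main__":
    for spoke in (BRANCH_A, BRANCH_B):
        issues = check_tunnel(HQ, spoke)
        print(f"HQ <-> {spoke['site']}:", "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Running it before touching either firewall catches the common failure where both ends are set to `Respond Only` and the tunnel never comes up.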