docs/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md
2024-01-26 17:50:33 -07:00

**Purpose**: You may have two Sophos XGS appliances (or a mixed configuration with a third-party device on one end) and need a site-to-site VPN tunnel between two remote locations. You can achieve this with an IPSec tunnel authenticated by a preshared key (PSK).
!!! info "Assumptions"
    This documentation only covers Sophos XGS appliances. It does not account for third-party vendors or hardware from other manufacturers. If you need to set up a mixed tunnel with a different brand of device on the far end, you must match the tunnel settings on both ends manually (IKE version, encryption and hash algorithms, Diffie-Hellman group, phase 1 and phase 2 lifetimes, and the preshared key); IKE negotiation fails if the two sides' proposals do not overlap.
## Log in to the Firewall
Access the firewall's web admin console either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely through Sophos Central.
## Configure the IPSec VPN Tunnel (Initiator or Responder)
Navigate to "**Configure > Site-to-Site VPN > Add**"
| **Field** | **Value** |
| :--- | :--- |
| Name | `<ThisLocation> to <RemoteLocation>` |
| IP Version | `Dual` |
| Connection Type | `Tunnel Interface` |
| Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) |
| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"; the two profiles must specify the same algorithms, DH group and lifetimes or the tunnel will not negotiate*) |
| Authentication Type | `Preshared Key` |
!!! tip "Best Practices - Initiators / Responders"
    The two ends of a tunnel must be configured with complementary roles: one side set to `Initiate the Connection`, the other to `Respond Only`. In a hub-and-spoke network, where one location acts as the central authority (e.g. domain controllers, auth servers, identity providers, headquarters), configure the central "hub" as the VPN responder on its side of each tunnel, and every remote "spoke" location as the VPN initiator.
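As an added illustration of the two points above (a mixed tunnel must match the Sophos settings manually, and the hub responds while the spoke initiates), the following shows what the non-Sophos end of such a tunnel could look like on a strongSwan peer, written as `swanctl.conf` fragments. This is not Sophos configuration and not code from the original page. Both role variants are shown because the third-party device could be either the spoke (initiator) or the hub (responder); each fragment lives on its own host. The addresses, subnets, connection names, the IKEv2 proposal `aes256-sha256-modp2048`, the lifetimes and the PSK are assumed placeholders and must be replaced with the values actually selected in the `Custom_IKEv2_*` profiles on the XGS. The spoke entry initiates (`start_action = start`) and the hub entry only responds (`start_action = none`), mirroring the `Initiate the Connection` / `Respond Only` gateway types.

```conf
# Added example (not from the original page): strongSwan swanctl.conf fragments
# for the NON-Sophos end of a mixed tunnel. Every address, subnet, algorithm,
# lifetime and the PSK below is an assumed placeholder; copy the real values
# from the Custom_IKEv2_* profiles configured on the XGS side.

# ---- Fragment A: spoke host (198.51.100.20) acting as INITIATOR ----
# Peer is the hub XGS at 203.0.113.10, configured there as "Respond Only".
connections {
    spoke-to-hub {
        version      = 2                        # IKEv2, like Custom_IKEv2_*
        local_addrs  = 198.51.100.20
        remote_addrs = 203.0.113.10             # hub WAN address
        proposals    = aes256-sha256-modp2048   # phase 1: must equal the XGS profile
        rekey_time   = 8h                       # phase 1 lifetime on the XGS
        dpd_delay    = 30s
        local {
            auth = psk
            id   = 198.51.100.20
        }
        remote {
            auth = psk
            id   = 203.0.113.10
        }
        children {
            lan {
                local_ts      = 10.2.0.0/16              # spoke LAN
                remote_ts     = 10.1.0.0/16              # hub LAN
                esp_proposals = aes256-sha256-modp2048   # phase 2 + PFS group
                rekey_time    = 1h                       # phase 2 lifetime on the XGS
                start_action  = start                    # "Initiate the Connection"
                dpd_action    = restart
            }
        }
    }
}

secrets {
    ike-hub {
        id     = 203.0.113.10
        secret = "replace-with-a-long-random-preshared-key"   # same PSK on the XGS
    }
}

# ---- Fragment B: hub host (203.0.113.10) acting as RESPONDER ONLY ----
# Peer is a spoke XGS at 198.51.100.20, configured there as "Initiate the Connection".
connections {
    hub-from-spoke {
        version      = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20            # pin the spoke; %any would accept any peer IP
        proposals    = aes256-sha256-modp2048
        rekey_time   = 8h
        dpd_delay    = 30s
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }
        children {
            lan {
                local_ts      = 10.1.0.0/16
                remote_ts     = 10.2.0.0/16
                esp_proposals = aes256-sha256-modp2048
                rekey_time    = 1h
                start_action  = none                     # "Respond Only": wait for the spoke
                dpd_action    = clear
            }
        }
    }
}

secrets {
    ike-spoke {
        id     = 198.51.100.20
        secret = "replace-with-a-long-random-preshared-key"
    }
}
```

Load a fragment with `swanctl --load-all`, bring the initiator side up with `swanctl --initiate --child lan`, and confirm the negotiated algorithms and traffic selectors with `swanctl --list-sas`. One caveat: the `Tunnel Interface` connection type on the XGS is route-based, so depending on how the XGS tunnel interface is configured the peer may need to negotiate `0.0.0.0/0` selectors over an xfrm or VTI interface rather than the explicit subnet selectors shown here; if the tunnel comes up but traffic is not forwarded, compare the selectors both sides installed before changing anything else.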