docs/Networking/Sophos/IPSec Site-to-Site VPN Tunnel.md

Purpose: You may have two Sophos XGS appliances (or a mixed configuration) and need to set up a site-to-site VPN tunnel between two remote locations. You can achieve this with a simple passphrase-based IPSec VPN tunnel.

!!! info "Assumptions"
    This documentation only provides instructions for Sophos XGS based devices. It does not account for third-party vendors or other manufacturers' hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to match the settings on both ends of the tunnel manually (e.g. encryption type, phase lifetimes).

## Log in to the Firewall

You will need to access the firewall either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely in Sophos Central.

## Configure an IPSec VPN Tunnel

Navigate to "Configure > Site-to-Site VPN > Add".

### General settings

| Field | Value |
|---|---|
| Name | `<ThisLocation> to <RemoteLocation>` |
| IP Version | Dual |
| Connection Type | Tunnel Interface (also known as a "Route-Based VPN") |
| Gateway Type | Initiate the Connection / Respond Only (see the "Best Practices" tip below) |

### Encryption

| Field | Value |
|---|---|
| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (based on the "Gateway Type") |
| Authentication Type | Preshared Key / Passphrase |

### Gateway Settings

| Field | Value |
|---|---|
| Listening Interface | `<WAN Interface>` (generally "Port2"; its internal IP address) |
| Gateway Address | `<Public IP of Remote Firewall>` |
| Local ID Type | IP Address (usually optional) |
| Remote ID Type | `<If the remote firewall has one, enter it, otherwise leave blank>` (usually optional) |
| Local Subnet | `<Leave blank>` |
| Remote Subnet | `<Leave blank>` |

!!! tip "Best Practices - Initiators / Responders"
    If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc.), set up the central "hub" as the VPN responder on its side of the tunnel, and have all the remote "spoke" locations behave as VPN initiators.

## Configure IPSec Encryption Profile

Navigate to "System > Profiles > IPSec Profiles > `Custom_IKEv2_<Initiator>/<Responder>`".

| Field | Value |
|---|---|
| Listening Interface | `<WAN Interface>` (generally "Port2"; its internal IP address) |
| Gateway Address | `<Public IP of Remote Firewall>` |
| Local ID Type | IP Address |
| Remote ID Type | `<If the remote firewall has one, enter it, otherwise leave blank>` |
| Local Subnet | `<Leave blank>` |
| Remote Subnet | `<Leave blank>` |

## Connect the IPSec tunnels

Start the tunnel on the initiator side first, then start the tunnel on the responder side. If both sides show green status indicators, the tunnel should be active.
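The two points above that most often bite in practice are the "Assumptions" note (both ends must match) and the hub-and-spoke rule (hub responds, spokes initiate). As an added example that is not part of this documentation or any Sophos tooling, the script below builds the per-site field/value settings from the tables above for a hub and its spokes, then checks that each pair mirrors correctly before anyone clicks through the GUI. Site names, IP addresses and the `Site`/`tunnel_settings`/`mismatches` helpers are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    public_ip: str              # public IP of the WAN ("Port2") interface
    listening_if: str = "Port2" # constructed default, per the tables above

def tunnel_settings(local: Site, remote: Site, role: str) -> dict:
    """Field/value pairs for one side of the tunnel, following the tables above."""
    assert role in ("Initiator", "Responder")
    return {
        "Name": f"{local.name} to {remote.name}",
        "IP Version": "Dual",
        "Connection Type": "Tunnel Interface",
        "Gateway Type": "Initiate the Connection" if role == "Initiator" else "Respond Only",
        "Encryption Profile": f"Custom_IKEv2_{role}",
        "Authentication Type": "Preshared Key",
        "Listening Interface": local.listening_if,
        "Gateway Address": remote.public_ip,
        "Local ID Type": "IP Address",
        "Local Subnet": "",
        "Remote Subnet": "",
    }

def hub_and_spoke(hub: Site, spokes: list) -> dict:
    """Hub side responds, every spoke initiates (the 'Best Practices' tip)."""
    plan = {}
    for spoke in spokes:
        plan[(spoke.name, hub.name)] = tunnel_settings(spoke, hub, "Initiator")
        plan[(hub.name, spoke.name)] = tunnel_settings(hub, spoke, "Responder")
    return plan

def mismatches(a: dict, b: dict, a_ip: str, b_ip: str) -> list:
    """Settings that must agree or mirror on both ends; non-empty means the tunnel will not come up."""
    problems = []
    for f in ("IP Version", "Connection Type", "Authentication Type"):
        if a[f] != b[f]:
            problems.append(f"{f}: {a[f]!r} != {b[f]!r}")
    if {a["Gateway Type"], b["Gateway Type"]} != {"Initiate the Connection", "Respond Only"}:
        problems.append("Gateway Type: exactly one side must initiate and the other respond")
    for side in (a, b):  # profile name must match the side's role
        want = "Initiator" if side["Gateway Type"] == "Initiate the Connection" else "Responder"
        if side["Encryption Profile"] != f"Custom_IKEv2_{want}":
            problems.append(f"{side['Name']}: Encryption Profile does not match Gateway Type")
    if a["Gateway Address"] != b_ip or b["Gateway Address"] != a_ip:
        problems.append("Gateway Address must be the other side's public IP")
    return problems
```

Run `mismatches()` on each pair from `hub_and_spoke()`; an empty list means the two GUI forms mirror each other as the tables require.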