Tunnel Creation
Purpose: You may have two Sophos XGS appliances (or a mixed configuration) and need to set up a site-to-site VPN tunnel between two remote locations. You can achieve this with a simple passphrase-based IPSec VPN tunnel.
Assumptions
This documentation only provides instructions for Sophos XGS-based devices. It does not account for third-party vendors or other manufacturers' hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on both ends of the tunnel manually (e.g. encryption type, phase lifetimes, etc.).
Architecture
Best Practices - Initiators / Responders
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
```mermaid
graph TB
Responder((Responder<br/>Headquarters))
Initiator1((Initiator<br/>Remote Site 1))
Initiator2((Initiator<br/>Remote Site 2))
Initiator3((Initiator<br/>Remote Site 3))
Initiator4((Initiator<br/>Remote Site 4))
Initiator5((Initiator<br/>Remote Site 5))
Initiator1 --> Responder
Initiator2 --> Responder
Initiator3 --> Responder
Initiator4 --> Responder
Initiator5 --> Responder
```
Log in to the Firewall
You will need to access the firewall either directly on the local network at https://<IP-of-Firewall>:4444 or remotely in Sophos Central.
Configure an IPSec VPN Tunnel
Navigate to "Configure > Site-to-Site VPN > Add"
General settings
Field | Value |
---|---|
Name | <ThisLocation> to <RemoteLocation> |
IP Version | Dual |
Connection Type | Tunnel Interface (Also known as a "Route-Based VPN") |
Gateway Type | Initiate the Connection / Respond Only (See "Best Practices" Section) |
Encryption
Field | Value |
---|---|
Encryption Profile | Custom_IKEv2_Initiator / Custom_IKEv2_Responder (Based on the "Gateway Type") |
Authentication Type | Preshared Key / Passphrase |
Gateway Settings
Field | Value |
---|---|
Listening Interface | <WAN Interface / Generally "Port2"> (Internal IP Address) |
Gateway Address | <Public IP of Remote Firewall> |
Local ID Type | IP Address (Usually Optional) |
Remote ID Type | <If the Remote Firewall has one, enter it, otherwise leave blank> (Usually Optional) |
Local Subnet | <Leave Blank> |
Remote Subnet | <Leave Blank> |
Tunnel IDs / Subnets
If one side of the tunnel specifies a Local ID, you need to enter that value as the Remote ID on the other end of the tunnel. While tunnel IDs are generally optional, if one side uses them, both sides must.
- "Route-Based" VPNs do not need subnets indicated / configured
- "Policy-based" VPNs require subnets indicated / configured
Configure IPSec Encryption Profile
Navigate to "System > Profiles > IPSec Profiles > Custom_IKEv2_<Initiator>/<Responder>"
Explanation of Phases and their Relation to Initiators/Responders
Phase 1 could be described as establishing the initial tunnel's connectivity from the initiator to the responder (local to remote), while phase 2 would be considered individual devices establishing connections through the VPN tunnel (individual endpoint connectivity).
The responder's phase 1 & 2 lifetime values are 300 seconds longer than the initiator's phase 1 & 2 lifetime values.
Initiator:

Field | Value | Notes |
---|---|---|
Phase 1 Lifetime | Default Value: 28800 | Longer lifetime compared to Phase 2 |
Phase 2 Lifetime | Default Value: 14400 | Shorter lifetime compared to Phase 1 |

Responder:

Field | Value | Notes |
---|---|---|
Phase 1 Lifetime | Default Value + 300 Seconds: 29100 | Longer lifetime compared to Phase 2 |
Phase 2 Lifetime | Default Value + 300 Seconds: 14700 | Shorter lifetime compared to Phase 1 |
Remote / Local Phase Lifetimes
Within the context of the remote and local VPN tunnels, the lifetime of the Phase 1 and Phase 2 encryption keys needs to be shorter on the initiator side than on the responder side of the VPN tunnel.
Repeat Steps on Remote Firewall
You will need to repeat the steps on both firewalls, so one firewall is the initiator, and one is configured as the responder. Keep special note of the admonitions regarding initiator / responder / local / remote differences.
Connect the IPSec Tunnels
Now start the tunnel on the initiator side first, then start it on the responder side. If both sides show green status indicators, the tunnel should be active.
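The rules spread across the steps above (complementary gateway types, each Gateway Address pointing at the other firewall's public IP, mirrored Local/Remote IDs, blank subnets for a route-based tunnel, phase 1 outliving phase 2, and the responder's lifetimes running 300 seconds longer than the initiator's) are easy to get wrong when the two GUI forms are filled in on different days. The following is an added example, not Sophos code and not part of the original page: a small Python checker that models one firewall's form fields as a `TunnelEnd` record and compares the two ends before the tunnels are started. The `TunnelEnd` dataclass, `check_pair`, and the `public_ip` field are assumptions made for this example, and the site names and IP addresses (RFC 5737 documentation ranges) are constructed.

```python
# Added example for this page: a consistency check for a matched pair of
# Sophos XGS site-to-site IPsec tunnel settings. This is not Sophos code and
# does not talk to a firewall; it encodes the page's rules so the two GUI
# forms can be compared before the tunnels are started. Site names and IP
# addresses below are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass

DEFAULT_P1_LIFETIME = 28800  # page's default phase 1 lifetime, seconds
DEFAULT_P2_LIFETIME = 14400  # page's default phase 2 lifetime, seconds
RESPONDER_OFFSET = 300       # responder lifetimes run 300 s longer


@dataclass
class TunnelEnd:
    """One firewall's side of the tunnel, mirroring the page's form fields (assumed model)."""
    site: str
    public_ip: str          # this firewall's own WAN address (assumed field)
    gateway_type: str       # "Initiate the Connection" or "Respond Only"
    gateway_address: str    # public IP of the remote firewall
    connection_type: str = "Tunnel Interface"  # route-based
    local_id: str = ""
    remote_id: str = ""
    local_subnet: str = ""
    remote_subnet: str = ""
    phase1_lifetime: int = DEFAULT_P1_LIFETIME
    phase2_lifetime: int = DEFAULT_P2_LIFETIME


def responder_lifetimes(initiator_p1: int, initiator_p2: int) -> tuple[int, int]:
    """Derive the responder's lifetimes from the initiator's (+300 s each)."""
    return initiator_p1 + RESPONDER_OFFSET, initiator_p2 + RESPONDER_OFFSET


def check_pair(initiator: TunnelEnd, responder: TunnelEnd) -> list[str]:
    """Return every rule the pair breaks; an empty list means it is consistent."""
    problems = []
    # Gateway types must be complementary (hub responds, spoke initiates).
    if initiator.gateway_type != "Initiate the Connection":
        problems.append(f"{initiator.site}: gateway type must be 'Initiate the Connection'")
    if responder.gateway_type != "Respond Only":
        problems.append(f"{responder.site}: gateway type must be 'Respond Only'")
    # Each end's Gateway Address is the other end's public IP.
    if initiator.gateway_address != responder.public_ip:
        problems.append(f"{initiator.site}: gateway address does not point at {responder.site}")
    if responder.gateway_address != initiator.public_ip:
        problems.append(f"{responder.site}: gateway address does not point at {initiator.site}")
    # A Local ID on one side must appear as the Remote ID on the other side.
    for a, b in ((initiator, responder), (responder, initiator)):
        if a.local_id and a.local_id != b.remote_id:
            problems.append(f"{b.site}: remote ID must be '{a.local_id}' to match {a.site}'s local ID")
    for end in (initiator, responder):
        # Route-based ("Tunnel Interface") tunnels leave both subnets blank.
        if end.connection_type == "Tunnel Interface" and (end.local_subnet or end.remote_subnet):
            problems.append(f"{end.site}: route-based tunnel should not list subnets")
        # Phase 1 must outlive phase 2 on every firewall.
        if end.phase1_lifetime <= end.phase2_lifetime:
            problems.append(f"{end.site}: phase 1 lifetime must exceed phase 2 lifetime")
    # Responder lifetimes are exactly 300 s longer than the initiator's.
    expected = responder_lifetimes(initiator.phase1_lifetime, initiator.phase2_lifetime)
    actual = (responder.phase1_lifetime, responder.phase2_lifetime)
    if actual != expected:
        problems.append(f"{responder.site}: lifetimes should be {expected}, got {actual}")
    return problems


def example_pair() -> tuple[TunnelEnd, TunnelEnd]:
    """Constructed hub-and-spoke pair that follows every rule on the page."""
    p1, p2 = responder_lifetimes(DEFAULT_P1_LIFETIME, DEFAULT_P2_LIFETIME)
    spoke = TunnelEnd(site="Remote Site 1", public_ip="198.51.100.10",
                      gateway_type="Initiate the Connection", gateway_address="203.0.113.1",
                      local_id="198.51.100.10", remote_id="203.0.113.1")
    hub = TunnelEnd(site="Headquarters", public_ip="203.0.113.1",
                    gateway_type="Respond Only", gateway_address="198.51.100.10",
                    local_id="203.0.113.1", remote_id="198.51.100.10",
                    phase1_lifetime=p1, phase2_lifetime=p2)
    return spoke, hub


def example_bad_pair() -> tuple[TunnelEnd, TunnelEnd]:
    """Same pair, but the hub kept default lifetimes and the spoke set no remote ID."""
    spoke, hub = example_pair()
    hub.phase1_lifetime, hub.phase2_lifetime = DEFAULT_P1_LIFETIME, DEFAULT_P2_LIFETIME
    spoke.remote_id = ""
    return spoke, hub


if __name__ == "__main__":
    for label, pair in (("good", example_pair()), ("bad", example_bad_pair())):
        print(label, check_pair(*pair) or "consistent")
```

Running the script prints "consistent" for the correctly mirrored pair and two findings for the bad one: the spoke's missing Remote ID and the hub's lifetimes still at the defaults instead of 29100/14700. Copying each firewall's form values into a `TunnelEnd` before clicking through the GUI gives a quick, offline way to catch the initiator/responder mismatches the admonitions above warn about.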