Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=site-to-site-VPN-policy-based-IPsec

Create a policy-based IPsec VPN using preshared key

You can configure an IPsec VPN between the head office and a branch office.

In this example, we've used a preshared key for authentication.

Network diagram

Network diagram IPsec VPN digital certificates.

Head office configuration

Configure the LANs

Create hosts for the head office and branch office networks at the head office.

  1. Go to Hosts and services > IP host and click Add.

  2. Configure the IP hosts for the local and remote subnets as follows:

    Setting IP host 1 IP host 2
    Name HQ_LAN Branch_LAN
    IP version IPv4 IPv4
    Type Network Network
    IP address 192.10.10.0 192.20.20.0

  3. Click Save.

Add an IPsec connection

Create and activate an IPsec connection at the head office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select IPv4.
  4. Select Create firewall rule.
  5. Set Connection type to Site-to-site.

  6. Set Gateway type to Respond only.

    The head office firewall usually acts as the responder, and the branch office firewalls as tunnel initiators because they are many. We recommend that each branch office retry the connection instead of the head office retrying all connections to branch offices.

    General settings.

  7. Set Profile to Head office (IKEv2).

    IKEv2 allows you to have unique preshared keys for unique local-remote ID combinations.

  8. Set Authentication type to Preshared key.

  9. Enter the preshared key and repeat it.

    Note the preshared key. You'll need to paste it in the branch office firewall's connection.

    Encryption settings.

  10. For Listening interface, select the local interface Port1 - 172.10.10.1.

  11. Set Local ID type to IP address.

    You can select DNS, IP address, or email. The values are only for identification and don't have to be valid values in your network.

  12. For Local ID, enter 1.1.1.1.

  13. For Local subnet, select the local IP host you configured.

    Local gateway settings.

  14. Under Remote gateway, for Gateway address, enter the branch office gateway 172.20.20.1.

  15. Set Remote ID type to IP address.
  16. For Remote ID, enter 2.2.2.2.

  17. For Remote subnet, select the remote IP host you configured.

    Remote gateway settings.

  18. Click Save.

    The connection appears on the list of IPsec connections.

  19. Click the status button Activate or deactivate connection. to activate the connection.

    Activate the connection.

Edit firewall rule to create inbound rule

Edit the automatically created firewall rule when you saved the IPsec connection. You'll save it as a rule to allow inbound VPN traffic. Since you've set the IPsec connection to Respond only, you need a firewall rule to allow inbound traffic from the branch office.

  1. Go to Rules and policies > Firewall rules and click the IPsec HQ to Branch rule.

    Select the rule.

  2. (Optional) Change the rule name.

  3. Set Source zones to VPN.
  4. Set Source networks and devices to Branch_LAN.
  5. Set Destination zones to LAN.
  6. Set Destination networks to HQ_LAN.

  7. Click Save.

    Inbound firewall rule.

Note

If you already have a firewall rule to allow inbound VPN traffic, you can add the remote subnet to its Source networks and devices and the local subnet to Destination networks. You don't need to create an independent firewall rule for each IPsec connection.

Allow ping through VPN

To check tunnel connectivity, you can ping a remote IP address through the VPN connection you created.

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select VPN.
  3. Click Apply.

Branch office configuration

Configure the LANs

Create the hosts for the branch office and head office networks at the branch office.

  1. Go to Hosts and services > IP host and click Add.

  2. Configure the IP hosts for the local and remote subnets as follows:

    Setting IP host 1 IP host 2
    Name Branch_LAN HQ_LAN
    IP version IPv4 IPv4
    Type Network Network
    IP address 192.20.20.0 192.10.10.0

  3. Click Save.

Add an IPsec connection

You create and activate an IPsec connection at the branch office.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select IPv4.
  4. Select Create firewall rule.
  5. Set Connection type to Site-to-site.

  6. Set Gateway type to Initiate the connection.

    General settings.

  7. Set Profile to Branch office (IKEv2).

  8. Set Authentication type to Preshared key.

  9. Paste the preshared key you've used in the head office firewall and repeat it.

    Encryption settings.

  10. For Listening interface, select the local interface Port1 - 172.20.20.1.

  11. Set Local ID type to IP address.

    You must select the ID type you've selected in the head office firewall.

  12. For Local ID, enter 2.2.2.2.

  13. For Local subnet, select the local IP host you configured.

    Local gateway settings.

  14. Under Remote gateway, for Gateway address, enter the head office gateway (172.10.10.1).

  15. Set Remote ID type to IP address.
  16. For Remote ID, enter 1.1.1.1.

  17. For Remote subnet, select the remote IP host you configured.

    Remote gateway settings.

  18. Click Save.

    The connection appears on the list of IPsec connections.

  19. Click Status Button to activate or deactivate connection. to activate the connection.

Edit firewall rule to create outbound rule

Edit the automatically created firewall rule when you saved the IPsec connection. You'll save it as a rule to allow outbound VPN traffic. because you've set the IPsec connection to initiate the connection.

  1. Go to Rules and policies > Firewall rules and click the IPsec Branch to HQ rule.
  2. (Optional) Change the rule name.
  3. Set Source zones to LAN.
  4. Set Source networks and devices to Branch_LAN.
  5. Set Destination zones to VPN.
  6. Set Destination networks to HQ_LAN.

  7. Click Save.

    Outbound firewall rule.

Note

If you already have a firewall rule to allow outbound VPN traffic, you can add the local subnet to its Source networks and devices and the remote subnet to Destination networks.

Allow ping through VPN

  1. Go to Administration > Device access.
  2. Under Ping/Ping6, select VPN.
  3. Click Apply.

Check tunnel's connectivity

  • In the head office and branch office firewalls, check that you can ping the remote subnet.

    Example

    On the CLI, enter 5 for Device console, then enter 3 for Advanced shell.

    In the head office firewall, enter the following command: ping 192.20.20.2

    In the branch office firewall, enter the following command: ping 192.10.10.2

  • Click Rules and policies and go to the firewall rule you created to see the traffic.