Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Site-to-site VPN

You can configure policy-based (host-to-host and site-to-site) IPsec VPNs, route-based IPsec VPNs, and SSL VPNs. You can also create RED tunnels between the main office and the branch offices.

IPsec VPN

Policy-based VPN: Encrypts traffic passing through the listening interface based on the firewall rule and the local and remote subnets specified in the matching IPsec connection. Use these to connect small networks.

Route-based VPN: Encrypts traffic passing through the virtual tunnel interfaces established based on the configuration. Static, dynamic, and SD-WAN policy routes determine the traffic sent through these interfaces. Use these to connect large, dynamic networks.

Prerequisites for policy-based and route-based IPsec connections: Use the default IPsec profiles or create custom profiles for the phase 1 and phase 2 security settings.

Post-requisites for policy-based and route-based IPsec connections: Optionally, add a VPN failover group to configure redundant tunnels.

Route system-generated traffic through IPsec tunnels:

SSL VPN

Site-to-site SSL VPN: Establishes SSL/TLS connections between two Sophos Firewall devices in a client-server configuration.

RED tunnels

Remote Ethernet Device (RED): Provides a secure tunnel between a remote site and Sophos Firewall. You can configure and install RED appliances. Alternatively, you can create a site-to-site RED tunnel between two Sophos Firewall devices in a client-server configuration.

More resources