PRODUCTS (HTTPS://WWW.SOPHOS.COM) SOLUTIONS (HTTPS://WWW.

S
(https://www.sophos.com) /SOLUTIONS.ASPX) PARTNERS (HTTPS://WWW.SOPH
US/PARTNERS.ASPX) COMPANY (HTTPS://WWW.SOPHOS.COM/EN-US/COMP
Search... LLO
OGGIIN
N
HOME (/SUPPORT/S/)

Sophos Firewall: Set a Site-to-Site IPsec VPN connection using a

preshared key
KB-000035717 2022年4月11日 3 people found this article helpful

English

Ove r v i ew
This article contains the steps to configure a site-to-site IPsec VPN connection using a preshared key as an authentication method for VPN
peers.

The following sections are covered:

 
• Configuring Sophos Firewall 1
• Configuring Sophos Firewall 2
• Establishing the IPsec connection
• Results

P ro d u c t a n d E nvi ro n m e nt
Sophos Firewall
 
C o n fi g u r i n g S o p h o s F i rewa l l 1

Add local and remote LAN

Go to H
Hoossttss aanndd S
Seerrvviicceess >> IIP
PHHoosstt and select A
Adddd to create the local LAN.

Go to H
Hoossttss aanndd S
Seerrvviicceess >> IIP
PHHoosstt and select A
Adddd to create the remote LAN.

 
Create an IPsec VPN connection
Go to VVP
PNN >> IIP
Psseecc C
Coonnnneeccttiioonnss and select W
Wiizzaarrdd. Give it a name and click S
Sttaarrtt to follow the wizard.
 

Select S Siittee TToo S

Siittee as a connection type and select H
Heeaadd
O
Offfificcee.
  

Set the A
Auutthheennttiiccaattiioonn TTyyppee to preshared key.
 

In the LLooccaall S
Suubbnneett field, select the local LAN created earlier.  

In the RReem
moottee S
Suubbnneett field, select the remote LAN created
 
earlier.

In the U
Usseerr A
Auutthheennttiiccaattiioonn M
Mooddee field, select D
Diissaabblleedd.  

Review the IPsec connection summary and click FFiinniisshh.  

By clicking FFiinniisshh, the following screen is displayed, showing the above-created connection.

Click the under S

Sttaattuuss ((A
Accttiivvee)) to start the connection.

 
Add two firewall rules allowing VPN traffic
Go to FFiirreew
waallll and click ++A
Adddd FFiirreew
waallll R
Ruullee. Create two user/network rules as shown below.
 
C o n fi g u r i n g S o p h o s F i rewa l l 2

Add local and remote LAN

Go to H
Hoossttss aanndd S
Seerrvviicceess >> IIP
PHHoosstt and select A
Adddd to create the local LAN.

Go to H
Hoossttss aanndd S
Seerrvviicceess >> IIP
PHHoosstt and select A
Adddd to create the remote LAN.

 
Create an IPsec VPN connection
Go to VVP
PNN >> IIP
Psseecc C
Coonnnneeccttiioonnss and select W
Wiizzaarrdd. Give it a name and click S
Sttaarrtt to follow the wizard.
 
Select S Siittee TToo S
Siittee as a connection type and select B
Brraanncchh
OOfffificcee.
 

Set the A
Auutthheennttiiccaattiioonn TTyyppee to preshared key.

Make sure to use the same preshared key as in Sophos Firewall

1.
 

In the LLooccaall S
Suubbnneett field, select the local LAN created earlier.   

In the RReem
moottee S
Suubbnneett field, select the remote LAN created
earlier.
 In the U
Usseerr A
Auutthheennttiiccaattiioonn M
Mooddee field, select D
Diissaabblleedd.  

Review the IPsec connection summary and click FFiinniisshh.  

By clicking FFiinniisshh, the following screen is displayed, showing the above-created connection.

Click the under S

Sttaattuuss ((A
Accttiivvee)) to start the connection.

 
Add two firewall rules allowing VPN traffic
Go to FFiirreew
waallll and click ++A
Adddd FFiirreew
waallll R
Ruullee. Create two user/network rules as shown below.
 
Establishing the IPsec connection
Once both Sophos Firewall devices at the head and branch offices are configured, establish the IPsec connection between them. Go to VVP
PNN >>

  IIP
Psseecc C
Coonnnneeccttiioonnss and click the under S
Sttaattuuss ((C
Coonnnneeccttiioonn)).
 
Results
A ping test from a device behind Sophos Firewall 1 to a device behind Sophos Firewall 2 and vice versa should work.
 

Go to FFiirreew
waallll and verify that VPN rules allow ingress and egress traffic.

Go to R
Reeppoorrttss >> VVP
PNN and verify the IPsec usage.
R E L AT E D A R T I C L E S

Sophos Firewall: Configure a Site-to-site IPsec VPN connection between Sophos Firewall and UTM using a preshared key (/support/s/article
258
/KB-000036746)

Click on the connection name for details.

Sophos Firewall: Establish a Site-to-Site IPsec VPN connection using digital certificates (/support/s/article/KB-000035715) 229

Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection using RSA Keys (/support/s/article/KB-000035716) 115

Sophos Firewall: Apply NAT over a site-to-site IPsec VPN connection (/support/s/article/KB-000035848) 224

Sophos Firewall: Configure an IPsec VPN failover with multiple connections (/support/s/article/KB-000035828) 1.19K

Quick Links

Support Downloads

NNoottee:: Sample Submissions

 
Sophos Community
• Make sure that VPN firewall rules are on the top of the Firewall Rule list.
• In a head and branch office configuration, the Sophos Firewall on the branch office usually acts as the tunnel initiator and the Sophos
Sophos Labs
Firewall on the head office as a responder due to the following reasons:
◦ When the branch office device is configured with a dynamic IP address, the head office device cannot start the connection.
Sophos Trust Center
◦ As the branch offices' number vary, it is recommended that each branch office retry the connection instead of the head office retrying
all connections
Support to branch
Portal offices. 
User Guide
R
Reellaatteedd iinnffoorrm
maattiioonn
Twitter Support
• Sophos Firewall: How to enable IKEv2 for IPsec VPN (KB-000036987)
• Sophos Firewall: How to change firewall rule order (KB-000036669)
• Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection using RSA Keys (KB-000035716)

Sign up to the Sophos Support Notification Service (https://centralstatus.sophos.com/smscodeverification) to get the latest product release
information and critical issues.

Previous Article ID: 123140

 Was this useful?
Yes No
W
Waanntt ttoo lleeaavvee uuss ssoom
mee ffeeeeddbbaacckk??
Please visit the Product Documentation Feedback (https://community.sophos.com/product-documentation/i/feedback)