Sophos XG IPsec VPN to Google Cloud Platform

Just a very quick how-to


Let's concentrate on the Google Cloud Platform first:

Navigate to Networking>Hybrid Connections>VPN and click on the +Create button 

  • Name: Anything lowercase , numbers and hyphens (no spaces)
  • Description: Go nuts
  • Network: Either pick your virtual network or use "Default"
  • Region: Same region as your VM's/services
  • IP address: If you already have a reservation here and its free you can pick it, or create new reservation by clicking "create IP Address" 

In the Tunnels Section:

  • Name: Anything lowercase , numbers and hyphens (no spaces)
  • Description: Again go nuts
  • Remote peer IP address: your XG's external IP
  • IKE version: IKEv2 
  • Shared Secret: enter a secret here or click "Generate" (and copy it someplace safe as we will need this a little later)
  • Routing options: Policy base - enter your remote and local networks

Click done and the platform will spin the VPN config into life.


On your XG Navigate to Configure>VPN> IPsec Connections:

  • Click Add
  • Name: something suitable please :)
  • Description: 
  • IP Version: IPv4
  • Connection Type: Site-to-Site
  • Gateway Type: Respond Only
  • Policy: Cloned/modified IKEv2 - *See notes below, save and use your cloned policy
  • Authentication Type: Preshared Key - And add the secret you either entered or generated earlier 
  • Local Gateway: your WAN Port/IP
  • Local ID TYPE/Local ID - not used
  • Gateway Address: Your Google IP Address (you can find this on your GCP VPN page)
  • Remote ID Type/ Remote ID - not used
  • Add your local & remote networks as needed


*With the default IKEv2 policy I could not get the tunnel up - luckily looking at the logs showed that the GCP end only wanted to use DH2048 so cloning the IKEv2 policy and removing all but  DH2048 out of the DH Group selection fixed this.

Once complete, save and switch on the VPN. The Google end may take a little time at first to bring up the tunnel and you may see "Waiting for full config" for a few mins before it successfully reports its up.

Don't forget your firewall rules.

Hope this helps, regards