We have an existing XG 135 at our main office and have an XGS 136 at a branch office. We're thinking about creating a Site-to-Site link between them.
I've watched a video about it (https://techvids.sophos.com/watch/K1Vew1V3e1Pgu3f2fG2K2p) and note that the IP address of the branch office is entered into the main office configuration. We don't have a static IP address at the branch office, would a dynamic DNS host name work?
Also, we would rather the connection from the branch office is unidirectional so it allows access to servers in the main office in the same way as if using Sophos Connect on a client PC. We don't need or want to be able to access the branch office from the main office network. Is this possible, and if so do we need to do any configuration on the main office UTM as IPsec is already configured for remote access? Can the secondary UTM simply act as a client to that?
Hi Alan, Thanks for reaching out to Sophos Community.
You can use a DynamicDNS on the branch firewall and define it in the HQ Firewall as the remote gateway. Configure HQ firewall as Responder and Branch FW as Initiator. I have seen scenarios where this setup works.
For the unidirectional communication, on the Branch firewall, you can do this just by adding only one LAN to VPN rule that'll allow traffic from your local LAN to the Remote network over VPN. All the available options for VPN that connect two Firewalls apart from IPSEC (RED Site to Site and SSL VPN Site to Site), works by adding routes to access the remote location. So there's no site-to-site connection option available that is by default unidirectional only. :)
Hope this helps..
That is very helpful.
I am revisiting this and had a first attempt at the connection between the two sites.
These are the steps that I tried using the wizard at both ends:
Head Office UTM
1. Site-to-site with "Head office" as base location which selected DefaultHeadOffice policy and RespondOnly action.
2. Set pre-shared key.
3. Selected existing hosts in "local network details" that the branch office should be able to access at head office.
4. Did not want to select anything for "remote network details" as I don't want head office to be able to access branch office. However, it was a mandatory option and I selected a host that does not exist at the branch side.
5. User authentication left as disabled.
Branch Office UTM
1. Site-to-site with "Branch office" as base location which selected DefaultBranchOffice policy and Initiate action.
2. Used same pre-shared key as set for head office.
3. Did not want to selected anything for "local network details" for same reason as I did not want to set "remote network details" in head office but had to select something - I chose an arbitrary host for now.
4. Defined head office hosts to match those selected in head office configuration. These were selected in "remote network details".
I was able to activate both ends but neither could connect and gave the message "IPsec connection could not be established". I did not create any new firewall rules but there was already one configured for the remote IPsec configuration.
I would appreciate your advice on what I may have done wrong in this first attempt. Note that it is important that the head office can't access the branch office so in particular I would like to know the appropriate way to handle the "remote network details" at head office end and "local network details" at branch end in the wizards.