Greetings and thanks for reading!
I'll have to start by asking for some patience as I'm new to the Sophos firewall platform. I'm going to provide a lot of detail to make sure I don't miss something important. I work for a small university and am trying to establish a VPN tunnel between our main campus and an annex location. The main campus currently has a Sonicwall SuperMassive 9200 (which will be replaced by a Sophos XGS 4500 - but that's down the road).
I've run through the initial setup on the Sophos using the setup wizard and set the firewall to run in Router mode.
Here's my current config:
Main Campus
WAN IP : 64.x.x.x
LAN IP: 205.x.x.x/29
Local subnets: 10.193.x.x, 10.1.x.x, 10.160.x.x, 172.17.x.x, 172.19.x.x
*these subnets must be able to traverse the VPN. The 172.x.x.x subnets are Wi-Fi addresses that are only assigned from the DCs at the main campus.
Annex
WAN IP: 23.x.x.x
LAN IP: 10.192.x.x/24
Local Subnets: 10.234.x.x, 10.162.x.x, 10.1.x.x
I have already done a lot of digging into how to connect the tunnel between the Sophos and Sonicwall and have created the following IPsec Profile:

I've created matching entries on the Sonicwall and adjusted the key life to avoid collisions.
I've created the IPsec connection using the profile. I've set the Sophos as the initiator, provided the pre-shared key, set the listening port to the Sophos WAN port and entered the Sonicwall WAN IP as the Remote Gateway.
I have added a firewall rule to allow VPN traffic from 205.x.x.x/29 to LAN @ 10.192.x.x/24
****Now, we can finally get to my questions!****
I need to assign an IP address to the XFRM1 virtual interface. Does it matter what this address is? In the examples I've seen, addresses such as 3.3.3.3 or 4.4.4.4 were assigned, but these are valid public IP addresses. Does it matter?
Do I need to add the local subnets into the firewall rule mentioned above? For example, does 10.160.x.x from the Main Campus need to also be added into the allowed traffic from VPN? Likewise, does 10.234.x.x from the Annex need to be added to the LAN portion of the rule?
I know that I will then need to create a static route, but from what to what? Do I only create a route from 205.x.x.x/29 to the XFRM1 interface, or do I need to create a route for each possible subnet on the Main Campus through the XFRM1?
Furthermore, since I have multiple local subnets behind the Sophos XGS, do I need to create routes for each of those through the LAN interface?
Thank you so much for reading through this rather lengthy post for what is probably basic knowledge in this realm!
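The routing and firewall-rule questions above come down to two independent checks that any route-based VPN performs: the routing table (longest-prefix match) decides whether a packet is sent to the xfrm tunnel interface at all, and a firewall rule then decides whether the flow between the chosen zones is permitted. The following script is an added example, not code from the original post or from Sophos or SonicWall, that models both checks so each subnet in the post can be tested. All addresses are constructed stand-ins: the post masks them as x.x, so /16 prefixes are assumed for the 10.x.x.x ranges, 203.0.113.0/29 (documentation space) stands in for 205.x.x.x/29, and the interface names Port1_WAN, Port2_LAN and xfrm1 are assumed labels.

```python
"""Added example: model route-based IPsec forwarding through a virtual
tunnel interface (xfrm1) plus a zone firewall rule.

All addresses are constructed stand-ins for the masked values in the post.
"""
from ipaddress import ip_address, ip_network

# Annex-side subnets (10.192.0.0/24 per the post; /16 assumed for x.x ranges)
ANNEX_LOCAL = [ip_network(n) for n in (
    "10.192.0.0/24", "10.234.0.0/16", "10.162.0.0/16", "10.1.0.0/16")]

# Main-campus subnets that must traverse the tunnel (203.0.113.0/29 is a
# documentation-range stand-in for the masked 205.x.x.x/29 LAN block)
MAIN_REMOTE = [ip_network(n) for n in (
    "203.0.113.0/29", "10.193.0.0/16", "10.1.0.0/16", "10.160.0.0/16",
    "172.17.0.0/16", "172.19.0.0/16")]


def lookup(routes, dst):
    """Longest-prefix match. routes is a list of (network, interface)."""
    dst = ip_address(dst)
    matches = [(net, iface) for net, iface in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_routes(remote_routes):
    """Routing table as the annex firewall would see it: connected LAN
    subnets, static routes for remote subnets via xfrm1, default via WAN."""
    routes = [(n, "Port2_LAN") for n in ANNEX_LOCAL]
    routes += [(ip_network(n), "xfrm1") for n in remote_routes]
    routes.append((ip_network("0.0.0.0/0"), "Port1_WAN"))
    return routes


def tunnel_egress(remote_routes, dst):
    """Interface a packet to dst leaves on, given the static routes
    (as prefix strings) that point at xfrm1."""
    return lookup(build_routes(remote_routes), dst)


def overlapping_subnets(local, remote):
    """Subnets present on both ends of the tunnel. Routing cannot
    disambiguate these: a route to such a prefix via xfrm1 competes with
    the connected LAN route of the same length."""
    return sorted({str(l) for l in local for r in remote if l.overlaps(r)})


def permitted(rules, src, dst):
    """First-match rule base; rules are (src_nets, dst_nets, action).
    Anything not matched is dropped (implicit deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for src_nets, dst_nets, action in rules:
        if any(src in n for n in src_nets) and any(dst in n for n in dst_nets):
            return action == "allow"
    return False


# The single rule described in the post: VPN 205.x/29 -> LAN 10.192.x/24
POST_RULE = [([ip_network("203.0.113.0/29")],
              [ip_network("10.192.0.0/24")], "allow")]

# Widened rule covering every subnet on each side
FULL_RULE = [(MAIN_REMOTE, ANNEX_LOCAL, "allow")]


if __name__ == "__main__":
    # Only the /29 routed via xfrm1: a packet for 10.160.x falls to the
    # default route and leaves the WAN in the clear instead of the tunnel.
    print("10.160.5.5 with one route :", tunnel_egress(["203.0.113.0/29"], "10.160.5.5"))
    print("10.160.5.5 with per-subnet:", tunnel_egress(
        ["203.0.113.0/29", "10.160.0.0/16"], "10.160.5.5"))
    print("overlapping subnets       :", overlapping_subnets(ANNEX_LOCAL, MAIN_REMOTE))
    print("post rule, to 10.192.0.10 :", permitted(POST_RULE, "203.0.113.2", "10.192.0.10"))
    print("post rule, to 10.234.1.1  :", permitted(POST_RULE, "203.0.113.2", "10.234.1.1"))
    print("full rule, 10.160 -> 10.234:", permitted(FULL_RULE, "10.160.5.5", "10.234.1.1"))
```

Two things the model makes visible: a destination with no route via xfrm1 is not "blocked", it simply follows the default route out of the WAN port unencrypted, so each remote subnet (or a summary covering them) needs its own route to the tunnel interface; and 10.1.x.x, which the post lists on both the main campus and the annex, is reported by overlapping_subnets because the longest-prefix check cannot tell the two apart, so that range should be renumbered or NATed before the tunnel is relied on for it.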