Setting up site-to-site on Sophos XG
  • 1 Minute to read

Setting up site-to-site on Sophos XG


Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

Configuring at the Sophos XG Interface

  1. Go to the Sophos XG interface and add a local and remote LAN

  2. Go to Hosts and Services > IP Host and select Add to create the local LAN

01 Setting up site-to-site on Sophos XG.png

  1. Go to Hosts and Services > IP Host and select Add to create the NordLayer LAN (10.6.0.0/20)

02 Setting up site-to-site on Sophos XG.png

  1. Create an IPsec VPN connection

  2. Go to VPN > IPsec Connections and select Wizard.

03 Setting up site-to-site on Sophos XG.png

  1. Give it a name and description

04 Setting up site-to-site on Sophos XG.png

  1. Click Start to follow the wizard

05 Setting up site-to-site on Sophos XG.png

  1. Select Site To Site as a connection type and select Head Office

06 Setting up site-to-site on Sophos XG.png

  1. Set the Authentication Type to preshared key (generate this value as we will also need this value on our end)

07 Setting up site-to-site on Sophos XG.png

08 Setting up site-to-site on Sophos XG.png

09 Setting up site-to-site on Sophos XG.png

  1. In the User Authentication Mode field, choose Disabled

  2. Review the IPsec connection summary and click Finish

  3. Click the Status (Active) to activate the connection

10 Setting up site-to-site on Sophos XG.png

  1. Add two firewall rules allowing VPN traffic

  2. Go to Firewall and click +Add Firewall Rule

11 Setting up site-to-site on Sophos XG.png

  1. Create two user/network rules as shown below

First Rule:

12 Setting up site-to-site on Sophos XG.png

13 Setting up site-to-site on Sophos XG.png

14 Setting up site-to-site on Sophos XG.png

Click Save.

Second Rule:

15 Setting up site-to-site on Sophos XG.png

16 Setting up site-to-site on Sophos XG.png

17 Setting up site-to-site on Sophos XG.png

Click Save.

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


Was this article helpful?