Setting up site-to-site on Sophos XG

Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

Configuring at the Sophos XG Interface

1. Go to the Sophos XG interface and add a local and remote LAN

2. Go to Hosts and Services > IP Host and select Add to create the local LAN

3. Go to Hosts and Services > IP Host and select Add to create the NordLayer LAN (10.6.0.0/20)

4. Create an IPsec VPN connection

5. Go to VPN > IPsec Connections and select Wizard.

6. Give it a name and description

7. Click Start to follow the wizard

8. Select Site To Site as a connection type and select Head Office

9. Set the Authentication Type to preshared key (generate this value as we will also need this value on our end)

12. In the User Authentication Mode field, choose Disabled

13. Review the IPsec connection summary and click Finish

14. Click the Status (Active) to activate the connection

15. Add two firewall rules allowing VPN traffic

16. Go to Firewall and click +Add Firewall Rule

17. Create two user/network rules as shown below

First Rule:

Click Save.

Second Rule:

Click Save.

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

• Pre-shared key - you can generate it or we can provide it
• Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
• Remote gateway/router public IP (must be reachable while connected to the dedicated server)
• Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.