
IPsec site-to-site connection, two initiators

Hello Community,

The setup guides and the IPsec settings for our XGS3100 Firewall confuse me.

I want to set up an IPsec Site-to-Site tunnel to connect to our site in another city. Both sites have new XGS3100 Firewalls running SFOS 19.5.1.

The configuration for IPsec Site-to-Site asks for a Gateway type, either Respond only or Initiate the Connection. We want both sites to be able to initiate the buildup of the P1 and P2 tunnels, as both sites host services that users of the other one occasionally need to access.

From what I have learned and experienced so far, IPsec connections are initiated when packets on one side need the tunnel to be open, which can happen on either side, and I have never before had to select an initiator and a responder. The resources I found so far haven't helped much either, stating that the central location should be the responder and that it's not recommended to set both sites to initiate the connection, but I can't figure out why, or what side effects that would have.

Does anyone have experience with setting up a site-to-site connection like this and ran into a similar issue, or have I been taught wrong?

Cheers

Thorben



  • Hello Thorben,

    Good day and thanks for reaching out to Sophos Community, hope you are well.

    There are certain use cases where the HQ firewall is set to Respond only and the branches need to be the initiator. For example, some branch firewalls have no static public IP; they use a dynamic IP assigned by the ISP and are NAT'ed behind the ISP router, so being a responder on the branch FW would not be feasible for establishing a tunnel with HQ.

    Each use case can differ from the others. You may also use this RR as an additional reference: Best practice for site-to-site policy-based IPsec VPN

    Hope this helps. Many thanks for your time and patience, and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • In our case both sites have static public IPs, so having both FWs set to initiate the connection would be the correct configuration for us and would not cause problems, correct?

    Thank you for your time

    Regards

    Thorben

  • Essentially there is no problem in having both sites as initiators.

    In bigger setups (like a star topology) you will likely want to configure the HQ as Respond only.
    The reason is: if you have multiple firewalls connecting to your HQ, you do not want the HQ to reach out to one site, which could be offline for whatever reason. The HQ is always reachable, but a BO could be offline multiple times, so this way it will not flood the logs with "unreachable". Sometimes the BO is not reachable anyway, due to the NAT scenario.
