IPsec site-to-site connection, two initiators

Question

Hello Community, 
 the setup guides and the IPsec settings for our XGS3100 Firewall confuse me. 
 I want to setup a IPsec Site-to-Site tunnel to connect to our Site in another city. Both sites have new XGS3100 Firewalls running SFOS 19.5.1. 
 The configuration for IPsec Site-to-Site asks for a Gateway type, either Respond only or Initiate the Connection. Since we want both sites to be able to initiate the buildup if the p1 and p2 tunnels, as both sites host services that users of the other one occasionally need to access. 
 In what i have learned and experienced so far IPsec connections are initiated when packets on one side need it to be open, which can happen on either side, and have never before had to select an initiator and a responder. The resources i found so far haven't helped much either, stating that the central location should be the responder and that its not recommended to set both sites to intitiate the connection, but i can't figure out why, or what side effects that would have. 
 Does anyone have experience with setting up a site-to-site connection like this an ran into a similar issue, or have been taught wrong? 
 
 Cheers 
 Thorben

Raphael Alganes · Accepted Answer

Hello Thorben, 
 Good day and thanks for reaching out to Sophos Community, hope you are well. 
 There are certain use cases such as where the HQ Firewall is set to Respond only and branches needs to be the initiator, use cases are some FW on branches has no static public IP they are using dynamic assigned by ISP and they are Nat'ed behind the ISP router so being a responder on branch FW would not be feasible to achieve/establish a tunnel with HQ 
 Each use case can differ from each other, You may also use this RR as additional reference: Best practice for site-to-site policy-based IPsec VPN 
 Hope this helps. Many thanks for your time and patience and thank you for choosing Sophos 
 Cheers,

LuCar Toni · Answer

Essentially there is no problem in having both sites as initiators. 
 In bigger setups (like a star topology) you are likely want to configure the HQ as Respond only. The reason is: If you have Multiple firewalls connecting to your HQ, you do not want to have the HQ to reach out to one site, which could be offline for whatever reason. So the HQ is always reachable, but a BO could be offline for multiple times. So it will not "flood the logs with "unreachable". Sometimes the BO is not reachable anyway, due the NAT scenario.

IPsec site-to-site connection, two initiators

Top Replies