```
+----------------+                        +----------------+
|                |                        |                |
|  LAN - Site A  |                        |  LAN - Site B  |
| 192.168.10.0/24|                        | 192.168.20.0/24|
|                |                        |                |
+-------+--------+                        +--------+-------+
        |                                          |
        |                                          |
        |                                          |
+-------+----------+   IPsec VPN Tunnel   +--------+---------+
|   Sophos FW      |======================|   OPNsense FW    |
| WAN: 203.0.113.1 |                      | WAN: 198.51.100.1|
+------------------+                      +------------------+
        |                                          |
        |                                          |
        |                                          |
      Internet (public network, encrypted traffic only)
```
Here is a complete step-by-step tutorial to configure a Site-to-Site VPN between:
- Sophos Firewall (Sophos XGS, UTM, or similar)
- OPNsense Firewall
We'll cover both using IPsec VPN, which is the most stable and compatible method.
Step 1: Prepare Prerequisites
Network Example

| Site | LAN Subnet | Firewall | Public IP |
|---|---|---|---|
| Site A (Sophos) | 192.168.10.0/24 | Sophos | 203.0.113.1 |
| Site B (OPNsense) | 192.168.20.0/24 | OPNsense | 198.51.100.1 |

Adapt IPs and subnets to your case.
Step 2: Configure Sophos Firewall (Site A)
A. Create IPsec Connection
- Go to Site-to-Site VPN → IPsec → Connections.
- Click Add.
General Settings
- Connection Type: Site-to-Site
- Policy: Custom or DefaultHeadOffice (IKEv2 recommended)
- Authentication Type: Preshared Key
- Preshared Key: a strong password (the example value `MySuperStrongKey123!` is a placeholder; use your own long, random key)
Gateway Settings
- Local Gateway: WAN Port or IP (203.0.113.1)
- Remote Gateway: 198.51.100.1 (OPNsense Public IP)
Local/Remote Subnets
- Local Subnet: 192.168.10.0/24
- Remote Subnet: 192.168.20.0/24
Phase 1 (IKE SA) Settings
- IKE Version: IKEv2
- Encryption: AES256
- Authentication: SHA256
- DH Group: 14 or higher (2048 bits)
- Key Lifetime: 28800 seconds (default)
Phase 2 (IPsec SA) Settings
- Encryption: AES256
- Authentication: SHA256
- PFS Group: 14
- Key Lifetime: 3600 seconds
B. Save & Enable
- Save the tunnel.
- Enable the connection.
Step 3: Configure OPNsense Firewall (Site B)
A. Go to VPN → IPsec → Tunnels
Phase 1 (IKE SA)
- Key Exchange Version: IKEv2
- Remote Gateway: 203.0.113.1 (Sophos Public IP)
- Authentication Method: Mutual PSK
- Preshared Key: same as Sophos (`MySuperStrongKey123!`)
- My Identifier: IP address (198.51.100.1)
- Peer Identifier: IP address (203.0.113.1)
Phase 1 Proposal (Algorithms)
- Encryption Algorithm: AES256
- Hash Algorithm: SHA256
- DH Group: 14
- Lifetime: 28800 seconds
Phase 2 (Child SA)
- Local Network: 192.168.20.0/24
- Remote Network: 192.168.10.0/24
Phase 2 Proposal (Algorithms)
- Encryption Algorithm: AES256
- Hash Algorithm: SHA256
- PFS Key Group: 14
- Lifetime: 3600 seconds
B. Save & Apply
- Apply changes.
- Enable IPsec service: VPN → IPsec → Status → enable.
Step 4: Firewall Rules
Sophos
- Go to Rules and Policies → Firewall Rules.
- Allow:
  - From: LAN, To: VPN
  - From: VPN, To: LAN
OPNsense
- Go to Firewall → Rules → IPsec.
- Add a rule:
  - Source: 192.168.10.0/24
  - Destination: 192.168.20.0/24
  - Action: Pass
- Also, ensure that Firewall → Rules → LAN allows traffic to 192.168.10.0/24.
Step 5: Testing & Verification
On Both Sides
- Ping from 192.168.10.x to 192.168.20.x and vice versa.
- Check:
  - Sophos: Site-to-Site VPN → IPsec → Connection Status.
  - OPNsense: VPN → IPsec → Status Overview.
Logs
- Sophos: Log Viewer → IPsec
- OPNsense: System → Log Files → IPsec
Step 6: Troubleshooting Tips

| Issue | Possible Cause | Fix |
|---|---|---|
| Tunnel not coming up | Wrong PSK, identifiers | Double-check PSK and IDs |
| No traffic between LANs | Firewall rules missing | Add firewall rules on both sides |
| Phase 1 success, Phase 2 fails | Mismatched encryption settings | Align Phase 2 proposals |
| Tunnel keeps dropping | NAT traversal issues | Enable NAT-T on both sides |
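Steps 2 and 3 and the first three rows of the table above come down to one rule: everything one peer calls "local" the other must call "remote", and the Phase 1 and Phase 2 proposals must agree. The following Python script is an added example, not part of the original tutorial or of either vendor's tooling; it holds the tutorial's values as hand-transcribed dictionaries (the field names are this example's own, not a Sophos or OPNsense export format) and reports the mismatches behind each symptom.

```python
import ipaddress

# Both sides transcribed by hand from Step 2 (Sophos) and Step 3 (OPNsense).
# The dictionary keys are this example's own naming, not a vendor export format.
SOPHOS = {
    "local_gw": "203.0.113.1", "remote_gw": "198.51.100.1",
    "local_subnet": "192.168.10.0/24", "remote_subnet": "192.168.20.0/24",
    "ike_version": 2, "psk": "MySuperStrongKey123!",
    "p1": {"enc": "AES256", "auth": "SHA256", "dh": 14, "lifetime": 28800},
    "p2": {"enc": "AES256", "auth": "SHA256", "pfs": 14, "lifetime": 3600},
}
OPNSENSE = {
    "local_gw": "198.51.100.1", "remote_gw": "203.0.113.1",
    "local_subnet": "192.168.20.0/24", "remote_subnet": "192.168.10.0/24",
    "ike_version": 2, "psk": "MySuperStrongKey123!",
    "p1": {"enc": "AES256", "auth": "SHA256", "dh": 14, "lifetime": 28800},
    "p2": {"enc": "AES256", "auth": "SHA256", "pfs": 14, "lifetime": 3600},
}

def check_tunnel(a, b):
    """Return the list of mismatches between peers a and b (empty = consistent)."""
    problems = []
    # Phase 1 (IKE SA): each side's local gateway must be the other's remote
    # gateway / peer identifier, and IKE version, PSK and proposal must agree.
    if a["local_gw"] != b["remote_gw"] or b["local_gw"] != a["remote_gw"]:
        problems.append("Phase 1: gateway addresses / peer identifiers are not mirrored")
    if a["ike_version"] != b["ike_version"]:
        problems.append("Phase 1: IKE version differs")
    if a["psk"] != b["psk"]:
        problems.append("Phase 1: preshared keys differ")
    for key in ("enc", "auth", "dh"):
        if a["p1"][key] != b["p1"][key]:
            problems.append(f"Phase 1: {key} proposal differs")
    # Phase 2 (Child SA): traffic selectors must be mirror images and the ESP
    # proposal (including the PFS group) must agree, otherwise Phase 1 succeeds
    # and Phase 2 fails, the third row of the troubleshooting table.
    net = ipaddress.ip_network
    if (net(a["local_subnet"]) != net(b["remote_subnet"])
            or net(a["remote_subnet"]) != net(b["local_subnet"])):
        problems.append("Phase 2: local/remote subnets are not mirrored")
    for key in ("enc", "auth", "pfs"):
        if a["p2"][key] != b["p2"][key]:
            problems.append(f"Phase 2: {key} proposal differs")
    # Lifetimes are deliberately not compared: under IKEv2 each peer rekeys on
    # its own timer, so differing lifetimes do not break the tunnel.
    return problems

if __name__ == "__main__":
    print(check_tunnel(SOPHOS, OPNSENSE) or "no mismatches found")
```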
Conclusion
You now have a fully configured site-to-site IPsec VPN between Sophos and OPNsense. This setup ensures:
- Secure traffic between both LANs.
- Scalability for additional networks.
- Interoperability between firewalls.