{"id":29071,"date":"2026-03-05T15:07:55","date_gmt":"2026-03-05T08:07:55","guid":{"rendered":"https:\/\/vacif.com\/?p=29071"},"modified":"2026-03-09T14:38:43","modified_gmt":"2026-03-09T07:38:43","slug":"moi-nhat-2026-sophos-firewall-huong-dan-cau-hinh-vpn-site-to-site-giua-2-thiet-bi-sophos-firewall-firmware-v22","status":"publish","type":"post","link":"https:\/\/vacif.com\/en\/moi-nhat-2026-sophos-firewall-huong-dan-cau-hinh-vpn-site-to-site-giua-2-thiet-bi-sophos-firewall-firmware-v22\/","title":{"rendered":"[Latest 2026] Sophos Firewall: Guide to Configuring VPN Site-to-Site Between Two Sophos Firewall Devices Firmware V22"},"content":{"rendered":"<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-oiy73\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-oiy73 \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-oiy73 button-1 undefined\" data-id=\"eb-advance-heading-oiy73\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">I \u2013 Overview of the article<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<p>This article guides the configuration of <strong>IPsec Site-to-Site VPN between two Sophos Firewall XGS devices using firmware v22<\/strong>, in order to establish a secure connection between two network systems located at two different sites.<\/p>\n\n\n\n<p><strong>Objectives of the lab:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Successfully establish an <strong>IPsec tunnel between the two firewalls<\/strong>.<\/li>\n\n\n\n<li>Allow the <strong>two LAN networks at the two sites to access and exchange data with each other<\/strong>.<\/li>\n\n\n\n<li>Ensure that 
<strong>all traffic transmitted through the Internet is securely encrypted<\/strong>.<\/li>\n\n\n\n<li><strong>Check and verify the operating status of the VPN Tunnel<\/strong>.<\/li>\n\n\n\n<li>Clearly understand the <strong>operation mechanism of Phase 1 (IKE SA) and Phase 2 (IPsec SA)<\/strong> in the VPN establishment process.<\/li>\n<\/ul>\n\n\n\n<p><strong>Deployment environment:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>02 Sophos Firewall XGS (Virtual Appliance).<\/strong><\/li>\n\n\n\n<li>Installed on the <strong>Proxmox VE virtualization platform<\/strong>.<\/li>\n\n\n\n<li>Both ends use <strong>static WAN IP addresses<\/strong>, provided by a real firewall\/router to simulate a real environment.<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-5y1xh\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-5y1xh \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-5y1xh button-1 undefined\" data-id=\"eb-advance-heading-5y1xh\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">II \u2013 Network diagram<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"903\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-13.png\" alt=\"\" class=\"wp-image-29072\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-13.png 975w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-13-300x278.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-13-768x711.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-8qbrk\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-8qbrk \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-8qbrk button-1 undefined\" 
data-id=\"eb-advance-heading-8qbrk\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">III \u2013 Configuration scenario<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<p>The enterprise has <strong>two sites using two Sophos Firewall XGS devices<\/strong> connecting to the Internet through a <strong>Viettel router<\/strong> with WAN IP addresses <strong>123.123.123.11 and 123.123.123.15<\/strong> respectively.<\/p>\n\n\n\n<p>Each site has its own LAN network which is <strong>100.100.100.0\/24 and 200.200.200.0\/24<\/strong>.<\/p>\n\n\n\n<p>Currently these two networks <strong>cannot access each other through the Internet<\/strong>.<\/p>\n\n\n\n<p>The requirement is to <strong>allow the two LAN networks to communicate securely and stably<\/strong>.<\/p>\n\n\n\n<p>The solution is to <strong>deploy an IPsec Site-to-Site VPN to encrypt and connect the two systems through the Internet<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-p2o1y\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-p2o1y \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-p2o1y button-1 undefined\" data-id=\"eb-advance-heading-p2o1y\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">IV \u2013 Configuration steps<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prepare configuration information<\/li>\n\n\n\n<li>Create <strong>Network Object (Host\/Subnet)<\/strong><\/li>\n\n\n\n<li>Configure <strong>IPsec Site-to-Site VPN<\/strong><\/li>\n\n\n\n<li>Create <strong>Firewall Rule to allow LAN \u2194 VPN traffic<\/strong><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-8kdbt\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-8kdbt \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-8kdbt button-1 undefined\" data-id=\"eb-advance-heading-8kdbt\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">V \u2013 Detailed guide 
to configuring VPN site-to-site between two Sophos Firewall devices Firmware V22<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-hbhxd\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-hbhxd \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-hbhxd button-1 undefined\" data-id=\"eb-advance-heading-hbhxd\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">1. Configuration on Sophos Firewall 1<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-unl1v\"><div class=\"eb-parent-wrapper eb-parent-eb-text-unl1v \"><div class=\"eb-text-wrapper eb-text-unl1v\" data-id=\"eb-text-unl1v\"><p class=\"eb-text\">Step 1: Check the interface configuration. On <strong>Sophos Firewall 1<\/strong>, the <strong>WAN port IP is 123.123.123.11<\/strong>, and <strong>LAN is 100.100.100.1\/24<\/strong>.<\/p><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"780\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-15.png\" alt=\"\" class=\"wp-image-29074\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-15.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-15-300x250.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-15-768x640.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>Step 2: Add Local and Remote LAN Network<\/p>\n\n\n\n<p>Go to <strong>Hosts and services \u2192 IP Host \u2192 Add<\/strong> to add the <strong>local and remote LAN network<\/strong> as shown in the image below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"727\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-14.png\" alt=\"\" 
class=\"wp-image-29073\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-14.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-14-300x233.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-14-768x597.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-19.png\" alt=\"\" class=\"wp-image-29079\"\/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-4keta\"><div class=\"eb-parent-wrapper eb-parent-eb-text-4keta \"><div class=\"eb-text-wrapper eb-text-4keta\" data-id=\"eb-text-4keta\"><p class=\"eb-text\">Step 3: Go to <strong>Administration \u2192 Device Access<\/strong> and select the <strong>IPsec<\/strong> checkbox for the <strong>WAN<\/strong> zone.<\/p><\/div><\/div><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"732\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-20.png\" alt=\"\" class=\"wp-image-29078\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-20.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-20-300x235.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-20-768x601.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-uouu5\"><div class=\"eb-parent-wrapper eb-parent-eb-text-uouu5 \"><div class=\"eb-text-wrapper eb-text-uouu5\" data-id=\"eb-text-uouu5\"><p class=\"eb-text\">Step 4: Create IPsec Connection<\/p><\/div><\/div><\/div>\n\n\n\n<p>Go to <strong>Site to site \u2192 IPsec \u2192 Add<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IP Version:<\/strong> IPv4 \u2192 The tunnel uses IPv4 addresses to establish IKE and transmit ESP 
data.<\/li>\n\n\n\n<li><strong>Connection Type:<\/strong> Policy-based \u2192 Only the subnets declared in <strong>Local subnet<\/strong> and <strong>Remote subnet<\/strong> are allowed to pass through the tunnel.<\/li>\n\n\n\n<li><strong>Gateway Type:<\/strong> Respond only \u2192 This firewall does not initiate the connection, it only responds when the other side initiates it.<\/li>\n\n\n\n<li><strong>Profile:<\/strong> IKEv2 \u2192 A newer VPN standard, more stable and secure than IKEv1.<\/li>\n\n\n\n<li><strong>Authentication:<\/strong> Preshared Key (PSK) \u2192 Both firewalls use the same shared secret password.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-16.png\" alt=\"\" class=\"wp-image-29076\"\/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Listening interface:<\/strong> 123.123.123.11 \u2192 This is the WAN IP of this firewall, the firewall will wait for VPN connections at this IP.<\/li>\n\n\n\n<li><strong>Gateway address:<\/strong> 123.123.123.15 \u2192 This is the WAN IP of the other firewall, the VPN will connect to this IP.<\/li>\n\n\n\n<li><strong>Local Subnet:<\/strong> LOCAL_VLAN_100 \u2192 The internal network on this side that is allowed to pass through the VPN.<\/li>\n\n\n\n<li><strong>Remote Subnet:<\/strong> VPN_VLAN_200 \u2192 The internal network on the other side.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"729\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-18.png\" alt=\"\" class=\"wp-image-29077\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-18.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-18-300x234.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-18-768x598.png 768w\" sizes=\"auto, (max-width: 
936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-17.png\" alt=\"\" class=\"wp-image-29075\"\/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-iljad\"><div class=\"eb-parent-wrapper eb-parent-eb-text-iljad \"><div class=\"eb-text-wrapper eb-text-iljad\" data-id=\"eb-text-iljad\"><p class=\"eb-text\">Step 5: Create Firewall Rule<\/p><\/div><\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Rule name:<\/strong> VPN_SF_TO_SF1<\/li>\n\n\n\n<li><strong>Action:<\/strong> Accept \u2192 Allow traffic to pass<\/li>\n\n\n\n<li><strong>Log firewall traffic:<\/strong> Check \u2192 Log traffic for verification when necessary<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"741\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-21.png\" alt=\"\" class=\"wp-image-29080\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-21.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-21-300x238.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-21-768x608.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Source zones:<\/strong> LAN, VPN \u2192 Meaning traffic can originate from the internal network or from the VPN side.<\/li>\n\n\n\n<li><strong>Source networks:<\/strong> LOCAL_VLAN_100, VPN_VLAN_200 \u2192 Only these networks are allowed to use this rule.<\/li>\n\n\n\n<li><strong>Destination zones:<\/strong> LAN, VPN \u2192 Allow two-way access between LAN and VPN.<\/li>\n\n\n\n<li><strong>Destination networks:<\/strong> LOCAL_VLAN_100, VPN_VLAN_200<\/li>\n\n\n\n<li><strong>Services:<\/strong> Any \u2192 Allow all services (ping, RDP, SMB, 
HTTP\u2026)<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"975\" height=\"692\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-31.png\" alt=\"\" class=\"wp-image-29093\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-31.png 975w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-31-300x213.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-31-768x545.png 768w\" sizes=\"auto, (max-width: 975px) 100vw, 975px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-8iylg\"><div class=\"eb-parent-wrapper eb-parent-eb-text-8iylg \"><div class=\"eb-text-wrapper eb-text-8iylg\" data-id=\"eb-text-8iylg\"><p class=\"eb-text\">Step 6: Check VPN status<\/p><\/div><\/div><\/div>\n\n\n\n<p>Go to <strong>Site to site VPN \u2192 IPsec \u2192 Check Active and Connection to enable the configuration<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"736\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-22.png\" alt=\"\" class=\"wp-image-29081\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-22.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-22-300x236.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-22-768x604.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-advanced-heading  root-eb-advance-heading-8jx05\"><div class=\"eb-parent-wrapper eb-parent-eb-advance-heading-8jx05 \"><div class=\"eb-advance-heading-wrapper eb-advance-heading-8jx05 button-1 undefined\" data-id=\"eb-advance-heading-8jx05\"><h2 class=\"eb-ah-title\"><span class=\"first-title\">2. 
Configuration on Sophos Firewall 2<\/span><\/h2><\/div><\/div><\/div>\n\n\n\n<p>Go to <strong>Hosts and services \u2192 IP Host \u2192 Add<\/strong> to add the <strong>local and remote LAN network<\/strong> as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-24.png\" alt=\"\" class=\"wp-image-29083\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"726\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-23.png\" alt=\"\" class=\"wp-image-29082\" srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-23.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-23-300x233.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-23-768x596.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-hch3o\"><div class=\"eb-parent-wrapper eb-parent-eb-text-hch3o \"><div class=\"eb-text-wrapper eb-text-hch3o\" data-id=\"eb-text-hch3o\"><p class=\"eb-text\">Step 1: Create an IPsec VPN connection to Firewall 1<\/p><\/div><\/div><\/div>\n\n\n\n<p>Go to <strong>Site-to-Site VPN \u2192 IPsec<\/strong> and select <strong>Add<\/strong>.<\/p>\n\n\n\n<p>Create the connection with the parameters below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-25.png\" alt=\"\" class=\"wp-image-29086\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"734\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-27.png\" alt=\"\" class=\"wp-image-29084\" 
srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-27.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-27-300x235.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-27-768x602.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-patfl\"><div class=\"eb-parent-wrapper eb-parent-eb-text-patfl \"><div class=\"eb-text-wrapper eb-text-patfl\" data-id=\"eb-text-patfl\"><p class=\"eb-text\">Step 2: Create Firewall Rules for Firewall 2<\/p><\/div><\/div><\/div>\n\n\n\n<p>Go to <strong>Rules and Policies \u2192 Firewall rules \u2192 Add<\/strong> as shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-29.png\" alt=\"\" class=\"wp-image-29088\"\/><\/figure>\n\n\n\n<div class=\"wp-block-essential-blocks-text  root-eb-text-tglf7\"><div class=\"eb-parent-wrapper eb-parent-eb-text-tglf7 \"><div class=\"eb-text-wrapper eb-text-tglf7\" data-id=\"eb-text-tglf7\"><p class=\"eb-text\">Step 3: Check VPN status<\/p><\/div><\/div><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <strong>Site to site \u2192 IPsec \u2192 Check Active and Connection to start the connection<\/strong>.<\/li>\n\n\n\n<li>From a computer in <strong>LAN 100.100.100.0\/24<\/strong>, ping a computer in <strong>LAN 200.200.200.0\/24 \u2192 ping successful<\/strong>.<\/li>\n\n\n\n<li>Conversely, from a computer in <strong>LAN 200.200.200.0\/24<\/strong>, ping a computer in <strong>LAN 100.100.100.0\/24 \u2192 ping successful<\/strong>.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"733\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-28.png\" alt=\"\" class=\"wp-image-29087\" 
srcset=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-28.png 936w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-28-300x235.png 300w, https:\/\/vacif.com\/en\/wp-content\/uploads\/sites\/3\/2026\/03\/image-28-768x601.png 768w\" sizes=\"auto, (max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-30.png\" alt=\"\" class=\"wp-image-29089\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/vacif.com\/en\/wp-content\/uploads\/2026\/03\/image-26.png\" alt=\"\" class=\"wp-image-29085\"\/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article guides the configuration of IPsec Site-to-Site VPN between two Sophos Firewall XGS devices using firmware v22, in order to establish a secure connection between two network systems located at two different sites. 
Objectives of the lab: Deployment environment: The enterprise has two sites using two Sophos Firewall XGS devices connecting to the Internet [&hellip;]<\/p>\n","protected":false},"author":47,"featured_media":29090,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_eb_attr":"","ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"
ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[623,629,618,80,17,596,627],"tags":[651,334,649],"class_list":["post-29071","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","category-export","category-huong-dan","category-huong-dan-tai-lieu","category-bao-mat","category-sophos","category-tai-lieu-va-huong-dan","tag-cau-hinh-vpn-site-to-site","tag-sophos-firewall","tag-sophos-firewall-firmware-v22","entry","has-media"],"_links":{"self":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/pos
ts\/29071","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/users\/47"}],"replies":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/comments?post=29071"}],"version-history":[{"count":5,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/29071\/revisions"}],"predecessor-version":[{"id":29141,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/posts\/29071\/revisions\/29141"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media\/29090"}],"wp:attachment":[{"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/media?parent=29071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/categories?post=29071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vacif.com\/en\/wp-json\/wp\/v2\/tags?post=29071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}