All you need to know about Sophos Central SD-WAN VPN Orchestration


Complete Guide of Sophos Central SD-WAN VPN Orchestration

If you already have Sophos devices in your infrastructure, you should definitely consider the newly released, license-based SD-WAN VPN orchestration feature.

I have built this humble lab with only two XG devices, although this solution is aimed at a scenario with several XG branches.

VPN Orchestration

Check out the video of the full step-by-step walkthrough.

Important points to be aware of when using SD-WAN connection groups:

Here are some highlights of the configuration that are important to keep in mind when you use SD-WAN VPN orchestration with Sophos Central.

  • Sophos Central uses the "RSA Key" authentication type to form the IPsec VPN connections between the firewalls in a group.
  • Sophos Central uses a specific default IPsec policy with stricter encryption algorithms for the IPsec VPN connections between the firewalls in a group.
  • Whenever a firewall's IP address changes, Central should detect the change and apply it to the SD-WAN connection group.
  • Tunnel type: route-based VPN with SD-WAN policy routing, forming VPN connection links (xfrm) between the firewalls in a group.
  • For instance, after an SD-WAN connection group has been created, if one of the firewalls is edited from the firewall side to add a new LAN network, and that change conflicts with another firewall's network in the connection group, the conflict has to be handled manually.
  • Any network conflicts with the firewall sharing the resources must be resolved manually.
  • As of now, a firewall can be part of only a single SD-WAN connection group.


Troubleshooting SD-WAN VPN Orchestration

Sophos Central VPN orchestration does not change the fact that the connection is still a standard IPsec connection with SD-WAN policies, which means you continue to use the same troubleshooting mechanisms to analyze any event involving IPsec and SD-WAN routes, such as:

  • Check for traffic to and from the P2P remote gateways with a command such as "tcpdump -nei any port 500 or 4500".
  • Review the Sophos IPsec logs, charon.log and strongswan.log, with debugging enabled.
  • Check the output of "ipsec statusall".
  • Check the "conntrack" tables.
  • Analyze whether the system is reporting drppkt (dropped-packet) events.

The list goes on, and it always depends on the issue. The most important thing to know is that VPN orchestration is only an automation tool and does not interfere with the underlying modules; for that reason, the steps to investigate any issue remain the standard methods.
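As an added example (not code from the original post or from Sophos), here is a small shell helper for the "ipsec statusall" check above: it filters the strongSwan status text so you can see at a glance which IKE SAs that Central pushed for a connection group are established and which are still connecting. The connection names and addresses in the sample are constructed; on a firewall you would pipe the real "ipsec statusall" output into the functions.

```shell
#!/bin/sh
# Filters for strongSwan "ipsec statusall" output. Both functions read the
# status text from stdin and print one connection name per line.

# IKE SAs that are fully ESTABLISHED (IKE negotiation completed).
established_sas() {
  awk '/\]: ESTABLISHED/ { sub(/\[.*/, "", $1); print $1 }' | sort -u
}

# IKE SAs still in CONNECTING state: typically the peer is not answering on
# UDP 500/4500, or the policy/RSA key on the two sides do not match.
connecting_sas() {
  awk '/\]: CONNECTING/ { sub(/\[.*/, "", $1); print $1 }' | sort -u
}

# Constructed sample of "ipsec statusall" output (not from a real firewall;
# connection names and addresses are made up for the example).
SAMPLE_STATUS='Security Associations (1 up, 1 connecting):
 HQ_to_BR1-1[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
 HQ_to_BR1-1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
 HQ_to_BR2-1[4]: CONNECTING, 203.0.113.10[%any]...198.51.100.30[%any]'

# Run against the sample. On the firewall shell use instead:
#   ipsec statusall | established_sas
#   ipsec statusall | connecting_sas
echo "established:"
printf '%s\n' "$SAMPLE_STATUS" | established_sas
echo "connecting:"
printf '%s\n' "$SAMPLE_STATUS" | connecting_sas
```

A tunnel that shows up under "connecting" is the one to chase with the tcpdump and charon.log checks from the list above.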

In conclusion, this feature is just awesome and works flawlessly to reduce the workload of system and infrastructure administrators.

I hope you found this tutorial helpful.

Juana Melo

I'm a self-taught security network engineer and blogger, sharing everything I'm learning along the way.
