Operation: Add Failover Group IPSEC Connection / Edit IPSEC Connection
Description: To Create/Edit IPSEC Connection for secure VPN communication at the IP Layer.To edit IPSec connections. 

Sample Configuration
<VPNIPSecConnection> <Configuration> <Name>name</Name> <Description>Text</Description> <ConnectionType>RemoteAccess/SiteToSite/HostToHost</ConnectionType> <Policy>DefaultRemoteAccess</Policy> <ActionOnVPNRestart>Disable/RespondOnly/Initiate</ActionOnVPNRestart> <AuthenticationType>PresharedKey/DigitalCertificate/RSAKey</AuthenticationType> <!-- For preshared Key --> <PresharedKey>key</PresharedKey> <!-- For Certificate --> <LocalCertificate>ApplianceCertificate</LocalCertificate> <RemoteCertificate>ExternalCertificate</RemoteCertificate> <!-- For Network Detail IP Family --> <SubnetFamily>IPv4/IPv6</SubnetFamily> <!-- For Endpoint Detail IP Family --> <EndpointFamily>IPv4/IPv6</EndpointFamily> <!-- For RSA Key --> <RemoteRSAKey>Text</RemoteRSAKey> <LocalWANPort>PortB</LocalWANPort> <!-- For alias wan port --> <AliasLocalWANPort>PortB:0</AliasLocalWANPort> <RemoteHost>Host</RemoteHost> <LocalSubnet>Host</LocalSubnet> <!-- only for site-to-site --> <NATedLAN>Host</NATedLAN> <LocalIDType>DNS/IP Address/Email/DER ASN1 DN (X.509)</LocalIDType> <LocalID>localid</LocalID> <!-- only for RemoteAccess & Host-to-Host --> <AllowNATTraversal>Enable/Disable</AllowNATTraversal> <RemoteNetwork> <Network>Network</Network> </RemoteNetwork> <RemoteIDType>DNS/IP Address/Email/DER ASN1 DN (X.509)</RemoteIDType> <RemoteID>remoteid</RemoteID> <UserAuthenticationMode>Disable/AsServer/AsClient</UserAuthenticationMode> <!-- for AsClient --> <Username>username</Username> <Password>password</Password> <!-- for AsServer --> <AllowedUser> <User>username</User> : </AllowedUser> <Protocol>ALL/UDP/TCP/ICMP</Protocol> <LocalPort>Number</LocalPort> <RemotePort>Number</RemotePort> <DisconnectOnIdleInterval>600</DisconnectOnIdleInterval> <Status>Active/Deactive</Status> </Configuration> <!-- these four tags will work only after the connection is created--> <Active><Name>connectionname</Name></Active> <DeActive><Name>connectionname</Name></DeActive> <Connection><Name>connectionname</Name></Connection> <DisConnection><Name>connectionname</Name></DisConnection> </VPNIPSecConnection>



Parameter Mandatory Default Description
NameYes  
Specify a name to identify IPSec connection.
Name confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Allowed first characters: (A-Za-z). For other characters: (A-Za-z0-9_)
  • Maximum characters allowed are 100.
  • Multiple values are allowed.
DescriptionNo  
Specify description for the IPSEC connection.
Description confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 255.
ConnectionTypeYes  
Select Connection type for VPN IPSEC connection from the available options: Remote Access, Site to Site or Host to Host.
ConnectionType confines to:
  • Type is 'SCALAR'.
  • Only 'RemoteAccess', 'SiteToSite', 'HostToHost', 'TunnelInterface' are allowed.
PolicyYes  
Select Policy to be used for connection from the available options: Default Policy, DefaultHeadOffice, DefaultRemoteAccess, AES128_MD5, DefaultBranchOffice or DefaultL2TP.
Policy confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
ActionOnVPNRestartNo  
Select action to be taken when VPN Services restarts from the available options: Disable or Respond Only.
ActionOnVPNRestart confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'RespondOnly', 'Initiate' are allowed.
AuthenticationTypeNo  
Select Authentication type based on the Connection type.
AuthenticationType confines to:
  • Type is 'SCALAR'.
  • Only 'PresharedKey', 'DigitalCertificate', 'RSAKey' are allowed.
PresharedKey/LocalCertificateYes  
Specify Preshared key or Select Local Certificate to be used by Appliance for authentication based on the Authentication type selected.
PresharedKey/LocalCertificate confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 64.
  • Minimum characters allowed are 5.
RemoteCertificate/RemoteRSAKeyNo  
Select Remote Certificate or Specify RSA Key to be used by remote peer for authentication based on the Authentication type selected.
RemoteCertificate/RemoteRSAKey confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
Note:
This options are available if Connection type selected is Site-to-Site or Host-to-Host..
AliasLocalWANPortYes  
Select local WAN port from the list.
AliasLocalWANPort confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
  • Duplicate values will not be ignored.
RemoteHostYes  
Specify IP Address/Domain name of the remote peer.
RemoteHost confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
  • Duplicate values will not be ignored.
  • If Authentication type is 'RSAKey' then character (*) is not allowed.
Failover Group NameYes  
Specify a name for Failover Group.
Failover Group Name confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Allowed first characters: (A-Za-z). For other characters: (A-Za-z0-9_)
Failover Mail NotificationNo  
Enable to trigger Email notifications to Administrator at failover events.
Failover Mail Notification confines to:
  • Type is 'SCALAR'.
  • Only 'y', 'n' are allowed.
ProtocolNo  
Select Protocol.
Protocol confines to:
  • Type is 'ARRAY'.
  • Only 'ping', 'tcp', '' are allowed.
  • Multiple values are allowed.
  • Duplicate values will not be ignored.
PortNo  
Select Port.
Port confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Multiple values are allowed.
  • Allowed numbers: 1 to 65535.
LocalSubnetYes  
Select Local LAN subnet.
LocalSubnet confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Not allowed for first character: (# ,). Not allowed: Comma (,)
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
  • Duplicate values will be ignored.
NATedLANNo  
If NAT Local LAN is selected for Site-to-Site Connection type, select IP Host or Network Host from the list.
NATedLAN confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Not allowed for first character: (# ,). Not allowed: Comma (,)
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
  • Duplicate values will not be ignored.
LocalIDTypeYes  
Select ID type for Preshared Key and RSA Key.
LocalIDType confines to:
  • Type is 'SCALAR'.
  • Only 'DNS', 'IP Address', 'Email', 'DER ASN1 DN (X.509)' are allowed.
LocalIDYes  
Specify the value as per selected Local ID type.
LocalID confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
AllowNATTraversalNo  
Enable NAT Traversal if a NAT device is located between VPN end points.
AllowNATTraversal confines to:
  • Type is 'SCALAR'.
  • Only 'Enable', 'Disable' are allowed.
RemoteIDTypeYes  
Select Remote ID type.
RemoteIDType confines to:
  • Type is 'SCALAR'.
  • Only 'DNS', 'IP Address', 'Email', 'DER ASN1 DN (X.509)' are allowed.
RemoteIDYes  
Specify the value as per selected Remote ID type.
RemoteID confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
UserAuthenticationModeNo  
Select mode for User Authentication if required at time of connection.
UserAuthenticationMode confines to:
  • Type is 'SCALAR'.
  • Only 'Disable', 'EnableAsClient', 'EnableAsServer' are allowed.
UsernameYes  
Specify Username if User Authentication mode is enabled as Client.
Username confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 50.
PasswordNo  
Specify Password if User Authentication mode is enabled as Client.
Password confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
UserNo  
Add all the users which are allowed to connect if authentication mode is enabled as Server.
User confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Maximum characters allowed are 50.
  • Multiple values are allowed.
  • Duplicate values will be ignored.
ProtocolNo  
Select Protocol to be allowed for negotiations.
Protocol confines to:
  • Type is 'SCALAR'.
  • Only 'ALL', 'ICMP', 'UDP', 'TCP' are allowed.
LocalPortYes  
Specify local port number that local VPN peer will use to transport traffic.
LocalPort confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Allowed port range: (1 to 65535). To specify any port, use an asterisk (*).
  • Maximum characters allowed are 5.
RemotePortYes  
Specify remote port number that remote VPN peer will use to transport traffic.
RemotePort confines to:
  • Type is 'SCALAR'.
  • Datatype is 'STRING'.
  • Allowed port range: (1 to 65535). To specify any port, use an asterisk (*).
  • Maximum characters allowed are 5.
DisconnectOnIdleIntervalNo 
Disconnect on idle interval.
DisconnectOnIdleInterval confines to:
  • Type is 'SCALAR'.
  • Datatype is 'INTEGER'.
  • Range 120 to 999 is allowed.
  • Maximum digits allowed are 3.
ActivateOnSaveNo  
Choose if the connection should be activated right after save.
ActivateOnSave confines to:
  • Type is 'SCALAR'.
  • Only 'y', 'n' are allowed.
Local IP AddressNo  
Local IP Address for Interface Binding.
Local IP Address confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.
Bind with InterfaceNo  
Enable or Disable Selection for Interface Binding.
Bind with Interface confines to:
  • Type is 'SCALAR'.
  • Only '0', '1' are allowed.
Remote IP AddressNo  
Remote IP Address for Interface Binding.
Remote IP Address confines to:
  • Type is 'SCALAR'.
  • Datatype is 'IPADDRESS'.
  • Maximum characters allowed are 15.
SubnetFamilyNo  
IP Family Selection for Network Detail.
SubnetFamily confines to:
  • Type is 'SCALAR'.
  • Only 'IPv4', 'IPv6' are allowed.
NetworkYes  
Specify the remote LAN network.
Network confines to:
  • Type is 'ARRAY'.
  • Datatype is 'STRING'.
  • Not allowed for first character: (# ,). Not allowed: Comma (,)
  • Maximum characters allowed are 60.
  • Multiple values are allowed.
  • Duplicate values will not be ignored.



Operation   Status   Message
Add Failover Group IPSEC Connection200
Add Failover Group IPSEC Connection500
Add Failover Group IPSEC Connection502
Add Failover Group IPSEC Connection503
Add Failover Group IPSEC Connection504
Add Failover Group IPSEC Connection541
Add Failover Group IPSEC Connection542
Add Failover Group IPSEC Connection543
Add Failover Group IPSEC Connection544
Add Failover Group IPSEC Connection545
Add Failover Group IPSEC Connection546
Edit IPSEC Connection200
Edit IPSEC Connection201
Edit IPSEC Connection500
Edit IPSEC Connection502
Edit IPSEC Connection503
Edit IPSEC Connection505
Edit IPSEC Connection545
Edit IPSEC Connection546


© Copyright 2019 Sophos Firewall Limited. All rights reserved.
Sophos Firewall is registered trademarks of Sophos Firewall Limited and Sophos Firewall Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.