VPN settings

Define settings requested for remote access using SSL VPN and L2TP. These include protocols, server certificates, and IP addresses for clients.


Protocol that all SSL VPN clients must use. TCP is recommended for applications that require high reliability such as email, web surfing, and FTP. UDP is suitable for applications that need fast, efficient transmission such as streaming media, DNS, VoIP, and TFTP.
SSL server certificate
Certificate to be used by the SSL VPN server to identify itself to clients.
Override hostname
Hostname to use if the firewall hostname is not reachable. Leave this field empty if you want the firewall hostname to be the target hostname for client VPN connections.
If required, change the port number on which the SSL VPN server is listening. You can use the same port (for example, 443) for secure connections to the user portal and SSL VPN connections that use TCP.
IPv4 lease range
IPv4 address range for SSL clients. This should be a private IP address range.
Subnet mask
Subnet mask to use for the IPv4 address range.
IPv6 lease (IPv6 prefix)
IPv6 address range for SSL clients.
Lease mode
Allocate only IPv4 addresses or both IPv4 and IPv6 addresses.
Primary and secondary DNS servers for your organization.
Primary and secondary Windows Internet Naming Service (WINS) servers for your organization.
Domain name
Hostname of the firewall. Must be specified as a fully qualified domain name (FQDN). The hostname is used in notification messages to identify the firewall.
Disconnect dead peer after
Time, in seconds, after which a dead connection will be terminated by the firewall.
Disconnect idle peer after
Time, in minutes, after which an idle connection will be terminated by the firewall.
Encryption algorithm
Algorithm to use for encrypting the data sent through the VPN tunnel.
Authentication algorithm
Algorithm to use for authenticating messages.
Key size
Key size, in bits. Longer keys are more secure.
Key lifetime
Time, in seconds, after which keys will expire.
Compress SSL VPN traffic
Compress data sent through SSL VPN tunnels prior to encryption.
Enable debug mode
Provide extended information in the SSL VPN log file that is useful for debugging purposes.


  • To allow users to access your network through L2TP, specify settings and click Apply. Then, click Add members and select users.
  • To view users who are allowed access using L2TP, click Show members.
Enable L2TP
Allow access to your network by specified users through L2TP.
Assign IP from
Range from which an IP address is leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.
Note L2TP and PPTP ranges mustn't overlap with this range.
Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client
When users are authenticated using a RADIUS server, use the IP address provided by the RADIUS server. If the RADIUS server provides no addresses, XG Firewall assigns the static address configured for the user or leases an address from the specified range.
Client information
Primary DNS server to use for connections. Optionally, you can specify a secondary DNS server and WINS servers.