IPsec (remote access)

You can establish remote access IPsec VPN connections using the Sophos Connect client.

You can download the Sophos Connect client by clicking Download client on the IPsec (remote access) page.

You can update to the latest version of Sophos Connect client on Backup & Firmware > Pattern updates.

To export an IPsec remote access connection, turn on IPsec remote access, specify the settings, and click Export connection. This generates a .scx file and a .tgb file.

Restriction: You cannot export the connection when an external certificate is selected as Remote certificate.

To revert to factory settings, click Reset.

Configure IPsec remote access connections

To allow remote access to your network through the Sophos Connect client using an IPsec connection, do as follows:

  1. To turn on IPsec remote access, click VPN > IPsec (remote access) and select Enable.
  2. Specify the settings on the page and click Apply. This creates the .scx and .tgb configuration files. The .tgb file doesn't have the advanced settings.
  3. If you don't have a firewall rule allowing traffic between the LAN and the VPN zones, add a firewall rule so that the Sophos Connect clients can access the configured LAN networks. For information on how to add a firewall rule, see Add a firewall rule. If you want to allow LAN and VPN traffic in both directions, add both LAN and VPN to the source and destination zones. If you want to allow specific traffic for each direction, you need to create separate rules.
  4. Click Export connection to download the configuration files and share the .scx file with users.

Remote users

Users can download the Sophos Connect client from the user portal. They can then import the .scx file you share with them.

The Sophos Connect client then establishes the connection.

General settings

IPsec (remote access)

Turn on the IPsec remote access client.

Interface

Select a WAN port, which acts as the endpoint for the tunnel.

Authentication type

Authentication to use for the connection.

Preshared key: Authenticates endpoints using the secret known to both endpoints.

Digital certificate: Authenticates endpoints by exchanging certificates (either self-signed or issued by a certificate authority).

Local ID

For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.

The Local ID identifies the local gateway to connect to and can't be the same as the Remote ID.

Always configure the Local ID to make sure clients connect to the correct XG Firewall.

The following values are available:

DNS: Enter an FQDN, for example, xg.example.com. This value isn't checked against DNS and is only used to identify the tunnel. If the value is changed, the user must download the updated configuration file.

IP Address: Enter the WAN IP address of the XG Firewall.

Email: Enter an email address, for example, xg@example.com. This can be any email address. If the value is changed, the user must download the updated configuration file.

DER ASN1 DN [X509]: Only available when Authentication type is Digital certificate. The appliance certificate is automatically selected, and the certificate values are populated.

Remote ID

For preshared key, select an ID type and enter a value. DER ASN1DN (X.509) isn't accepted.

The Remote ID identifies the remote client and can't be the same as the Local ID.

You don't need to enter the Remote ID. If you leave it blank, the system uses the value ANY. Setting a Remote ID is useful if you have many clients connecting through the Sophos Connect client.

The following values are available:

DNS: Enter an FQDN, for example, xg.example.com. This value is not checked against DNS and is only used to identify the tunnel. If the value is changed, the user must download the updated configuration file. The value must be different from the one entered for Local ID.

IP Address: Enter an IP address. This must be different from the one entered for Local ID and can be a dummy IP address, for example, 1.1.1.1.

Email: Enter an email address, for example, xg@example.com. This can be any email address. If the value is changed, the user must download the updated configuration file. This must be different from the one entered for Local ID.

DER ASN1 DN [X509]: Only available when Authentication type is Digital certificate. You must upload the certificate to XG Firewall, then select it from the drop-down list next to Remote certificate.

Allowed users and groups

Add users and groups who are allowed to connect using the Sophos Connect client.

Note: If you haven't configured the WAN interface of XG Firewall with its public IP address, you must modify the configuration file in Sophos Connect Admin. Configure the target host as the public IP address or FQDN of XG Firewall.

Client information

Name

Specify a name for the connection.

Assign IP from

Range from which an IP address is leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.

The IP address range leased to the IPsec remote access clients mustn't contain IP addresses that are in use.

Allow leasing IP address from RADIUS server for L2TP, PPTP, and IPsec remote access

When users are authenticated using a RADIUS server, use the IP address provided by the RADIUS server. If the RADIUS server provides no addresses, XG Firewall assigns the static address configured for the user or leases an address from the specified range.

DNS server 1

DNS server 2

Primary and secondary DNS servers to use for the connection.

Idle settings

Disconnect when tunnel is idle

Disconnects idle clients from the session after the specified time.

Idle session time interval

Time, in seconds, after which idle clients are disconnected.

Advanced settings

XG Firewall only adds these settings to the .scx file used with Sophos Connect clients. The .tgb file won't have these settings. The .tgb file is compatible with third-party clients.

Note: If you update any of the advanced settings, you must share the configuration file again with the users for the changes to take effect.

Use as default gateway

Turn it on to send all traffic, including external internet requests, to the interface you specify for IPsec remote access.

Turn it off to allow access only to permitted resources within the network. For traffic outside the network, the client then connects to the internet directly.

Permitted network resources (IPv4)

Select the resources to which this policy permits access.

Send Security Heartbeat through tunnel

If Sophos Endpoint Protection client is installed on users' endpoint devices, it sends a heartbeat to XG Firewall through the tunnel.

Allow users to save username and password

Allows users to save their credentials on their device. User credentials are stored securely using keychain services.

Prompt users for 2FA token

Turn it on if you've configured multi-factor authentication for VPN users on Authentication > One-time password or using third-party OTP tokens.

Run AD logon script after connecting

Select to run the script that applies automatically to Active Directory users when they sign in. For example, you can map network drives and set default resources the user can access.

Connect tunnel automatically

Select to turn on the connection automatically when users sign in to the remote access client. The client won't automatically start the connection if the user is already connected to the network.

Hostname or DNS suffix to monitor

Enter a hostname or DNS suffix within the network. The client uses it to monitor automatic connections: reaching the host confirms that the user's endpoint device is connected to the network through the tunnel.

Specify a hostname or suffix that can only resolve through an internal DNS server. You need to allow ICMP probes for the host.

Assign client DNS suffix

Enter the DNS suffix. XG Firewall appends the domain name to all the tunnel requests.