Configure IPsec remote access VPN with Sophos Connect client

You can configure IPsec remote access connections. Users can establish the connection using the Sophos Connect client.


The Sophos Connect client allows you to enforce advanced security and flexibility settings, such as connecting the tunnel automatically. To configure and establish IPsec remote access connections over the Sophos Connect client, do as follows:

  • Configure the IPsec remote access connection.
  • Send the configuration file to users.
  • Add a firewall rule.
  • Send the Sophos Connect client to users. Alternatively, users can download it from the user portal.

Users must do as follows:

  • Install the Sophos Connect client on their endpoint devices.
  • Import the configuration file into the client and establish the connection.

Configure IPsec (remote access)

Specify the settings for IPsec remote access connections.
  1. Go to VPN > IPsec (remote access) and click Enable.
  2. Specify the general settings:




    Select a WAN port.

    Authentication type

    Specify a preshared key or the local and remote certificates.

    Local ID

    Remote ID

    Specify the IDs if required.

    Allowed users and groups

    Select the users and groups you want to allow.

    Here's an example:

    General settings
  3. Specify the client information. The following settings are an example:





    Assign IP from

    DNS server 1

    Client information settings
  4. Specify the advanced settings you want and click Apply.



    Permitted network resources (IPv4)



    Send Security Heartbeat through tunnel

    Sends the Security Heartbeat of remote clients through the tunnel.

    Allow users to save username and password

    Users can save their credentials.

    Here's an example:

    Advanced settings
  5. Click Export connection.

    The exported tar.gz file contains a .scx file and a .tgb file.

    Export the configuration file
  6. Send the .scx file to users.
  7. Optional To assign a static IP address to a user connecting through the Sophos Connect client, do as follows:
    1. Go to Authentication > Users, and select the user.
    2. On the user's settings page, go down to IPsec remote access, click Enable, and enter an IP address.

      Here's an example:

      Assign static IP address to a user connecting through the Sophos Connect client

Add a firewall rule

Configure a firewall rule to allow traffic from VPN to LAN and DMZ since you want to allow remote users to access these zones in this example.
  1. Enter a name.
  2. Specify the source and destination zones as follows and click Apply:



    Source zones


    Destination zones



    Here's an example:

    Source and destination zones in the firewall rule
    Note Under advanced settings for IPsec (remote access), if you select Use as default gateway, the Sophos Connect client sends all traffic, including traffic to the internet, from the remote user through the tunnel. To allow this traffic, you must additionally set the Destination zone to WAN in the firewall rule.

Configure Sophos Connect client on endpoint devices

Users must install the Sophos Connect client on their endpoint devices and import the .scx file to the client.

You can download the Sophos Connect client installers from the Sophos Firewall web admin console and share these with users. Alternatively, users can download the Sophos Connect client from the user portal.

Here, we show how users can download the client from the user portal. Users must do as follows:

  1. Sign in to the user portal and go to VPN. Under Sophos Connect client (IPsec and SSL VPN), click one of the following options:
    • Download client for Windows
    • Download client for macOS

    Installers for the Sophos Connect client
  2. Run the Sophos Connect client.

    You can then see it in the system tray of your endpoint device.

  3. Click the three dots button in the upper-right corner, click Import connection, and select the .scx file your IT administrator has sent.

    Import connection
  4. Sign in using your user portal credentials.

    Sign in to the Sophos Connect client
  5. Enter the verification code if two-factor authentication is required.