Add an IPsec connection

You can configure host-to-host, site-to-site, and route-based IPsec connections.

For remote access IPsec connections, we recommend that you configure VPN > IPsec (remote access) rather than the remote access (legacy) option.
  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Specify the general settings:
    IP version: The tunnel only forwards data that uses the specified IP version.

    Connection type: Select one of the following:

      • Remote access (legacy): Establishes a secure connection between an individual host and a private network over the internet. To establish a remote connection using this option, remote users must have a third-party VPN client.

        Go to the connection you configured, and download the .tar file. Extract the .tgb file, and share it with users. Users must import it to the VPN client on their endpoint devices. You can't use this configuration file with the Sophos Connect client.

      • Site-to-site: Establishes a secure connection between the local and remote subnets over the internet. The connection is frequently used to connect a branch office to corporate headquarters.

      • Host-to-host: Establishes a secure connection between two hosts, for example, between two computers.

      • Tunnel interface: Establishes a route-based VPN connection and creates a tunnel interface between two endpoints. The interface name is xfrm, followed by a number. You must assign an IP address to the tunnel interface and then configure static or dynamic routing.

    Gateway type: Action to take when the VPN service or the firewall restarts:

      • Disable: The connection remains inactive until a user activates it.

      • Respond only: Keeps the connection ready to respond to any incoming request.

      • Initiate the connection: Establishes the connection every time the VPN service or the firewall restarts.

      We recommend setting the gateway at your central location (for example, the head office) to Respond only and the gateway at your remote locations (for example, branch offices) to Initiate the connection. You can troubleshoot connection errors more efficiently using the logs on the initiating device.

    Activate on save: Activates the connection.

    Create firewall rule: Creates a firewall rule automatically for this connection.

      Review the rule position in the firewall rule list. Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. The policies and actions of the rule at the top apply, which may lead to unplanned outcomes, such as failure in mail delivery or tunnels not being established, when the matching criteria of the new and existing rules overlap.

  4. Specify the encryption settings.
    Policy: IPsec policy to use for the traffic.

    Authentication type: The authentication methods for the connection are as follows:

      • Preshared key: Authenticates endpoints using a secret known to both endpoints.

      • Digital certificate: Authenticates endpoints by exchanging certificates (self-signed or issued by a certificate authority).

      • RSA key: Authenticates endpoints using RSA keys.

    Local certificate: Certificate used for authentication by the local firewall.

    Remote certificate: Certificate used for authentication by the remote firewall.

    Warning: Don't use a public CA as the remote CA certificate for encryption. Attackers can gain unauthorized access to your connections using a valid certificate from that CA.
  5. Specify the local gateway settings.
    Listening interface: Interface that listens for connection requests.

    Local ID type: For preshared and RSA keys, select an ID type, and type a Local ID value. Use this for additional validation of tunnels.

    Local subnet: Local networks to which you want to provide remote access.

      You can only use this option with policy-based (host-to-host and site-to-site) VPNs.

  6. Specify the remote gateway settings.
    Gateway address: IP address of the remote gateway. You can use a wildcard when the remote firewall has a dynamic IP address.

      If you specify a wildcard IP address (*), you can't set Gateway type to Initiate the connection because XG Firewall won't know with whom to connect.

      You can't use * for tunnel interfaces.

    Remote ID type: For preshared and RSA keys, select an ID type, and type a Remote ID value. Use this for additional validation of tunnels.

    Remote subnet: Remote networks to which you want to provide access.

      You can only use this option with policy-based (host-to-host and site-to-site) VPNs.

  7. Optional: Select Network Address Translation (NAT) to translate IP addresses if the local and remote subnets overlap.
    • Translated subnet: Shows the local subnets you specify in this policy. XG Firewall translates this to the actual subnet.
    • Original subnet: Select the actual subnet. It's the overlapping subnet at your local and remote sites.
    Note: You can only use this option with policy-based (host-to-host and site-to-site) VPNs. For route-based VPNs (tunnel interfaces), configure NAT rules to translate IP addresses.
  8. Specify the advanced settings:
    User authentication mode: Authenticates VPN clients using XAuth (Extended Authentication) in client-server mode. Set the firewall at the central location to server mode.

      XAuth uses your current authentication mechanism, such as AD, RADIUS, or LDAP, to authenticate users after the Phase 1 exchange. Typically, organizations use this for remote access IPsec connections.

      Select one of the following:

      • None: Doesn't enforce user authentication.

      • As client: The local firewall acts as an XAuth client. Enter the username and password for validation with the remote firewall.

        On the remote firewall, set the user authentication method to As server.

      • As server: The local firewall acts as an XAuth server. Under Allowed users and groups, select the users you want to allow.

        On the remote firewall, set the user authentication method to As client.

        You must also download the configuration file and share it with users. To download the file, click the Download button for the connection in the list of configured connections.

      To configure the authentication server for IPsec VPNs, go to Authentication > Services > VPN authentication methods and select the servers.

    Disconnect when idle: Disconnects idle clients from the session after the specified time.

    Idle session time interval: Time, in seconds, after which the firewall disconnects idle clients.

  9. Click Save.
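The constraints spread across steps 3 to 8 (a wildcard gateway can't initiate, tunnel interfaces take no wildcard, subnets and the NAT option exist only for policy-based VPNs, XAuth client and server must be paired, overlapping subnets need translation) are easy to get wrong when two firewalls are configured by hand. The following is an added example, not Sophos code and not part of this page: a small Python checker that encodes those rules, cross-checks both ends of one tunnel, and shows how a host in the overlapping original subnet maps into the translated subnet. The field names of `IPsecConnection`, the 1:1 translation that keeps host bits, and the sample addresses are all assumptions made for the example.

```python
"""Consistency checks for the IPsec connection settings in steps 3 to 8.

Added example (not Sophos code). Field names are assumptions that mirror the
option names on the page; the host mapping assumes a 1:1 translation that
keeps the host bits of the original address.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

POLICY_BASED = {"host-to-host", "site-to-site"}
CONNECTION_TYPES = POLICY_BASED | {"tunnel interface", "remote access (legacy)"}


@dataclass
class IPsecConnection:
    name: str
    connection_type: str        # see CONNECTION_TYPES
    gateway_type: str           # "disable", "respond only", "initiate the connection"
    authentication_type: str    # "preshared key", "digital certificate", "rsa key"
    gateway_address: str        # remote gateway IP, or "*" for a dynamic peer
    local_subnets: list = field(default_factory=list)    # translated subnet when NAT is on
    remote_subnets: list = field(default_factory=list)
    original_subnets: list = field(default_factory=list) # NAT "Original subnet"
    local_id: str = ""
    remote_id: str = ""
    nat_enabled: bool = False
    xauth_mode: str = "none"    # "none", "as client", "as server"
    xauth_username: str = ""
    allowed_users: list = field(default_factory=list)


def subnets_overlap(subnets_a, subnets_b) -> bool:
    """True if any subnet in the first list shares addresses with any in the second."""
    nets_a = [ip_network(n, strict=False) for n in subnets_a]
    nets_b = [ip_network(n, strict=False) for n in subnets_b]
    return any(a.overlaps(b) for a in nets_a for b in nets_b)


def validate(conn: IPsecConnection) -> list:
    """Return (severity, message) pairs; an empty list means the settings are consistent."""
    findings = []
    policy_based = conn.connection_type in POLICY_BASED
    wildcard = conn.gateway_address == "*"
    if conn.connection_type not in CONNECTION_TYPES:
        findings.append(("error", f"unknown connection type {conn.connection_type!r}"))
    # A wildcard peer cannot be dialled, and tunnel interfaces need a concrete peer.
    if wildcard and conn.gateway_type == "initiate the connection":
        findings.append(("error", "gateway address '*' cannot be combined with 'Initiate the connection'"))
    if wildcard and conn.connection_type == "tunnel interface":
        findings.append(("error", "tunnel interfaces do not accept '*' as the gateway address"))
    # Subnet selectors and the NAT option exist only for policy-based VPNs.
    if not policy_based and (conn.local_subnets or conn.remote_subnets):
        findings.append(("error", "local/remote subnets apply only to host-to-host and site-to-site"))
    if not policy_based and conn.nat_enabled:
        findings.append(("error", "NAT option applies only to policy-based VPNs; use NAT rules for tunnel interfaces"))
    if conn.nat_enabled:
        if not conn.original_subnets:
            findings.append(("error", "NAT is enabled but no original (overlapping) subnet is selected"))
        if subnets_overlap(conn.local_subnets, conn.remote_subnets):
            findings.append(("error", "translated local subnet still overlaps the remote subnet"))
    elif policy_based and subnets_overlap(conn.local_subnets, conn.remote_subnets):
        findings.append(("error", "local and remote subnets overlap; enable NAT and choose a translated subnet"))
    # Local/Remote IDs are the extra tunnel validation the page suggests for PSK and RSA keys.
    if conn.authentication_type in {"preshared key", "rsa key"} and not (conn.local_id and conn.remote_id):
        findings.append(("warn", "set Local ID and Remote ID for preshared/RSA key authentication"))
    if conn.xauth_mode == "as client" and not conn.xauth_username:
        findings.append(("error", "XAuth 'As client' needs a username and password"))
    if conn.xauth_mode == "as server" and not conn.allowed_users:
        findings.append(("error", "XAuth 'As server' needs allowed users and groups"))
    return findings


def peers_consistent(local: IPsecConnection, remote: IPsecConnection) -> list:
    """Cross-check the two ends of one tunnel: gateway roles, auth type and XAuth pairing."""
    findings = []
    if local.gateway_type == "respond only" and remote.gateway_type == "respond only":
        findings.append(("error", "both ends are 'Respond only'; neither side will initiate the tunnel"))
    if local.authentication_type != remote.authentication_type:
        findings.append(("error", "authentication types differ between the two ends"))
    if (local.xauth_mode, remote.xauth_mode) not in {("none", "none"), ("as client", "as server"), ("as server", "as client")}:
        findings.append(("error", "XAuth modes must be none/none or client/server"))
    return findings


def translate_host(addr: str, original: str, translated: str) -> str:
    """Map a host from the original (overlapping) subnet into the translated subnet, keeping host bits."""
    orig_net, trans_net = ip_network(original, strict=False), ip_network(translated, strict=False)
    host = ip_address(addr)
    if orig_net.prefixlen != trans_net.prefixlen:
        raise ValueError("original and translated subnets must be the same size")
    if host not in orig_net:
        raise ValueError(f"{addr} is not in {original}")
    return str(trans_net.network_address + (int(host) - int(orig_net.network_address)))


if __name__ == "__main__":
    # Constructed sample: both sites use 192.168.1.0/24, so the branch translates itself to 10.2.2.0/24.
    hq = IPsecConnection("to-branch", "site-to-site", "respond only", "preshared key", "*",
                         local_subnets=["192.168.1.0/24"], remote_subnets=["10.2.2.0/24"],
                         local_id="hq", remote_id="branch")
    branch = IPsecConnection("to-hq", "site-to-site", "initiate the connection", "preshared key", "203.0.113.10",
                             local_subnets=["10.2.2.0/24"], remote_subnets=["192.168.1.0/24"],
                             original_subnets=["192.168.1.0/24"], local_id="branch", remote_id="hq", nat_enabled=True)
    for finding in validate(hq) + validate(branch) + peers_consistent(hq, branch):
        print(finding)
    print(translate_host("192.168.1.5", "192.168.1.0/24", "10.2.2.0/24"))
```

Run it against both firewalls' settings before clicking Save: `validate` flags a single configuration that the firewall would reject or that would leave the tunnel unusable, `peers_consistent` catches the classic mismatch where both ends are set to Respond only, and `translate_host` makes explicit which address the remote site must use for a host behind the NAT.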