Add an IPsec connection
You can configure host-to-host, site-to-site, and route-based IPsec connections.
- Go to VPN > IPsec connections and click Add.
- Enter a name.
- Specify the general settings:
  - IP version: The tunnel only forwards data that uses the specified IP version.
  - Connection type:
    - Remote access (legacy): Establishes a secure connection between an individual host and a private network over the internet. To establish a remote connection using this option, remote users must have a third-party VPN client. Go to the connection you configured, and download the .tar file. Extract the .tgb file, and share it with users. Users must import it to the VPN client on their endpoint devices. You can't use this configuration file with the Sophos Connect client.
    - Site-to-site: Establishes a secure connection between the local and remote subnets over the internet. This type is frequently used to connect a branch office to corporate headquarters.
    - Host-to-host: Establishes a secure connection between two hosts, for example, between two computers.
    - Tunnel interface: Establishes a route-based VPN connection and creates a tunnel interface between the two endpoints. The interface name is xfrm followed by a number. You must assign an IP address to the tunnel interface and then configure static or dynamic routing over it.
  - Gateway type: Action to take when the VPN service or the firewall restarts:
    - Disable: The connection remains inactive until a user activates it.
    - Respond only: Keeps the connection ready to respond to any incoming request.
    - Initiate the connection: Establishes the connection every time the VPN service or the firewall restarts.
    We recommend setting the gateway at your central location (for example, the head office) to Respond only and the gateways at your remote locations (for example, branch offices) to Initiate the connection. Connection errors are easier to troubleshoot using the logs on the initiating device.
  - Activate on save: Activates the connection when you save it.
  - Create firewall rule: Automatically creates a firewall rule for this connection. Review the rule's position in the firewall rule list. Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. When the matching criteria of the new rule overlap with those of an existing rule, the policies and actions of the rule at the top apply, which can lead to unplanned outcomes such as mail delivery failures or tunnels not being established.
- Specify the encryption settings:
  - Policy: IPsec policy to use for the traffic.
  - Authentication type: The authentication methods for the connection are as follows:
    - Preshared key: Authenticates endpoints using a secret known to both endpoints.
    - Digital certificate: Authenticates endpoints by exchanging certificates (self-signed or issued by a certificate authority).
    - RSA key: Authenticates endpoints using RSA keys.
  - Local certificate: Certificate the local firewall uses for authentication.
  - Remote certificate: Certificate the remote firewall uses for authentication.
  Warning: Don't use a public CA as the remote CA certificate for this connection. Anyone holding a valid certificate issued by that CA could authenticate to your connection and gain unauthorized access.
- Specify the local gateway settings:
  - Listening interface: Interface that listens for connection requests.
  - Local ID type: For preshared and RSA keys, select an ID type and type a Local ID value. Use this for additional validation of tunnels.
  - Local subnet: Local networks to which you want to provide remote access. You can only use this option with policy-based (host-to-host and site-to-site) VPNs.
- Specify the remote gateway settings:
  - Gateway address: IP address of the remote gateway. You can use a wildcard when the remote firewall has a dynamic IP address. If you specify a wildcard IP address (*), you can't set Gateway type to Initiate the connection because XG Firewall won't know with whom to connect. You can't use * for tunnel interfaces.
  - Remote ID type: For preshared and RSA keys, select an ID type and type a Remote ID value. Use this for additional validation of tunnels.
  - Remote subnet: Remote networks to which you want to provide access. You can only use this option with policy-based (host-to-host and site-to-site) VPNs.
- Optional: Select Network Address Translation (NAT) to translate the IP addresses if the local and remote subnets overlap.
  - Translated subnet: Shows the local subnets you specify in this policy. XG Firewall translates this to the actual subnet.
  - Original subnet: Select the actual subnet. It's the subnet that overlaps at your local and remote sites.
  Note: You can only use this option with policy-based (host-to-host and site-to-site) VPNs. For route-based VPNs (tunnel interfaces), configure NAT rules to translate IP addresses.
- Specify the advanced settings:
  - User authentication mode: Authenticates VPN clients based on XAuth (Extended Authentication) in client-server mode. Set the firewall at the central location to server mode. XAuth uses your current authentication mechanism, such as AD, RADIUS, or LDAP, to authenticate users after the Phase 1 exchange. Typically, organizations use this for remote access IPsec connections. Select one of the following:
    - None: Doesn't enforce user authentication.
    - As client: The local firewall acts as an XAuth client. Enter the username and password for validation with the remote firewall. On the remote firewall, set the user authentication method to As server.
    - As server: The local firewall acts as an XAuth server. Under Allowed users and groups, select the users you want to allow. On the remote firewall, set the user authentication method to As client. You must also download the configuration file and share it with users. To download the file, click Download for the connection in the list of configured connections.
    To configure the authentication server for IPsec VPNs, go to Authentication > Services > VPN authentication methods and select the servers.
  - Disconnect when idle: Disconnects idle clients from the session after the specified time.
  - Idle session time interval: Time, in seconds, after which the firewall disconnects idle clients.
- Click Save.
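The Create firewall rule note above says that automatically created rules land at the top of the rule list and are evaluated first, so overlapping match criteria let the top rule win. The following is an added example, not XG Firewall code: it models a rule list as an ordered, first-match list, shows which rule an SMTP packet bound for the branch LAN actually hits when an MTA rule sits above the IPsec rule, and lists rules that an earlier rule fully covers and that can therefore never match. The Rule fields and the sample rules are constructed for this example.

```python
"""First-match evaluation and shadow detection for a firewall rule list.

Added example, not XG Firewall code. It models the behaviour the
"Create firewall rule" note describes: the rule list is evaluated top
down, so an automatically created rule placed at the top wins whenever
its matching criteria overlap an existing rule's. The Rule fields and
the sample rules below are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                     # source network in CIDR notation
    dst: str                     # destination network in CIDR notation
    ports: Optional[frozenset]   # destination TCP ports; None means any port
    action: str

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        """True if a packet with these attributes hits this rule."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.ports is None or port in self.ports))

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.ports is None
                     or (other.ports is not None and other.ports <= self.ports)))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Optional[str]:
    """Name of the first rule, top down, that the packet matches (None if no rule matches)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.name
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule, earlier rule) pairs where the earlier rule fully covers the later one,
    so the later rule can never match a packet."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed rule list: two automatically created rules sit at the top,
# above an administrator's narrower rule and a catch-all drop.
RULES = [
    Rule("auto-mta", "0.0.0.0/0", "0.0.0.0/0", frozenset({25}), "accept"),
    Rule("auto-ipsec-branch", "192.168.1.0/24", "192.168.2.0/24", None, "accept"),
    Rule("branch-web", "192.168.1.0/24", "192.168.2.10/32", frozenset({443}), "accept"),
    Rule("default-drop", "0.0.0.0/0", "0.0.0.0/0", None, "drop"),
]

if __name__ == "__main__":
    # SMTP from the LAN to the branch LAN hits the MTA rule, not the VPN rule.
    print(first_match(RULES, "192.168.1.10", "192.168.2.10", 25))   # auto-mta
    print(first_match(RULES, "192.168.1.10", "192.168.2.10", 443))  # auto-ipsec-branch
    # branch-web can never match: auto-ipsec-branch above it covers everything it would.
    print(shadowed(RULES))  # [('branch-web', 'auto-ipsec-branch')]
```

Running `shadowed()` over an exported rule list after the firewall has inserted an automatic rule is a quick way to spot rules that the insertion silently disabled; `first_match()` answers the narrower question of which rule a specific flow will hit.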
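The remote gateway and NAT steps above state several constraints that only surface as errors once the settings are entered: a wildcard gateway address can't Initiate the connection, * isn't allowed for tunnel interfaces, subnets and the built-in NAT apply only to policy-based VPNs, and overlapping local and remote subnets need NAT. The following is an added example, not Sophos code, that encodes those constraints as a pre-flight check on a planned connection definition and shows the 1:1 subnet translation that NAT performs on a packet addressed to the translated subnet. The field names, the `netmap()` helper and the sample connections are assumptions made for this example; the prefix-preserving mapping in `netmap()` is this example's model of the translation, not a description of the firewall's implementation.

```python
"""Pre-flight checks for an IPsec connection definition.

Added example, not Sophos code. It encodes the constraints this page
states for the remote gateway and NAT steps so a planned connection can
be checked before it is entered in the GUI. The field names, netmap()
and the sample connections are assumptions made for this example; the
1:1 prefix-preserving mapping in netmap() is this example's model of
the translation, not a description of the firewall's implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

POLICY_BASED = {"site-to-site", "host-to-host"}
CONNECTION_TYPES = POLICY_BASED | {"remote access", "tunnel interface"}
GATEWAY_TYPES = {"disable", "respond only", "initiate"}


@dataclass
class IPsecConnection:
    name: str
    connection_type: str
    gateway_type: str
    gateway_address: str                        # remote gateway IP, or "*" for a dynamic peer
    local_subnets: List[str] = field(default_factory=list)
    remote_subnets: List[str] = field(default_factory=list)
    nat_original_subnet: Optional[str] = None   # actual local LAN when NAT is enabled


def validate(conn: IPsecConnection) -> List[str]:
    """Return the list of constraint violations (empty when the definition is consistent)."""
    errors = []
    if conn.connection_type not in CONNECTION_TYPES:
        return [f"unknown connection type {conn.connection_type!r}"]
    if conn.gateway_type not in GATEWAY_TYPES:
        return [f"unknown gateway type {conn.gateway_type!r}"]
    policy_based = conn.connection_type in POLICY_BASED
    wildcard = conn.gateway_address == "*"
    if wildcard and conn.gateway_type == "initiate":
        errors.append("wildcard gateway address: can't use Initiate the connection, "
                      "the firewall wouldn't know whom to connect to")
    if wildcard and conn.connection_type == "tunnel interface":
        errors.append("wildcard gateway address isn't allowed for tunnel interfaces")
    if not policy_based and (conn.local_subnets or conn.remote_subnets):
        errors.append("local/remote subnets only apply to policy-based "
                      "(host-to-host and site-to-site) VPNs")
    if conn.nat_original_subnet and not policy_based:
        errors.append("built-in NAT only applies to policy-based VPNs; "
                      "use NAT rules for tunnel interfaces")
    # With NAT enabled, the Local subnet field holds the translated subnet, which must
    # not overlap the remote side; without NAT, any overlap is a misconfiguration.
    for local in conn.local_subnets:
        for remote in conn.remote_subnets:
            if ip_network(local).overlaps(ip_network(remote)):
                errors.append(f"local {local} overlaps remote {remote}: enable NAT and "
                              "enter a non-overlapping translated subnet as Local subnet")
    return errors


def netmap(addr: str, from_subnet: str, to_subnet: str):
    """1:1 subnet translation (example model): keep the host bits, swap the network prefix."""
    src, dst = ip_network(from_subnet), ip_network(to_subnet)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 translation needs subnets of equal size")
    address = ip_address(addr)
    if address not in src:
        raise ValueError(f"{addr} is not in {from_subnet}")
    host_bits = int(address) - int(src.network_address)
    return ip_address(int(dst.network_address) + host_bits)


# Constructed connections: both sites use 192.168.1.0/24, so the local site
# presents itself to the peer as 10.10.1.0/24 and maps that back on arrival.
OVERLAP = IPsecConnection("hq-branch", "site-to-site", "respond only", "*",
                          ["192.168.1.0/24"], ["192.168.1.0/24"])
NATTED = IPsecConnection("hq-branch", "site-to-site", "respond only", "*",
                         ["10.10.1.0/24"], ["192.168.1.0/24"],
                         nat_original_subnet="192.168.1.0/24")
BAD_TUNNEL = IPsecConnection("dyn-tunnel", "tunnel interface", "initiate", "*")

if __name__ == "__main__":
    for conn in (OVERLAP, NATTED, BAD_TUNNEL):
        print(conn.name, validate(conn) or "ok")
    # A packet from the peer to 10.10.1.5 is delivered to the real host 192.168.1.5.
    print(netmap("10.10.1.5", "10.10.1.0/24", "192.168.1.0/24"))  # 192.168.1.5
```

The NATTED definition is the shape the NAT step asks for: the overlapping LAN goes in Original subnet, and the non-overlapping address range the peer will see goes in Local subnet (shown as Translated subnet), so the remote site can keep its own 192.168.1.0/24 unchanged.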