
IPsec (remote access)

You can establish remote access IPsec VPN connections using the Sophos Connect client.

You can download the Sophos Connect client by clicking Download client on the IPsec (remote access) page.

You can update to the latest version of Sophos Connect client on Backup & Firmware > Pattern updates.

To export an IPsec remote access connection, turn on IPsec remote access, specify the settings, and click Export connection. This generates a .scx file and a .tgb file.

Note

You cannot export the connection when an external certificate is selected as Remote certificate.

To revert to factory settings, click Reset.

Configure IPsec remote access connections

To allow remote access to your network through the Sophos Connect client using an IPsec connection, do as follows:

  1. To turn on IPsec remote access, click VPN > IPsec (remote access) and select Enable.
  2. Specify the settings on the page and click Apply. This creates the .scx and .tgb configuration files. The .tgb file doesn't have the advanced settings.
  3. If you don't have a firewall rule allowing traffic between the LAN and the VPN zones, add a firewall rule so that the Sophos Connect clients can access the configured LAN networks. For information on how to add a firewall rule, see Add a firewall rule. If you want to allow LAN and VPN traffic in both directions, add both LAN and VPN to the source and destination zones. If you want to allow specific traffic for each direction, you need to create separate rules.
  4. Click Export connection to download the configuration files and share the .scx file with users.

Remote users

Users can download the Sophos Connect client from the user portal. They can then import the .scx file you share with them.

The Sophos Connect client then establishes the connection.

General settings

IPsec (remote access)
  Turn it on.

Interface
  Select a WAN port, which acts as the endpoint for the tunnel.

Authentication type
  Authentication to use for the connection.

  Preshared key: Authenticates endpoints using a secret known to both endpoints.

  Digital certificate: Authenticates endpoints by exchanging certificates (locally signed or issued by a certificate authority).

Local ID
  For preshared key, select an ID type and enter a value. DER ASN1 DN [X509] isn't accepted. The Local ID identifies the local gateway to connect to and can't be the same as the Remote ID.

  Always configure the Local ID to make sure clients connect to the correct Sophos Firewall.

  The following values are available:

  DNS: Enter an FQDN (example: xg.example.com). This value isn't checked against DNS and is only used to identify the tunnel. If the value is changed, the user must download the updated configuration file.

  IP Address: Enter the WAN IP address of the Sophos Firewall.

  Email: Enter an email address (example: xg@example.com). This can be any email address. If the value is changed, the user must download the updated configuration file.

  DER ASN1 DN [X509]: Only available when Authentication type is Digital certificate. The appliance certificate is automatically selected, and the certificate values are populated.

Remote ID
  For preshared key, select an ID type and enter a value. DER ASN1 DN [X509] isn't accepted.

  The Remote ID identifies the remote client and can't be the same as the Local ID.

  You don't need to enter a Remote ID; if you leave it empty, the system uses the value ANY. Setting a Remote ID is useful if you have a lot of clients connecting through the Sophos Connect client.

  The following values are available:

  DNS: Enter an FQDN (example: xg.example.com). This value isn't checked against DNS and is only used to identify the tunnel. If the value is changed, the user must download the updated configuration file. The value must be different from the one entered for Local ID.

  IP Address: Enter an IP address. This must be different from the one entered for Local ID and can be a dummy IP address (example: 1.1.1.1).

  Email: Enter an email address (example: xg@example.com). This can be any email address. If the value is changed, the user must download the updated configuration file. This must be different from the one entered for Local ID.

  DER ASN1 DN [X509]: Only available when Authentication type is Digital certificate. You must upload the certificate to Sophos Firewall, then select it from the drop-down list next to Remote certificate.

Allowed users and groups
  Add preconfigured users and groups who can connect using the Sophos Connect client.

Note

If you haven't configured the WAN interface of Sophos Firewall with its public IP address, you must modify the configuration file in Sophos Connect Admin. Configure the target host as the public IP address or FQDN of Sophos Firewall.

Client information

Name
  Specify a name for the connection.

Assign IP from
  Range from which an IP address is leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.

  The IP address range leased to the IPsec remote access clients mustn't contain IP addresses that are in use.

Allow leasing IP address from RADIUS server for L2TP, PPTP, and IPsec remote access
  When users are authenticated using a RADIUS server, use the IP address provided by the RADIUS server. If the RADIUS server provides no addresses, Sophos Firewall assigns the static address configured for the user or leases an address from the specified range.

DNS server 1, DNS server 2
  Primary and secondary DNS servers to use for the connection.
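The Local ID / Remote ID rules in General settings and the "Assign IP from" rules above are easy to get wrong before clicking Export connection. The following added example (not Sophos code; function names, messages and the sample values in the checks are assumptions) lints a planned configuration against those rules:

```python
import ipaddress

# Added example, not Sophos code: lints the Local ID / Remote ID rules and the
# "Assign IP from" rules described on this page before you export a connection.
# Function names, messages and sample values are assumptions for this example.

PSK_ID_TYPES = {"DNS", "IP Address", "Email"}  # DER ASN1 DN needs Digital certificate


def check_ids(auth_type, local_id, remote_id=None):
    """local_id / remote_id are (type, value) tuples; remote_id=None means ANY.
    DNS and Email values are not resolved or validated: they only name the tunnel."""
    problems = []
    ltype, lvalue = local_id
    if not lvalue:
        # The page says to always set the Local ID so clients reach the right firewall.
        problems.append("Local ID must be configured")
    elif auth_type == "Preshared key" and ltype not in PSK_ID_TYPES:
        problems.append(f"Local ID type {ltype} isn't accepted with a preshared key")
    if remote_id is not None:
        rtype, rvalue = remote_id
        if auth_type == "Preshared key" and rtype not in PSK_ID_TYPES:
            problems.append(f"Remote ID type {rtype} isn't accepted with a preshared key")
        elif rvalue == lvalue:
            problems.append("Remote ID must differ from Local ID")
    # An IP Address ID may be a dummy address (1.1.1.1), but it must still parse.
    for label, (itype, value) in (("Local ID", local_id), ("Remote ID", remote_id or ("", ""))):
        if itype == "IP Address":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{label} {value!r} is not an IP address")
    return problems


def check_lease_range(cidr, in_use=()):
    """The 'Assign IP from' pool must be private, have at least a 24-bit
    netmask (/24 or longer) and contain no address that is already in use."""
    net = ipaddress.ip_network(cidr, strict=False)
    problems = []
    if not net.is_private:
        problems.append(f"{net} is not a private range")
    if net.prefixlen < 24:
        problems.append(f"{net} has fewer than 24 netmask bits")
    clashes = [a for a in in_use if ipaddress.ip_address(a) in net]
    if clashes:
        problems.append(f"{net} contains addresses already in use: {clashes}")
    return problems
```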

Idle settings

Disconnect when tunnel is idle
  Disconnects idle clients from the session after the specified time.

Idle session time interval
  Time, in seconds, after which the firewall disconnects idle clients.

Advanced settings

Sophos Firewall only adds these settings to the .scx file used with Sophos Connect clients. The .tgb file won't have these settings. The .tgb file is compatible with third-party clients.

Note

If you update any of the advanced settings, for the changes to take effect, you must share the configuration file again with the users.

Use as default gateway
  Turn it on to send all traffic, including external internet requests, to the interface you specify for IPsec remote access. To allow the Sophos Connect client users to send their internet requests through Sophos Firewall, you must configure a firewall rule with the source zone set to VPN and the destination zone set to WAN.

  Turn this option off to allow access only to permitted resources within the network. For traffic outside the network, the client then connects to the internet directly.

  This setting applies to all the Allowed users and groups you specify in the General settings. If you want to turn on this option for some users and turn it off for other users, use SSL VPN (remote access).

Permitted network resources (IPv4)
  Select the resources to which this policy permits access.

Send Security Heartbeat through tunnel
  If the Sophos Endpoint Protection client is installed on users' endpoint devices, it sends a heartbeat to Sophos Firewall through the tunnel.

Allow users to save username and password
  Allows users to save their credentials on their device. User credentials are stored securely using keychain services.

  We recommend turning this option on if you select Connect tunnel automatically.

Prompt users for 2FA token
  Turn it on if you've configured multi-factor authentication for VPN users on Authentication > One-time password or using third-party OTP tokens.

  Sophos Firewall asks users to enter an MFA token and then appends the token to the password when users sign in.

Run AD logon script after connecting
  Select to run the script that applies automatically to Active Directory users when they sign in. For example, you can run scripts that map network drives and set default resources the user can access.

Connect tunnel automatically
  Select to automatically turn on the connection when users sign in to their endpoint devices.

Hostname or DNS suffix to monitor
  Enter a hostname or DNS suffix within the network. It helps you monitor automatic connections, showing whether the user's endpoint device is connected to the host through the tunnel.

  Specify a hostname or suffix that can only be resolved through an internal DNS server. You need to allow ICMP probes for the host.

Assign client DNS suffix
  Enter the DNS suffix. Sophos Firewall appends the domain name to all clients when they connect.
