Last update: 2021-10-15

VPN settings

Define the settings required for remote access using SSL VPN and L2TP. These include protocols, server certificates, and IP addresses for clients.


Protocol: Protocol that all SSL VPN clients must use. TCP is recommended for applications that require high reliability such as email, web surfing, and FTP. UDP is suitable for applications that need fast, efficient transmission such as streaming media, DNS, VoIP, and TFTP.

SSL server certificate: Certificate to be used by the SSL VPN server to identify itself to clients.

Override hostname: Hostname to use if the firewall hostname is not reachable. Leave this field empty if you want the firewall hostname to be the target hostname for client VPN connections.

Port: If required, change the port number on which the SSL VPN server is listening.

Scenario one: SSL VPN traffic can flow through any WAN IP address. However, when you configure the same port (for example, 443) and protocol (TCP) for SSL VPN and WAF, SSL VPN traffic can’t flow through the IP address (Hosted address) configured in the WAF rules.

Here's an example:

WAN IP address Any WAN IP address except
Port 443 443
Protocol TCP TCP

Scenario two: When you configure SSL VPN and WAF over different protocols, SSL VPN can additionally use the IP address (Hosted address) and port configured for WAF. To do this, you must configure UDP for SSL VPN since WAF always uses TCP.

Here's an example:

WAN IP address Any WAN IP address, including
Port 443 443
Protocol TCP UDP

IPv4 lease range: IPv4 address range for SSL clients. This should be a private IP address range.

Subnet mask: Subnet mask to use for the IPv4 address range.

IPv6 lease (IPv6 prefix): IPv6 address range for SSL clients.

Lease mode: Allocate only IPv4 addresses or both IPv4 and IPv6 addresses.

IPv4 DNS: Primary and secondary DNS servers for your organization.

IPv4 WINS: Primary and secondary Windows Internet Naming Service (WINS) servers for your organization.

Domain name: Hostname of the firewall. Must be specified as a fully qualified domain name (FQDN). The hostname is used in notification messages to identify the firewall.

Disconnect dead peer after: Time, in seconds, after which a dead connection will be terminated by the firewall.

Disconnect idle peer after: Time, in minutes, after which an idle connection will be terminated by the firewall.

Encryption algorithm: Algorithm to use for encrypting the data sent through the VPN tunnel.

Authentication algorithm: Algorithm to use for authenticating messages.

Key size: Key size, in bits. Longer keys are more secure.

Key lifetime: Time, in seconds, after which keys will expire.

Compress SSL VPN traffic: Compress data sent through SSL VPN tunnels prior to encryption.

Enable debug mode: Provide extended information in the SSL VPN log file that is useful for debugging purposes.


  • To allow users to access your network through L2TP, specify settings and click Apply. Then, click Add members and select users.
  • To view users who are allowed access using L2TP, click Show members.

Enable L2TP: Allow access to your network by specified users through L2TP.

Assign IP from: Range from which an IP address is leased to the client. The client uses the assigned address for the duration of the connection. This must be a private IP address range with at least a 24-bit netmask.


L2TP and PPTP ranges mustn't overlap with this range.

Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client: When users are authenticated using a RADIUS server, use the IP address provided by the RADIUS server. If the RADIUS server provides no addresses, Sophos Firewall assigns the static address configured for the user or leases an address from the specified range.

Client information: Primary DNS server to use for connections. Optionally, you can specify a secondary DNS server and WINS servers.
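The address rules above (IPv4 lease range and Assign IP from) can be checked before the values are entered. The following is an added example, not Sophos code: it assumes "private" means RFC 1918 space, reads "at least a 24-bit netmask" as "the range fits inside a single /24", and treats all client pools as mutually non-overlapping. The pool names and addresses are constructed sample values.

```python
import ipaddress
from itertools import combinations

# RFC 1918 private IPv4 space (assumed meaning of "private IP address range").
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(start, end):
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError(f"range {start}-{end} is reversed")
    return first, last

def is_private(first, last):
    # Every CIDR block covering the range must sit inside one RFC 1918 block.
    blocks = ipaddress.summarize_address_range(first, last)
    return all(any(b.subnet_of(p) for p in RFC1918) for b in blocks)

def fits_prefix(first, last, prefix):
    # True when both ends of the range fall in the same /prefix network.
    net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
    return last in net

def validate(pools):
    """pools: {name: (start, end, min_prefix or None)} -> list of findings."""
    findings, parsed = [], {}
    for name, (start, end, min_prefix) in pools.items():
        first, last = parse(start, end)
        parsed[name] = (first, last)
        if not is_private(first, last):
            findings.append(f"{name}: not entirely private address space")
        if min_prefix and not fits_prefix(first, last, min_prefix):
            findings.append(f"{name}: spans more than one /{min_prefix}")
    # Two inclusive ranges overlap when each starts before the other ends.
    for (a, (a1, a2)), (b, (b1, b2)) in combinations(parsed.items(), 2):
        if a1 <= b2 and b1 <= a2:
            findings.append(f"{a} overlaps {b}")
    return findings

# Constructed sample plan (not from the page); 24 marks the L2TP /24 rule.
PLAN = {
    "ssl_vpn": ("10.81.234.5", "10.81.234.55", None),
    "l2tp":    ("10.81.234.50", "10.81.235.20", 24),
    "pptp":    ("172.32.0.10", "172.32.0.50", None),
}

if __name__ == "__main__":
    for finding in validate(PLAN):
        print(finding)
```

The sample plan is deliberately wrong in three ways: the L2TP range crosses a /24 boundary, the PPTP range sits just outside 172.16.0.0/12, and the SSL VPN and L2TP ranges share addresses.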
