Skip to content

IPsec connections

You can configure and manage IPsec VPN connections and failover groups.

You can configure IPsec connections to allow cryptographically secure communication over the public network between two Sophos Firewall devices or between a Sophos Firewall and third-party firewall.

You can configure IPsec VPN connections as follows:

  • Policy-based connections between a pair of hosts or sites
  • Route-based connections between two sites
  • Remote access IPsec VPN connections


With FIPS turned on, certain encryption restrictions apply to ensure a certain encryption strength. For details, see VPN encryption restrictions with FIPS.

IPsec policies

IPsec policies specify the encryption and authentication algorithms and key exchange mechanisms for policy-based and route-based IPsec connections. In IPsec policies, you define the phase 1 and phase 2 security parameters.

You can edit the default IPsec policies or clone them and create custom policies. You can assign a default or custom IPsec policy to IPsec connections. Sophos Firewall establishes IPsec connections based on matching IPsec policies configured at the connection's local and remote ends.

IPsec connections

You can configure policy-based (host-to-host and site-to-site) and route-based (tunnel interface) IPsec connections.

Policy-based connections: You must configure policy-based IPsec connections and the corresponding firewall rules at both networks. If the local and remote subnets overlap, you must specify the NAT setting within the IPsec configuration. To configure IPsec remote access (legacy), host-to-host, or site-to-site connections, you can do one of the following:

  • Click Add and specify the settings.
  • Click Wizard and allow the assistant to help you specify the settings. You can't edit connections using the assistant.

Route-based connections: Currently, you can't create route-based connections using the assistant. When you configure a route-based IPsec connection, Sophos Firewall automatically creates a virtual tunnel interface. The interface appears as an xfrm interface on Network > Interfaces.


Physical interfaces with a virtual interface assigned to them, for example xfrm or VLAN interfaces, have a blue bar on the left. To see the xfrm interface, click the listening interface you've used to configure the route-based IPsec connection. The xfrm interface then appears below this interface.

Interfaces configured with an xfrm interface

You must assign an IP address to the xfrm interface. You then configure the corresponding firewall rules. When the local and remote subnets overlap, you must configure the corresponding NAT rules (Rules and policies > NAT rules). You must configure static, SD-WAN, or dynamic routes for the xfrm interface.


By default, MASQ in an SNAT rule translates the original IP address to the WAN IP address.

However, for route-based VPNs, the firewall translates the original source to the XFRM IP address for the translated source set to MASQ.

You can see the XFRM IP address in TCP dump and packet capture. The IP addresses are shown as follows:
WAN IP address: On the outer IP header of the encapsulated packet.
XFRM IP address: On the inner IP header for the source.

IPsec routes

Sophos Firewall creates IPsec routes automatically when policy-based IPsec tunnels are established. However, you must add IPsec routes for some traffic manually. Some examples are as follows:


If a static or SD-WAN route applies to the remote subnets specified in a policy-based IPsec connection, make sure you set the route precedence to VPN route before static or SD-WAN route. You can do this on the CLI. See the following example:
system route_precedence set vpn static sdwan_policyroute

See how to set route precedence.

Connection status

Connection statuses are of the following two types:

  • Active (active-inactive status): To activate a connection, you can click Activate on save during the configuration. Alternatively, you can click the Active status Icon showing activation status for the connection from the list of configured connections.
  • Connection (established-not established): To establish a connection, you can click Connection status Icon showing connection status for the connection from the list of configured connections.
Active Connection Description
Button showing active status Icon showing connections aren't established Connection is active, but tunnel isn't established.
Button showing active status Icon showing connections are established Connection is active, and tunnels are established.
Button showing active status Icon showing at least one connection's not established Connection is active, but at least one tunnel isn't established. When you configure more than one local or remote subnet, Sophos Firewall establishes a tunnel for each local and remote subnet pair.
Button showing inactive status Icon showing connections aren't established Connection is inactive.

Failover group

A failover group is a sequence of IPsec connections. If the primary connection fails, the next active connection in the group automatically takes over.

Automatic failback: Sophos Firewall checks the remote gateway's health based on the failover condition you specify for the group. It performs the health check at the interval you specify for Gateway failover time-out on Network > WAN link manager.

When the remote gateway is live again, Sophos Firewall tries to restore the primary IPsec connection. If it's unable to restore it, it continues to use the secondary connection and won't check the primary connection again for automatic failback. It will only fail back to the primary if the secondary connection's remote gateway goes down. To restore the primary connection manually, go to the failover group list, and click the status button off and then on for the group. This involves downtime.

When the failover group contains more than two IPsec connections, Sophos Firewall fails back to the first available connection in the group's Member connections.

  • To activate a group and establish the primary connection, click Status Button for changing the status.

Turning off a failover group deactivates the active tunnels belonging to the group. You must activate these tunnels individually if required.

Options for IPsec remote access VPN

IPsec (remote access): We recommend using the IPsec (remote access) configuration rather than the remote access (legacy) configuration. With IPsec (remote access), users can connect using the Sophos Connect client, which allows you to enforce advanced security and flexibility settings.

Users can download the Sophos Connect client from the user portal.

You can use the configuration without the advanced settings with third-party VPN clients.

To configure IPsec (remote access) and download the configuration file, go to VPN > IPsec (remote access).

Remote access (legacy): We recommend that you don't configure new connections using this option. You can go to VPN > IPsec connections and set the connection type to Remote access (legacy).

More resources