
Add an IPsec connection

You can configure host-to-host, site-to-site, and route-based IPsec connections.

For remote access IPsec connections, we recommend that you configure VPN > IPsec (remote access) rather than the remote access (legacy) option.

  1. Go to VPN > IPsec connections and click Add.
  2. Enter a name.
  3. Specify the general settings:

    IP version: The tunnel only forwards data that uses the specified IP version.

    Connection type: Select one of the following.

    • Remote access (legacy): Establishes a secure connection between an individual host and a private network over the internet. To establish a remote connection using this option, remote users must have a third-party VPN client.

      Go to the connection you configured, and download the .tar file. Extract the .tgb file, and share it with users. Users must import it to the VPN client on their endpoint devices. You can't use this configuration file with the Sophos Connect client.

    • Site-to-site: Establishes a secure connection between the local and remote subnets over the internet. You can use this connection to connect a branch office to corporate headquarters.

    • Host-to-host: Establishes a secure connection between two hosts, for example between two computers.

    • Tunnel interface: Establishes a route-based VPN connection and creates a tunnel interface between two endpoints. The interface name is xfrm, followed by a number. You must assign an IP address to the tunnel interface and then configure static or dynamic routing.

    Gateway type: Action to take when the VPN service or the firewall restarts.

    • Disable: Connection remains inactive until a user activates it.

    • Respond only: Keeps the connection ready to respond to any incoming request.

    • Initiate the connection: Establishes the connection every time the VPN service or the firewall restarts.

    We recommend setting the gateway at your central location (example: head office) to Respond only and the gateway at your remote locations (example: branch offices) to Initiate the connection.

    Activate on save: Activates the connection.

    Create firewall rule: Creates a firewall rule automatically for this connection.

    Review the rule position on the firewall rule list. Automatically created firewall rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the firewall rule list and are evaluated first. The policies and actions of the rule at the top will apply, which may lead to unplanned outcomes, such as failure in mail delivery or tunnels not being established, when the matching criteria of the new and existing rules overlap.

  4. Specify the encryption settings.

    Policy: IPsec policy to use for the traffic.

    Authentication type: The authentication methods for the connection are as follows.

    • Preshared key: Authenticates endpoints using a secret known to both endpoints. Store this key. You must enter it on the remote firewall.

      All IPsec connections using a preshared key between this configuration's listening interface and remote gateway will use the key you configure here.

    • Digital certificate: Authenticates endpoints by exchanging certificates (locally signed or issued by a certificate authority).

    • RSA key: Authenticates endpoints using RSA keys.

    Local certificate: Certificate used for authentication by the local firewall.

    Remote certificate: Certificate used for authentication by the remote firewall.

    Remote CA certificate: The local firewall authenticates the remote certificate based on the remote CA certificate.

    Using a public CA certificate is a security risk. Don't use a public CA as the remote CA certificate: any holder of a valid certificate from that CA, including an attacker, could authenticate and gain unauthorized access to your connections.

  5. Specify the local gateway settings.

    Listening interface: Interface that listens for connection requests.

    Local ID type: For preshared and RSA keys, select an ID type, and type a Local ID value. You can use this for additional validation of tunnels or to identify the firewall during NAT traversal.

    NAT traversal is always on. The local and remote IDs enable the firewall to identify a remote firewall that's behind a router and has a private IP address.

    Local subnet: Local networks to which you want to provide remote access.

    You can only use this option with policy-based (host-to-host and site-to-site) VPNs.

  6. Specify the remote gateway settings.

    Gateway address: IP address or DNS hostname of the remote gateway.

    You can't use the wildcard address (*) for the following:

    • Gateway type set to Initiate the connection.
    • Connection type set to Tunnel interface. You can use instead for tunnel interfaces with Gateway type set to Respond only.

    We recommend the following:

    • Don't use the wildcard address when the firewall initiates the connection. Use a DNS hostname when the remote gateway has a dynamic IP address.
    • Authentication type: Don't use a preshared key. The firewall uses the same preshared key for all IPsec connections from the local gateway you specify to a wildcard remote gateway address.

    Remote ID type: For preshared and RSA keys, select an ID type, and type a Remote ID value. Use this for additional validation of tunnels.

    You can enter any unique FQDN or hostname, IP address, or email address. For DER ASN1 DN [X.509], paste the distinguished name of the remote firewall's certificate.

    Remote subnet: Remote networks to which you want to provide access.

    You can only use this option with policy-based (host-to-host and site-to-site) VPNs.

  7. Select Network Address Translation (NAT) to translate the IP addresses if the local and remote subnets overlap.

    • Translated subnet: Shows the local subnets you specify in this policy. Sophos Firewall translates this to the actual subnet.
    • Original subnet: Select the actual subnet. It's the overlapping subnet at your local and remote sites.

    You can only use this option with policy-based (host-to-host and site-to-site) VPNs. Configure NAT rules to translate IP addresses for route-based VPNs (tunnel interfaces).

  8. Specify the advanced settings:

    User authentication mode: Authenticates VPN clients based on XAuth (Extended authentication) in client-server mode. Set the firewall in the central location to server mode.

    XAuth uses your current authentication mechanism, such as AD, RADIUS, or LDAP, to authenticate users after the Phase 1 exchange. Typically, organizations use this for remote access IPsec connections.

    Select one of the following:

    • None: Doesn't enforce user authentication.
    • As client: The local firewall acts as an XAuth client. Enter the username and password for validation with the remote firewall.

      On the remote firewall, set the user authentication mode to As server.

    • As server: The firewall acts as an XAuth server. Under Allowed users and groups, select the users you want to allow.

      On the remote firewall, set the user authentication mode to As client.

    You must also download the configuration file and share it with users. To download the file, click Download for the connection in the list of configured connections.

    To configure the authentication server for IPsec VPNs, go to Authentication > Services > VPN authentication methods and select the servers.

    Disconnect when idle: Disconnects idle clients from the session after the specified time.

    Idle session time interval: Time, in seconds, after which the firewall disconnects idle clients.
  9. Click Save.
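The constraints and recommendations in steps 3 to 7 (wildcard gateway address, preshared key with a wildcard, subnets on tunnel interfaces, public CA as remote CA, overlapping subnets that need NAT, and Respond only at the central site) can be checked before you click Save. The following is an added example, not Sophos code and not part of this page: a small Python linter over a hypothetical connection record whose field names and option strings are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

WILDCARD = "*"                       # the wildcard gateway address described above
POLICY_BASED = {"site-to-site", "host-to-host"}

@dataclass
class IPsecConn:
    """Hypothetical record of one connection's settings (field names are assumptions)."""
    name: str
    connection_type: str             # site-to-site | host-to-host | tunnel-interface | remote-access
    gateway_type: str                # disable | respond-only | initiate
    auth_type: str                   # psk | certificate | rsa
    gateway_address: str             # IP address, DNS hostname, or WILDCARD
    local_subnets: list = field(default_factory=list)
    remote_subnets: list = field(default_factory=list)
    remote_ca_is_public: bool = False

def lint(c: IPsecConn) -> list:
    """Return the page's constraints and recommendations that connection c violates."""
    f = []
    wildcard = c.gateway_address == WILDCARD
    if wildcard and c.gateway_type == "initiate":
        f.append("wildcard gateway address not allowed with Initiate the connection")
    if wildcard and c.connection_type == "tunnel-interface":
        f.append("wildcard gateway address not allowed with Tunnel interface")
    if wildcard and c.auth_type == "psk":
        f.append("preshared key with wildcard gateway: one key serves every such connection")
    if c.connection_type not in POLICY_BASED and (c.local_subnets or c.remote_subnets):
        f.append("local/remote subnets only apply to policy-based VPNs; route tunnel interfaces instead")
    if c.auth_type == "certificate" and c.remote_ca_is_public:
        f.append("public CA as remote CA certificate: any certificate from that CA would authenticate")
    for lo in c.local_subnets:       # overlapping local and remote subnets need the NAT option
        for rem in c.remote_subnets:
            if ipaddress.ip_network(lo).overlaps(ipaddress.ip_network(rem)):
                f.append(f"local {lo} overlaps remote {rem}: enable NAT with a translated subnet")
    return f

def lint_pair(central: IPsecConn, branch: IPsecConn) -> list:
    """Check the recommended gateway types for a head office / branch office pair."""
    f = []
    if central.gateway_type != "respond-only":
        f.append(f"{central.name}: central gateway should be Respond only")
    if branch.gateway_type != "initiate":
        f.append(f"{branch.name}: remote gateway should be Initiate the connection")
    return f
```

Run lint() on each connection and lint_pair() on each central/branch pair; an empty list means the settings are consistent with the rules above.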
