FAQs for remote access VPN

See the following table for VPN clients and configurations for the supported endpoint platforms:

See Supported platforms for Sophos Connect client.

The Sophos Connect client only uses the gateways entered in the .pro file to connect to the VPN portal and fetch the remote access VPN configurations. These gateways aren't used for establishing VPN connections.

IPsec: Tunnels are established using the interface you select in the configuration.

SSL VPN: Tunnels are established over the interfaces configured on Network > Interfaces if you've allowed SSL VPN from their zones (Administration > Device access > Local service ACL). These are listed in the .ovpn file.

To use the public IP address or a specific IP address for SSL VPN, go to SSL VPN global settings and enter it in Override hostname. See SSL VPN global settings.

Provisioning file: Enter the FQDN or public IP address of the router. Configure the router's DNAT settings to forward the traffic to the firewall.

IPsec: In the .scx file, manually change the gateway address to the router's WAN IP address, then configure the router's settings.

SSL VPN: On SSL VPN global settings, set Override hostname to the public FQDN or the router's WAN IP address, then configure the router's settings.

IPsec: Users must click Edit connection on the Sophos Connect client, click Update policy, and download the configuration from the VPN portal.

SSL VPN: For changes to the port, protocol, gateway, and SSL server certificate on SSL VPN global settings, users must click Update policy in the client. See When SSL VPN users must download the configuration again.

If you use the .pro file, it automatically fetches some SSL VPN configuration updates. Alternatively, reinstall the .pro file on users' endpoints to fetch the IPsec and SSL VPN configurations again.

The error appears if you use the firewall's default certificate for the web admin console and the VPN portal (Administration > Admin and user settings). The .pro file connects to the VPN portal to fetch the VPN configurations resulting in the error because the default certificate's private.

See Remove untrusted certificate error.

Go to Authentication > Multi-factor authentication and configure MFA. See Configure MFA with an authenticator app

Make sure you select the following:

• User portal
• SSL VPN remote access
• IPsec remote access

To show the third input field, do as follows:

• IPsec: Go to Remote access > IPsec. Under Advanced settings, select Prompt users for 2FA token and click Apply.

• IPsec and SSL VPN: Set the following values in the provisioning file:

  • otp: true
  • 2fa: 1

  See Set up MFA for remote access SSL VPN.

No. Currently, the Sophos Connect client doesn't support OTP challenge. It sends the password and OTP details in passwordotp format to the authentication server. So, when the authentication server sends an OTP challenge, it doesn't receive the OTP alone, and authentication doesn't take place.

The Sophos Connect client supports Call and Push-based MFA. The VPN portal and web admin console support challenge-based MFA in addition to these.

Currently, you can only establish remote access IPsec connections on a single WAN interface.

The firewall runs SSL VPN tunnels in multiple instances, depending on the number of CPUs in the model. Each instance creates a tun0 interface, which requires an independent subnet for routing and internal traffic distribution.

The firewall automatically slices subnets from the configured network address and subnet and assigns them to the tun0 interfaces. Smaller subnets, such as /25 and smaller, result in fewer IP addresses for lease.

For example, a 192.168.0.0/27 network in a firewall with eight concurrent instances has a single leasable IP address after assigning the subnets to the eight tun0 interfaces.