FAQs for remote access VPN
Basic FAQs
Can I establish remote access IPsec and SSL VPN tunnels on Windows, macOS, and mobile platforms?
See the following table for VPN clients and configurations for the supported endpoint platforms:
Endpoint OS | IPsec | SSL VPN
---|---|---
Windows | Sophos Connect client | Sophos Connect client
macOS | Sophos Connect client | Third-party VPN client
Android | Third-party VPN client | Third-party VPN client
iOS | No client required. Download configuration from VPN portal. | Third-party VPN client
Are remote access VPN connections encrypted?
Yes, all traffic between the firewall and the VPN clients is encrypted.
To see the encryption settings, do as follows:
- IPsec VPN: Go to Remote access VPN > IPsec and click IPsec profiles. On the IPsec profiles tab, see Encryption algorithm.
- SSL VPN: Go to Remote access VPN > SSL VPN and click SSL VPN global settings. On the SSL VPN global settings tab, see Cryptographic settings.
Provisioning file
SSL VPN connections are established on gateways that aren't configured in the provisioning (.pro) file.
The Sophos Connect client only uses the gateways entered in the .pro file to connect to the VPN portal and fetch the remote access VPN configurations. These gateways aren't used for establishing VPN connections.
IPsec: Tunnels are established using the interface you select in the configuration.
SSL VPN: Tunnels are established over the interfaces configured on Network > Interfaces if you've allowed SSL VPN from their zones (Administration > Device access > Local service ACL). These are listed in the .ovpn file.
To use the public IP address or a specific IP address for SSL VPN, go to SSL VPN global settings and enter it in Override hostname. See SSL VPN global settings.
How can I use the provisioning and configuration files if the firewall is behind a router?
Provisioning file: Enter the FQDN or public IP address of the router. Configure the router's DNAT settings to forward the traffic to the firewall.
IPsec: In the .scx file, manually change the gateway address to the router's WAN IP address, then configure the router's settings.
SSL VPN: On SSL VPN global settings, set Override hostname to the public FQDN or the router's WAN IP address, then configure the router's settings.
When should users manually import IPsec and SSL VPN configuration changes to the Sophos Connect client?
IPsec: Users must click Edit connection on the Sophos Connect client, click Update policy, and download the configuration from the VPN portal.
SSL VPN: For changes to the port, protocol, gateway, and SSL server certificate on SSL VPN global settings, users must click Update policy in the client. See When SSL VPN users must download the configuration again.
If you use the .pro file, it automatically fetches some SSL VPN configuration updates. Alternatively, reinstall the .pro file on users' endpoints to fetch the IPsec and SSL VPN configurations again.
Untrusted certificate error appears when the provisioning file is used.
The error appears if you use the firewall's default certificate for the web admin console and the VPN portal (Administration > Admin and user settings). The .pro file connects to the VPN portal to fetch the VPN configurations, resulting in the error because the default certificate's private.
Multi-factor authentication
How do I implement MFA for remote access VPN users?
Go to Authentication > Multi-factor authentication and configure MFA. See Configure MFA with an authenticator app.
Make sure you select the following:
- User portal
- SSL VPN remote access
- IPsec remote access
How do I implement an independent input field for OTP in the Sophos Connect client?
To show the third input field, do as follows:
- IPsec: Go to Remote access > IPsec. Under Advanced settings, select Prompt users for 2FA token and click Apply.
- IPsec and SSL VPN: Set the following values in the provisioning file:
  - otp: true
  - 2fa: 1
  - otp:
Does Sophos Connect client support challenge-based MFA?
No. Currently, the Sophos Connect client doesn't support OTP challenge. It sends the password and OTP details in passwordotp format to the authentication server. So, when the authentication server sends an OTP challenge, it doesn't receive the OTP alone, and authentication doesn't take place.
The Sophos Connect client supports Call and Push-based MFA. The VPN portal and web admin console support challenge-based MFA in addition to these.
Remote access IPsec
Can I establish remote access IPsec connections on more than one WAN interface?
Currently, you can only establish remote access IPsec connections on a single WAN interface.
Remote access SSL VPN
Why can't I add subnets smaller than /24 in SSL VPN global settings?
The firewall runs SSL VPN tunnels in multiple instances, depending on the number of CPUs in the model. Each instance creates a tun0 interface, which requires an independent subnet for routing and internal traffic distribution.
The firewall automatically slices subnets from the configured network address and subnet and assigns them to the tun0 interfaces. Smaller subnets, such as /25 and smaller, result in fewer IP addresses for lease.
For example, a 192.168.0.0/27 network in a firewall with eight concurrent instances has a single leasable IP address after assigning the subnets to the eight tun0 interfaces.