Remote access IPsec settings
You can configure the remote access IPsec VPN settings. You can then export the connection and share the configuration file with users.
If you update any general or advanced settings, you must share the configuration file again with users for the changes to take effect. The
.tgb file contains only the general settings, and the
.scx file contains both general and advanced settings.
- Go to Remote access VPN > IPsec.
- Specify the following settings.
|IPsec remote access
|Click Enable to turn it on.
|Select a WAN port, which acts as the endpoint for the tunnel.
Select a profile to apply the phase 1 and phase 2 IKE (Internet Key Exchange) parameters.
You can only select IKEv1 profiles with Dead Peer Detection (DPD) turned off or set to Disconnect.
|Authentication to use for the connection.
Preshared key: If you use a preshared key, it's added to the configuration file. Users don't need to know the preshared key.
Digital certificate: You can use locally-signed certificates or those issued by a certificate authority.
Make sure the certificate has a certificate ID.
|If you've selected a digital certificate, upload a remote certificate, or configure a locally-signed certificate on Certificates > Certificates, then select it here.
Don't select the option External certificate.
We recommend configuring a local ID to make sure clients connect to the correct Sophos Firewall.
Local IDs are only used to identify the tunnel's firewall end. So, you can enter any DNS, IP address, or email address.
Select from the following options:
We recommend configuring the remote ID to identify the remote clients. It can't be the same as the local ID.
Remote IDs are only used to identify the tunnel's remote end. So, you can enter any DNS, IP address, or email address.
Select from the following options:
|Allowed users and groups
Add preconfigured users and groups who can connect through remote access IPsec tunnels.
Guest users don't have access to remote access IPsec and SSL VPNs. So, you can't add guest users and guest groups.
|Enter a name for the connection.
|Assign IP from
|Enter a private IP address to lease to the clients. The range must belong to at least a
/24 subnet and must not be in use elsewhere.
|Allow leasing IP address from RADIUS server for L2TP, PPTP, and IPsec remote access
|Select this to use the IP addresses from the RADIUS server if you're using RADIUS authentication. If the RADIUS server doesn't provide the addresses, Sophos Firewall assigns the static address configured for the user or leases an address from the specified range.
DNS server 1
DNS server 2
|Primary and secondary DNS servers to use for the connection.
|Disconnect when tunnel is idle
|Disconnects idle clients from the session after the specified time.
|Idle session time interval
|Time, in seconds, after which the firewall disconnects idle clients.
When users try to reconnect after the firewall disconnects idle clients, the Sophos Connect client reinitiates the session in the background. If users still can't connect, they must click Disconnect, then click Connect on the client to reinitiate the session.
Sophos Firewall only adds the advanced settings to the
.scx file used with Sophos Connect clients. The
.tgb file won't have these settings. The
.tgb file is compatible with third-party clients.
|Use as default gateway
Turn it on to send all traffic, including external internet requests, to the interface you specify for IPsec remote access. To allow the Sophos Connect client users to send their internet requests through Sophos Firewall, you must configure a firewall rule with the source zone set to VPN and the destination zone set to WAN.
Turn this option off to allow access only to permitted resources within the network. The client then connects to the internet for traffic outside the network.
This setting applies to all the Allowed users and groups you specify in the General settings. If you want to turn on this option for some users and turn it off for other users, use SSL VPN (remote access).
|Permitted network resources (IPv4)
|Select the resources this policy permits access to.
|Send Security Heartbeat through tunnel
|If the Sophos Endpoint Protection client is installed on users' endpoint devices, it sends a heartbeat to Sophos Firewall through the tunnel.
|Allow users to save username and password
It allows users to save their credentials on their device. User credentials are stored securely using keychain services.
We recommend turning this option on if you select Connect tunnel automatically.
|Prompt users for 2FA token
Shows an independent input field on the Sophos Connect client for users to enter the OTP. If it's turned off, users must enter the OTP in the password field in the following format:
Currently, the firewall sends the details in
This field requires you to configure MFA for remote access IPsec on Authentication > Mutli-factor authentication or with third-party OTP tokens.
The SCCLI, a command-line tool to manage connections in Sophos Connect Client, doesn't work if you turn this option on.
|Run AD logon script after connecting
|Select to run the script that applies automatically to Active Directory users when they sign in. For example, you can run scripts that map network drives and set default resources the user can access.
|Connect tunnel automatically
|Select to automatically turn on the connection when users sign in to their endpoint devices.
|Hostname or DNS suffix to monitor
|Enter a hostname or DNS suffix within the network. It helps you monitor automatic connections, showing whether the user's endpoint device is connected to the host through the tunnel.
Specify a hostname or suffix that can only resolve through an internal DNS server. You need to allow ICMP probes for the host.
|Assign client DNS suffix
|Enter the DNS suffix (example:
test.local) to add to the remote endpoint's network adapter. The suffix is appended to hostnames, forming an FQDN, to resolve the endpoint's DNS queries.
Full tunnel: If you've turned on Use as default gateway under the advanced settings, Sophos Firewall establishes a single Encapsulating Security Payload (ESP) Security Association (SA). If there's no data traffic within the idle time, it deletes the SA and the tunnel.
Split tunnel: If you've specified Permitted network resources under the advanced settings, Sophos Firewall creates as many ESP SAs as the number of subnets. For example, if you've selected four subnets, the firewall establishes four tunnels.
It deletes only the child SA through which no data traffic flows within the idle time. The other SAs remain live.
Downloading and updating the Sophos Connect client
- To download the Sophos Connect client, click Download client.
- To update to the latest version of the Sophos Connect client, go to Backup & Firmware > Pattern updates.
Downloading and resetting the configuration
- To download the configuration files (
.tgb), scroll to the bottom, and click Export connection.
- To revert to the factory configuration for IPsec remote access, scroll to the bottom, and click Reset.