
vpn

You can set various parameters for VPN connections, including failover settings, authentication settings, and MTU.

Note

Some of these are advanced settings. Use them based on your network requirement or based on advice from Sophos Support.

Command

set vpn

Syntax

set vpn
conn-remove-on-failover [all | non-tcp] [conn-remove-tunnel-up] [enable | disable] [l2tp | pptp] [authentication] [ANY | CHAP | MS_CHAPv2 | PAP] [mtu] <576-1460>
ipsec-performance [ipsec-max-workqueue-items <1024-10240>] [anti-replay window-size {0 | 32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096}] [cookie_threshold <number>] [use-resolved-ip-address {disable | enable}]

Options

conn-remove-on-failover [all | non-tcp] [conn-remove-tunnel-up] [enable | disable] [l2tp | pptp] [authentication] [ANY | CHAP | MS_CHAPv2 | PAP] [mtu] <576-1460>

Authentication parameters can be set for L2TP and PPTP VPNs, in addition to global failover and failback parameters for all traffic or non-TCP traffic only. MTU can be set for L2TP. The available values are 576 to 1460. Default: 1410.

ipsec-performance [ipsec-max-workqueue-items <1024-10240>] [anti-replay window-size {0 | 32 | 64 | 128 | 256 | 512 | 1024 | 2048 | 4096}] [cookie_threshold <number>] [use-resolved-ip-address {disable | enable}]

You can set the IPsec performance as follows:

  • ipsec-max-workqueue-items: You can set the size of the work queue to any value from 1024 to 10240.
  • anti-replay window-size: The firewall keeps track of which packets it has seen during decryption, according to the limit set, to prevent replay attacks. Default: 1024.
  • cookie_threshold: Cookie validation is always on. The feature is only available for IKEv2. When the number of simultaneous half-open SAs exceeds the cookie threshold, the responder sends a cookie request to initiators to protect against DoS attacks. Default: 30.
  • use-resolved-ip-address: Only use this setting if you have many site-to-site IPsec tunnels and slow DNS resolutions, which can cause a charon thread lockup issue. When an FQDN is configured as the remote gateway in a site-to-site IPsec VPN, you can turn this setting on to use the resolved IP address instead of the FQDN to establish the tunnel. The remote gateway's FQDN must already be resolved for this setting to work. Default: Off.
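As an added illustration of what the anti-replay window-size option controls (this is example code written for this page, not Sophos firewall code), the following Python model implements the sliding-window check described in RFC 4303 section 3.4.3 and runs a constructed sequence of ESP sequence numbers through two of the documented window sizes, 64 and 1024. Treating a window size of 0 as "replay checking disabled" is an assumption of the example; the sample packet sequence is constructed.

```python
"""Sliding-window anti-replay check in the style of RFC 4303 (ESP), section 3.4.3.

A received sequence number is accepted only if it is newer than the window's
right edge, or lies inside the window and has not been seen before. Numbers
older than the window are rejected outright, so a small window drops
legitimate but heavily reordered packets, while a larger window costs only a
larger bitmap. This models the firewall's anti-replay window-size setting.
"""


class AntiReplayWindow:
    """Tracks received sequence numbers for one inbound SA.

    window_size: how many of the most recent sequence numbers are tracked
    (for example 64 or 1024). A window_size of 0 is treated here as
    "anti-replay checking disabled" (assumption for this example).
    """

    def __init__(self, window_size: int) -> None:
        if window_size < 0:
            raise ValueError("window size must be >= 0")
        self.window_size = window_size
        self.right_edge = 0  # highest sequence number accepted so far
        self.bitmap = 0      # bit i set => sequence number (right_edge - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True if seq is accepted (and record it), False if rejected."""
        if self.window_size == 0:
            return True  # replay protection disabled: accept everything
        if seq == 0:
            return False  # sequence number 0 is never sent on the wire (RFC 4303 3.3.3)
        if seq > self.right_edge:
            # Newer than anything seen so far: slide the window to the right.
            shift = seq - self.right_edge
            if shift >= self.window_size:
                self.bitmap = 1  # every older entry falls out; only seq remains
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.right_edge = seq
            return True
        offset = self.right_edge - seq
        if offset >= self.window_size:
            return False  # too old: to the left of the window
        bit = 1 << offset
        if self.bitmap & bit:
            return False  # replay: this sequence number was already accepted
        self.bitmap |= bit
        return True


def replay_trace(window_size: int, sequence: list[int]) -> list[tuple[int, str]]:
    """Run a list of sequence numbers through one window and label each verdict."""
    win = AntiReplayWindow(window_size)
    return [(s, "accept" if win.check_and_update(s) else "reject") for s in sequence]


# Constructed sample: packets arrive slightly reordered (5 before 4), one is
# replayed (3 again), then a burst jumps ahead (200) and two stragglers (100, 8)
# arrive late. Only the larger window keeps the stragglers.
SAMPLE = [1, 2, 3, 5, 4, 3, 200, 100, 8]

if __name__ == "__main__":
    for size in (64, 1024):
        print(f"anti-replay window-size {size}:")
        for seq, verdict in replay_trace(size, SAMPLE):
            print(f"  seq {seq:4d} -> {verdict}")
```

With window-size 64, the replayed 3 is rejected and so are the late 100 and 8, because after 200 arrives both fall outside the 64-entry window; with window-size 1024 the replay is still rejected but the two stragglers are accepted. That is the trade-off the setting exposes: a larger window tolerates more reordering on high-throughput or multi-path links at the cost of a bigger per-SA bitmap.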