Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Configure IPsec remote access VPN with Sophos Connect client

You can configure IPsec remote access connections. Users can establish the connection using the Sophos Connect client.

Introduction

To configure and establish IPsec remote access connections over the Sophos Connect client, do as follows:

  • Optional: Generate a locally-signed certificate.
  • Configure the IPsec remote access connection.
  • Send the configuration file to users.
  • Optional: Assign a static IP address to a user
  • Add a firewall rule.
  • Allow access to services.
  • Send the Sophos Connect client to users. Alternatively, users can download it from the VPN portal.

Users must do as follows:

  • Install the Sophos Connect client on their endpoint devices.
  • Import the configuration file into the client and establish the connection.

Note

IPsec remote access VPN doesn't support connections from the LAN zone.

Configure a locally-signed certificate

  1. Go to Certificates > Certificates and click Add.
  2. Select Generate locally-signed certificate.

    Alternatively, you can select Upload certificate if you have one.

    Select locally-signed certificate.

  3. Specify the Certificate details for the locally-signed certificate.

    Here's an example:

    Certificate details.

  4. Specify the Subject Name attributes.

    Here's an example:

    Subject name attributes.

  5. Under Subject Alternative Names, enter a DNS name or IP address and click the add (+) button.

    Here's an example:

    Subject Alternative Names.

Configure remote access IPsec

Specify the settings for IPsec remote access connections.

  1. Go to Remote access VPN > IPsec and click Enable.
  2. Specify the general settings.

    Name Example settings
    Interface

    203.0.113.1

    Select a WAN port.

    IPsec profile

    DefaultRemoteAccess

    You can only select IKEv1 profiles with Dead Peer Detection (DPD) turned off or set to Disconnect.

    Authentication type Digital certificate
    Local certificate Appliance certificate
    Remote certificate

    TestCert

    Select a locally-signed certificate. Alternatively, select a certificate you've uploaded to Certificates > Certificates.

    Local ID

    The firewall automatically selects the local ID for digital certificates.

    Make sure you've configured a certificate ID for the certificate.

    Remote ID Make sure you've configured a certificate ID for the certificate.
    Allowed users and groups TestGroup
  3. Specify the client information.

    Here's an example:

    Name Example settings
    Name TestRemoteAccessVPN
    Assign IP from

    192.168.1.11

    192.168.1.254

    DNS server 1 192.168.1.5

    Client information settings.

  4. Specify the advanced settings you want and click Apply.

    Name Example settings
    Permitted network resources (IPv4)

    LAN_10.1.1.0

    DMZ_192.168.2.0

    Send Security Heartbeat through tunnel Sends the Security Heartbeat of remote clients through the tunnel.
    Allow users to save username and password Users can save their credentials.

    Here's an example:

    Advanced settings.

  5. Click Export connection at the bottom of the page.

    The exported tar.gz file contains a .scx file and a .tgb file.

    Export the configuration file.

  6. Send the .scx file to users.

  7. Optionally, download the client and send it to users.

Optional: Assign a static IP address to a user

To assign a static IP address to a user connecting through the Sophos Connect client, do as follows:

  1. Go to Authentication > Users, and select the user.
  2. On the user's settings page, go down to IPsec remote access, click Enable, and enter an IP address.

    Here's an example:

    Assign static IP address to a user connecting through the Sophos Connect client.

Add a firewall rule

Configure a firewall rule to allow traffic from VPN to LAN and DMZ since you want to allow remote users to access these zones in this example.

  1. Enter a name.
  2. Specify the source and destination zones as follows and click Apply:

    Name Example settings
    Source zones VPN
    Destination zones

    LAN

    DMZ

    Here's an example:

    Source and destination zones in the firewall rule.

    Note

    Under advanced settings for IPsec (remote access), if you select Use as default gateway, the Sophos Connect client sends all traffic, including traffic to the internet, from the remote user through the tunnel. To allow this traffic, you must additionally set the Destination zone to WAN in the firewall rule.

Allow access to services

You must allow access to services, such as the VPN portal and ping from VPN.

  1. Go to Administration > Device access.
  2. Select the checkbox under VPN portal for the following:

    1. WAN
    2. Wi-Fi

    This allows users to sign in to the VPN portal and download the Sophos Connect client. We recommend that you only allow temporary access from the WAN.

  3. Select the checkboxes for VPN under the following:

    1. VPN portal: Allows remote users to access the VPN portal through VPN.
    2. (Optional) DNS: Allows remote users to resolve domain names through VPN if you've specified DNS resolution through the firewall.
    3. Optional: Ping/Ping6: Allows remote users to check VPN connectivity with the firewall.
  4. Click Apply.

    Access to services through VPN.

Configure Sophos Connect client on endpoint devices

Users must install the Sophos Connect client on their endpoint devices and import the .scx file to the client.

You can download the Sophos Connect client installers from the Sophos Firewall web admin console and share these with users.

Alternatively, users can download the Sophos Connect client from the VPN portal as follows:

  1. Sign in to the VPN portal.
  2. Click VPN.
  3. Under Sophos Connect client, click one of the following options:

    • Download for Windows
    • Download for macOS

    Installers for the Sophos Connect client.

  4. Click the downloaded Sophos Connect client.

    You can then see it in the system tray of your endpoint device.

  5. Click the three dots button in the upper-right corner, click Import connection, and select the .scx file your administrator has sent.

    Import connection.

  6. Sign in using your VPN portal credentials.

    Sign in to the Sophos Connect client.

  7. Enter the verification code if two-factor authentication is required.

IPsec remote access connection will be established between the client and Sophos Firewall.