The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025.

Add an IPsec connection

You can configure host-to-host, site-to-site, and route-based IPsec connections.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Specify the general settings:

    Name | Setting
    IP version

    The tunnel only forwards traffic for the specified IP version.

    For tunnel interfaces in Dual mode, you can't do the following:

    • Create a firewall rule automatically.
    • Specify traffic selectors for the local and remote subnets.
    Connection type

    Site-to-site: Establishes a secure connection between the local and remote subnets over the internet. You can use this connection to connect a branch office to corporate headquarters.

    Host-to-host: Establishes a secure connection between two hosts, for example between two computers.

    Tunnel interface: Establishes a route-based VPN connection and creates a tunnel interface between two firewalls. An XFRM interface is automatically created with the interface name xfrm, followed by a number. You must assign an IP address to the interface on Network > Interfaces. See Route-based VPN.

    Gateway type

    Action to take when the VPN service or the firewall restarts:

    Disable: Connection remains inactive until a user activates it.

    Respond only: Keeps the connection ready to respond to any incoming request.

    Initiate the connection: Establishes the connection every time the VPN service or the firewall restarts.

    We recommend setting the gateway at your central location (example: head office) to Respond only and the gateway at your remote locations (example: branch offices) to Initiate the connection.

    Activate on save

    Activates the connection as soon as you save it.
    Create firewall rule

    Automatically creates a firewall rule for this connection.

    Review the rule's position in the firewall rule list. Automatically created rules, such as those for email MTA, IPsec connections, and hotspots, are placed at the top of the list and are evaluated first. When the matching criteria of the new rule overlap with those of an existing rule, the rule at the top wins, which can lead to unexpected outcomes such as mail delivery failing or tunnels not being established.

  4. Specify the encryption settings.

    Name | Setting
    Profile

    IPsec profile to use for the traffic. The profile determines, among other settings, the IKE version used for the connection.
    Authentication type
    • Preshared key: Authenticates endpoints using a secret known to both endpoints. Keep a record of this key. You must enter the same key on the remote firewall.

      The last configured connection using a preshared key (PSK) replaces the PSK of all connections between its listening interface and remote gateway, so two connections that share a listening interface and remote gateway can't hold different PSKs.

      To prevent this, select an IKEv2 profile and configure local and remote IDs. With IKEv2, the firewall keeps a separate PSK for each local-remote ID combination.

    • Digital certificate: Authenticates endpoints by exchanging certificates (locally-signed or issued by a certificate authority).
    • RSA key: Authenticates endpoints using RSA keys.
    Local certificate

    Certificate used for authentication by the local firewall.

    Remote certificate

    Certificate used for authentication by the remote firewall.
    Remote CA certificate

    The local firewall authenticates the remote certificate based on the remote CA certificate.

    Using a public CA certificate as the remote CA certificate is a security risk.

    Warning

    Don't use a public CA as the remote CA certificate. The firewall accepts any certificate issued by that CA, so an attacker who obtains a valid certificate from the public CA can authenticate to your connections. Use your own CA or a locally-signed certificate instead.

  5. Specify the local gateway settings.

    Name | Setting
    Listening interface

    A WAN interface on the local firewall.

    You can't use a bridge interface for the listening interface.

    Local ID type

    For preshared and RSA keys, select an ID type, and type a Local ID value. You can use this for additional validation of tunnels or to identify the firewall during NAT traversal.

    NAT traversal is always on. The local and remote IDs enable the firewall to identify a remote firewall that's behind a router and has a private IP address.

    Local subnet

    Local hosts or subnets to which you want to provide VPN access.

    For tunnel interfaces, you can add the traffic selectors only if you've set the IP version to IPv4 or IPv6. Additionally, you must either select Any or specific traffic selectors for both local and remote subnets. You can't select Any for one and a specific traffic selector for the other.

  6. Specify the remote gateway settings.

    Name | Setting
    Gateway address

    IP address or DNS hostname of the remote gateway.

    • You can't use the wildcard address (*) if you've set Gateway type to Initiate the connection. You can use a DNS hostname when the remote gateway has a dynamic IP address.
    • If you've specified a PSK and a wildcard address, make sure you select an IKEv2 profile and specify the local and remote IDs.

      If you don't, the PSK replaces the PSK in all existing configurations with the same local-remote gateway combination. This impacts remote access VPNs in particular because their remote gateway is considered a wildcard address.

    Remote ID type

    For preshared and RSA keys, select an ID type, and type a Remote ID value. Use this for additional validation of tunnels.

    You can enter any unique FQDN or hostname, IP address, or email address. For DER ASN1 DN [X.509], paste the distinguished name of the remote firewall's certificate.

    Remote subnet

    Remote hosts or subnets to which you want to provide VPN access.

    For tunnel interfaces, you can add the traffic selectors only if you've set the IP version to IPv4 or IPv6. Additionally, you must either select Any or specific traffic selectors for both local and remote subnets. You can't select Any for one and a specific traffic selector for the other.

  7. Select Network Address Translation (NAT) to translate the IP addresses if the local and remote subnets overlap.

    • Translated subnet: Shows the local subnet you specified in this policy. This is the address range the remote site uses to reach your hosts. Sophos Firewall translates it to the original subnet.
    • Original subnet: Select the actual local subnet, that is, the subnet that overlaps with the remote site.

    Note

    You can only use this option with policy-based (host-to-host and site-to-site) VPNs and route-based VPNs that use traffic selectors.

    You must configure NAT rules to translate IP addresses for route-based VPNs (tunnel interfaces) with local and remote subnets set to Any or no traffic selectors.

  8. Specify the advanced settings:

    Name | Setting
    User authentication mode

    Authenticates VPN clients using XAuth (Extended Authentication) in client-server mode. Set the firewall at the central location to server mode.

    XAuth is an IKEv1 extension. It uses your existing authentication mechanism, such as AD, RADIUS, or LDAP, to authenticate users after the phase 1 exchange. Organizations typically use this for remote access IPsec connections.

    Select an option from the following:

    • None: Doesn't enforce user authentication.
    • As client: The local firewall acts as an XAuth client. Enter the username and password for validation with the remote firewall.

      On the remote firewall, set the user authentication method to As server.

    • As server: The firewall acts as an XAuth server. Under Allowed users and groups, select the users you want to allow. For the remote firewall, set the user authentication method to As client.

    You must also download the configuration file and share it with users. To download it, click Download for the connection in the list of configured connections.

    To configure the authentication server for IPsec VPNs, go to Authentication > Services > VPN authentication methods and select the servers.

    Disconnect when idle

    Disconnects idle clients from the session after the specified time.

    Idle session time interval

    Time, in seconds, after which the firewall disconnects idle clients.
  9. Click Save.
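The PSK warnings in steps 4 and 6 are easy to trip over when several connections (including the remote access VPN, whose remote gateway counts as the wildcard address) share one listening interface. The following is an added example, not code from Sophos or from this page: a small pre-save lint that models the documented behaviour as a lookup slot per (listening interface, remote gateway) pair, with a separate slot per local-remote ID pair only for IKEv2 connections that set both IDs. The slot model, the `IPsecConnection` fields, and the sample connections are assumptions made for illustration.

```python
"""Lint planned IPsec connections for preshared-key (PSK) collisions.

Model of the behaviour described on this page (an assumption, not the
firewall's code): a PSK is stored per (listening interface, remote gateway)
pair, so the last connection saved with a PSK overwrites every other PSK in
that slot. Only an IKEv2 profile with explicit local and remote IDs gives a
connection its own per-ID slot.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

WILDCARD = "*"   # remote gateway "*"; remote access VPNs are keyed this way too


@dataclass(frozen=True)
class IPsecConnection:
    name: str
    listening_iface: str            # WAN IP of the listening interface
    remote_gateway: str             # IP, DNS hostname, or WILDCARD
    psk: Optional[str] = None       # None for certificate or RSA key authentication
    ike_version: int = 1
    local_id: Optional[str] = None
    remote_id: Optional[str] = None


def psk_slot(conn):
    """Return the key under which this connection's PSK is stored.

    A per-ID slot exists only for an IKEv2 profile with both IDs set; any
    other PSK connection shares one slot per gateway pair.
    """
    if conn.ike_version == 2 and conn.local_id and conn.remote_id:
        return ("id", conn.local_id, conn.remote_id)
    return ("gw", conn.listening_iface, conn.remote_gateway)


def find_psk_collisions(connections):
    """Report every slot that would end up holding more than one distinct PSK.

    `connections` is in save order, so the last connection in a colliding
    slot is the one whose PSK survives; the others silently stop authenticating.
    """
    slots = defaultdict(list)
    for conn in connections:
        if conn.psk is not None:
            slots[psk_slot(conn)].append(conn)
    report = {}
    for slot, conns in slots.items():
        if len({c.psk for c in conns}) > 1:
            winner = conns[-1]
            report[slot] = {
                "winner": winner.name,
                "broken": [c.name for c in conns if c.psk != winner.psk],
            }
    return report


# Constructed sample configuration (not from the page): one remote access VPN
# plus three site-to-site connections on the same listening interface.
SAMPLE = [
    IPsecConnection("remote-access", "203.0.113.10", WILDCARD, psk="RA-secret"),
    IPsecConnection("branch-fixed-ip", "203.0.113.10", "198.51.100.7", psk="fixed-secret"),
    # Branch on a dynamic IP, IKEv1, wildcard remote gateway: shares the slot
    # with the remote access VPN and overwrites its PSK when saved.
    IPsecConnection("branch-dynamic-ikev1", "203.0.113.10", WILDCARD, psk="branch-secret"),
    # Same situation, but IKEv2 with IDs: gets its own slot and breaks nothing.
    IPsecConnection("branch-dynamic-ikev2", "203.0.113.10", WILDCARD, psk="branch2-secret",
                    ike_version=2, local_id="hq.example.com", remote_id="branch2.example.com"),
]


def lint_sample():
    """Run the lint over the constructed sample; returns one colliding slot."""
    return find_psk_collisions(SAMPLE)


if __name__ == "__main__":
    for slot, info in lint_sample().items():
        print(f"{slot}: PSK from {info['winner']} overwrites {info['broken']}")
```

In the sample, saving `branch-dynamic-ikev1` breaks the remote access VPN because both land in the `("gw", "203.0.113.10", "*")` slot, while `branch-dynamic-ikev2` is unaffected because its IKEv2 IDs give it a slot of its own. That is the reason the page asks for an IKEv2 profile with local and remote IDs whenever a PSK is combined with a wildcard gateway.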

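The overlapping-subnet NAT in step 7 is easier to reason about with a packet traced through both ends. The following is an added example, not code from Sophos or from this page. It assumes both firewalls are configured symmetrically (each with its own translated subnet and the shared real subnet as the original subnet), that the translation is a 1:1 prefix substitution that preserves the host part of the address, and uses constructed addresses; the `Site`, `netmap`, `selectors_ok`, and `trace` names are hypothetical.

```python
"""Worked example of the overlapping-subnet translation from step 7.

Assumption (not stated on the page): the translation is a 1:1 mapping that
keeps the host bits, and both firewalls are configured the same way, each
with a distinct translated subnet.
"""
import ipaddress


def netmap(addr, original, translated):
    """Map `addr` from the `original` subnet into `translated`, keeping the host bits.

    A 1:1 prefix substitution is only defined when both prefix lengths match.
    """
    ip = ipaddress.ip_address(addr)
    orig = ipaddress.ip_network(original, strict=False)
    trans = ipaddress.ip_network(translated, strict=False)
    if orig.prefixlen != trans.prefixlen:
        raise ValueError("original and translated subnets must have the same prefix length")
    if ip not in orig:
        raise ValueError(f"{ip} is not in {orig}")
    host_part = int(ip) - int(orig.network_address)
    return str(ipaddress.ip_address(int(trans.network_address) + host_part))


class Site:
    """One end of the tunnel: its real LAN and the subnet the peer sees it as."""

    def __init__(self, name, original, translated):
        self.name = name
        self.original = original      # "Original subnet" in the policy (the real LAN)
        self.translated = translated  # "Translated subnet" = local subnet in the policy

    def outbound(self, src, dst):
        """Before encryption: rewrite the source into the translated subnet."""
        return netmap(src, self.original, self.translated), dst

    def inbound(self, src, dst):
        """After decryption: rewrite the destination back to the real LAN."""
        return src, netmap(dst, self.translated, self.original)


def selectors_ok(site_a, site_b):
    """The two translated subnets must not overlap each other or the real subnet,
    otherwise the tunnel's traffic selectors are still ambiguous."""
    nets = [ipaddress.ip_network(n, strict=False)
            for n in (site_a.original, site_a.translated, site_b.translated)]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def trace(site_a, site_b, src, dst):
    """Follow one packet from a host at site A to a host at site B."""
    in_tunnel = site_a.outbound(src, dst)
    delivered = site_b.inbound(*in_tunnel)
    return {"in_tunnel": in_tunnel, "delivered": delivered}


# Constructed scenario (not from the page): both sites use 10.0.0.0/24.
# HQ's policy: local subnet 192.168.10.0/24 (translated), original 10.0.0.0/24,
# remote subnet 192.168.20.0/24. The branch mirrors it.
HQ = Site("hq", original="10.0.0.0/24", translated="192.168.10.0/24")
BRANCH = Site("branch", original="10.0.0.0/24", translated="192.168.20.0/24")


def demo():
    """HQ host 10.0.0.5 reaches branch host 10.0.0.7 by addressing 192.168.20.7."""
    return trace(HQ, BRANCH, "10.0.0.5", "192.168.20.7")


if __name__ == "__main__":
    print("selectors ok:", selectors_ok(HQ, BRANCH))
    print(demo())
```

Inside the tunnel the packet travels as 192.168.10.5 to 192.168.20.7, so the traffic selectors on both sides are the translated subnets, not 10.0.0.0/24. The branch host sees the request from 192.168.10.5 and replies to that address, which falls inside the branch's remote subnet selector and is mapped back the same way in reverse. The `selectors_ok` check is the one to run before saving: if either translated subnet overlaps the real LAN or the other translated subnet, the overlap the feature was meant to remove is still there.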
More resources