Configure IPsec remote access VPN with Sophos Connect client
You can configure IPsec remote access connections. Users can establish the connection using the Sophos Connect client.
Videos
Configure remote access IPsec and SSL VPN
Configure Microsoft Entra ID SSO for Sophos Connect
Introduction
To configure and establish IPsec remote access connections over the Sophos Connect client, do as follows:
- Generate a locally-signed certificate.
- (Optional) Set up Microsoft Entra ID single sign-on (SSO).
- Check the authentication methods.
- Configure the IPsec remote access connection.
- Send the configuration file to users.
- (Optional) Assign a static IP address to a user.
- Add a firewall rule.
- Allow access to services.
- Send the Sophos Connect client to users. Alternatively, users can download it from the VPN portal.
Users must do as follows:
- Install the Sophos Connect client on their endpoint devices.
- Import the configuration file into the client and establish the connection.
Note
IPsec remote access VPN doesn't support connections from the LAN zone.
Configure a locally-signed certificate
- Go to Certificates > Certificates and click Add.
- Select Generate locally-signed certificate. Alternatively, you can select Upload certificate if you have one.
- Specify the Certificate details for the locally-signed certificate.
- Specify the Subject Name attributes.
- Under Subject Alternative Names, enter a DNS name or IP address and click the add (+) button.
Set up Microsoft Entra ID SSO
You can set up Microsoft Entra ID SSO authentication for remote access IPsec VPN. See Microsoft Entra ID (Azure AD) server.
To set up Microsoft Entra ID SSO authentication, do as follows:
- Configure Microsoft Entra ID on Azure Portal. See Configure Microsoft Entra ID (Azure AD) on Azure Portal.
- Add a Microsoft Entra ID server in the firewall. See Add a Microsoft Entra ID (Azure AD) server.
- (Optional) Import groups from Microsoft Entra ID. See Import groups.
- Allow the required URLs. See Allow Microsoft Azure URLs.
Check authentication services
Check that the authentication methods you want to use for the VPN portal and IPsec VPN are configured in Authentication > Services.
In this example, you set the VPN portal and IPsec VPN authentication methods to local authentication and an authentication server such as Microsoft Entra ID.
- Go to Authentication > Services.
- Under VPN portal authentication methods, check that the Selected authentication server is set to Local and the authentication server you've configured under Authentication > Servers.
- Under VPN (IPsec/dial-in/L2TP/PPTP) authentication methods, check that the Selected authentication server is set to Local and the authentication server you've configured under Authentication > Servers.
Note
If you want to use Microsoft Entra ID SSO authentication, make sure you configure the Microsoft Entra ID server as an authentication method in Authentication > Services before downloading the VPN configuration file. Otherwise, the SSO authentication won't work.
Configure remote access IPsec
Specify the settings for IPsec remote access connections.
- Go to Remote access VPN > IPsec and click Enable.
- Specify the general settings. Here's an example:

  Name                        Example settings
  Interface                   203.0.113.1 (select a WAN port)
  IPsec profile               DefaultRemoteAccess (you can only select IKEv1 profiles with Dead Peer Detection (DPD) turned off or set to Disconnect)
  Authentication type         Digital certificate
  Local certificate           Appliance certificate
  Remote certificate          TestCert (select a locally-signed certificate, or a certificate you've uploaded to Certificates > Certificates)
  Local ID                    Selected automatically by the firewall for digital certificates (make sure you've configured a certificate ID for the certificate)
  Remote ID                   Make sure you've configured a certificate ID for the certificate.
  Allowed users and groups    TestGroup
- Specify the client information. Here's an example:

  Name                Example settings
  Name                TestRemoteAccessVPN
  Assign IP from      192.168.1.11 to 192.168.1.254
  DNS server 1        192.168.1.5
- Specify the advanced settings you want and click Apply. Here's an example:

  Name                                        Example settings
  Permitted network resources (IPv4)          LAN_10.1.1.0, DMZ_192.168.2.0
  Send Security Heartbeat through tunnel      Sends the Security Heartbeat of remote clients through the tunnel.
  Allow users to save username and password   Users can save their credentials.
- Click Export connection at the bottom of the page. The exported tar.gz file contains a .scx file and a .tgb file.
- Send the .scx file to users. Alternatively, download the client and send it to users.
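Before handing the exported bundle to users, it is worth confirming that it actually contains the two files this page says it should, and recording a checksum of the .scx file so that you can later verify that what a user imported is what you sent. The script below is an added example, not Sophos code: it assumes only what the page states about the export (a tar.gz holding one .scx and one .tgb file), and it builds a constructed stand-in bundle with placeholder contents so it runs offline. The file names TestRemoteAccessVPN.scx and TestRemoteAccessVPN.tgb are constructed from the example connection name.

```python
"""Check an exported Sophos Connect bundle before sending the .scx file to users.

Added example, not Sophos code. Assumes only what the page states: the
'Export connection' download is a tar.gz containing a .scx file and a .tgb
file. The bundle used here is constructed in a temporary directory.
"""
import hashlib
import io
import os
import tarfile
import tempfile
from typing import Dict

# Constructed placeholder contents; a real export carries the connection settings.
SAMPLE_MEMBERS: Dict[str, bytes] = {
    "TestRemoteAccessVPN.scx": b"<placeholder .scx content>\n",
    "TestRemoteAccessVPN.tgb": b"<placeholder .tgb content>\n",
}


def build_sample_bundle(path: str, members: Dict[str, bytes]) -> None:
    """Stand-in for the firewall's export: write the given members into a tar.gz."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def inspect_bundle(path: str) -> dict:
    """Return the .scx/.tgb member names and a SHA-256 per file member.

    Raises ValueError if the archive does not hold exactly one .scx and one
    .tgb file, or if a member path is absolute or climbs out of the archive.
    """
    result = {"scx": None, "tgb": None, "sha256": {}}
    with tarfile.open(path, "r:gz") as tar:
        for member in tar.getmembers():
            # Never trust member paths blindly: reject absolute or '..' paths.
            if os.path.isabs(member.name) or os.path.normpath(member.name).startswith(".."):
                raise ValueError(f"unsafe member path: {member.name}")
            if not member.isfile():
                continue
            data = tar.extractfile(member).read()
            result["sha256"][member.name] = hashlib.sha256(data).hexdigest()
            ext = os.path.splitext(member.name)[1].lower()
            if ext in (".scx", ".tgb"):
                key = ext[1:]
                if result[key] is not None:
                    raise ValueError(f"more than one {ext} file in bundle")
                result[key] = member.name
    missing = [k for k in ("scx", "tgb") if result[k] is None]
    if missing:
        raise ValueError("bundle is missing: " + ", ".join("." + m for m in missing))
    return result


def extract_scx(path: str, dest_dir: str) -> str:
    """Write only the .scx member (the file users need) into dest_dir; return its path."""
    info = inspect_bundle(path)
    os.makedirs(dest_dir, exist_ok=True)
    with tarfile.open(path, "r:gz") as tar:
        data = tar.extractfile(info["scx"]).read()
    out = os.path.join(dest_dir, os.path.basename(info["scx"]))
    with open(out, "wb") as f:
        f.write(data)
    return out


def run_demo() -> dict:
    """Build the constructed bundles, run the checks, and return the outcomes."""
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "TestRemoteAccessVPN.tar.gz")
        build_sample_bundle(good, SAMPLE_MEMBERS)
        info = inspect_bundle(good)
        outcome["scx"] = info["scx"]
        outcome["tgb"] = info["tgb"]
        scx_path = extract_scx(good, os.path.join(tmp, "out"))
        with open(scx_path, "rb") as f:
            extracted = f.read()
        outcome["hash_ok"] = hashlib.sha256(extracted).hexdigest() == info["sha256"][info["scx"]]
        outcome["content_ok"] = extracted == SAMPLE_MEMBERS["TestRemoteAccessVPN.scx"]
        # A bundle without the .tgb member must be rejected.
        bad = os.path.join(tmp, "bad.tar.gz")
        build_sample_bundle(bad, {"TestRemoteAccessVPN.scx": b"x\n"})
        try:
            inspect_bundle(bad)
            outcome["missing_tgb_rejected"] = False
        except ValueError:
            outcome["missing_tgb_rejected"] = True
    return outcome


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point inspect_bundle at the real download instead of the constructed bundle, and send users the SHA-256 of the .scx alongside the file so they can compare it after import.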
Assign a static IP address to a user
You can assign a static IP address to a user connecting through the Sophos Connect client as follows:
- Go to Authentication > Users, and select the user.
- On the user's settings page, go down to IPsec remote access, click Enable, and enter an IP address.
Add a firewall rule
In this example, remote users must be able to reach the LAN and DMZ zones, so configure a firewall rule that allows traffic from VPN to LAN and DMZ.
- Enter a name.
- Specify the source and destination zones as follows and click Apply:

  Name                  Example settings
  Source zones          VPN
  Destination zones     LAN, DMZ
Note
Under advanced settings for IPsec (remote access), if you select Use as default gateway, the Sophos Connect client sends all traffic, including traffic to the internet, from the remote user through the tunnel. To allow this traffic, you must additionally set the Destination zone to WAN in the firewall rule.
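The client information, permitted network resources, per-user static addresses and the firewall rule above all have to agree with each other, and the mistakes are easy to make by hand (a lease pool that overlaps an internal network, a static address that collides with a host behind the firewall, a permitted network whose zone the rule never allows, or Use as default gateway set without WAN as a destination). The following script is an added example, not Sophos code: it encodes the page's example values (lease range 192.168.1.11 to 192.168.1.254, DNS server 192.168.1.5, permitted networks LAN_10.1.1.0 and DMZ_192.168.2.0, rule VPN to LAN and DMZ) and checks a plan for those conflicts. Two things in it are assumptions rather than page facts: the permitted network objects are treated as /24 networks, and each object is mapped to the zone its name suggests.

```python
"""Sanity checks for the IPsec remote access address plan and firewall rule.

Added example, not Sophos code. The example values come from this page;
the /24 masks on the permitted network objects and the object-to-zone
mapping are assumptions, since the page names the objects only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class RemoteAccessPlan:
    lease_start: str
    lease_end: str
    dns_servers: List[str]
    permitted_networks: Dict[str, str]       # host object name -> CIDR
    network_zones: Dict[str, str]            # host object name -> firewall zone
    static_ips: Dict[str, str] = field(default_factory=dict)   # user -> IP
    rule_source_zones: List[str] = field(default_factory=list)
    rule_destination_zones: List[str] = field(default_factory=list)
    use_as_default_gateway: bool = False


def example_plan() -> RemoteAccessPlan:
    """The page's example settings (masks and zone mapping are assumed)."""
    return RemoteAccessPlan(
        lease_start="192.168.1.11",
        lease_end="192.168.1.254",
        dns_servers=["192.168.1.5"],
        permitted_networks={"LAN_10.1.1.0": "10.1.1.0/24", "DMZ_192.168.2.0": "192.168.2.0/24"},
        network_zones={"LAN_10.1.1.0": "LAN", "DMZ_192.168.2.0": "DMZ"},
        rule_source_zones=["VPN"],
        rule_destination_zones=["LAN", "DMZ"],
    )


def check_plan(plan: RemoteAccessPlan) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    start = ipaddress.ip_address(plan.lease_start)
    end = ipaddress.ip_address(plan.lease_end)
    if end < start:
        raise ValueError("lease range end precedes start")
    # Express the lease range as CIDR blocks so overlap tests are exact.
    lease_blocks = list(ipaddress.summarize_address_range(start, end))
    permitted = {name: ipaddress.ip_network(cidr) for name, cidr in plan.permitted_networks.items()}

    # 1. The pool clients are assigned from must not overlap the networks they are
    #    routed to; otherwise a client address can shadow an internal host.
    for name, net in permitted.items():
        if any(net.overlaps(block) for block in lease_blocks):
            findings.append(f"lease range overlaps permitted network {name} ({net})")

    # 2. A DNS server handed to clients must not itself be a leasable address.
    for dns in plan.dns_servers:
        if start <= ipaddress.ip_address(dns) <= end:
            findings.append(f"DNS server {dns} lies inside the lease range")

    # 3. Static addresses: unique per user, not inside a permitted network, not a DNS server.
    owners: Dict[str, str] = {}
    for user, addr in plan.static_ips.items():
        ip = ipaddress.ip_address(addr)
        key = str(ip)
        if key in owners:
            findings.append(f"static IP {addr} is assigned to both {owners[key]} and {user}")
        owners[key] = user
        for name, net in permitted.items():
            if ip in net:
                findings.append(f"static IP {addr} for {user} is inside permitted network {name}")
        if key in plan.dns_servers:
            findings.append(f"static IP {addr} for {user} is a DNS server address")

    # 4. Firewall rule: traffic originates in the VPN zone, every permitted network's
    #    zone must be a destination, and WAN is needed only when the tunnel is the default gateway.
    if "VPN" not in plan.rule_source_zones:
        findings.append("firewall rule source zones do not include VPN")
    for name, zone in plan.network_zones.items():
        if name in permitted and zone not in plan.rule_destination_zones:
            findings.append(f"permitted network {name} is in zone {zone}, which is not a destination zone")
    if plan.use_as_default_gateway and "WAN" not in plan.rule_destination_zones:
        findings.append("Use as default gateway is set but WAN is not a destination zone")
    return findings


if __name__ == "__main__":
    for line in check_plan(example_plan()) or ["no findings"]:
        print(line)
```

Run it against your own values before clicking Apply; the page's example produces no findings, while turning on Use as default gateway without adding WAN to the rule, or giving two users the same static address, is reported immediately.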
Allow access to services
You must allow users access to services such as IPsec, the VPN portal, DNS, and ping.
- Go to Administration > Device access.
- Under IPsec, select the WAN checkbox. This allows remote users' traffic to access remote access and site-to-site IPsec VPN tunnels.
- Under VPN portal, select the checkboxes for LAN, WAN, VPN, and Wi-Fi. This allows users to sign in to the VPN portal from these zones and download the Sophos Connect client. We recommend that you only allow temporary access from the WAN.
- (Optional) Under DNS, select the VPN checkbox. This allows remote users to resolve domain names through the VPN if you've specified DNS resolution through the firewall.
- (Optional) Under Ping/Ping6, select the VPN checkbox. This allows remote users to check VPN connectivity with the firewall.
- Click Apply.
Configure Sophos Connect client on endpoint devices
Users must install the Sophos Connect client on their endpoint devices and import the .scx file into the client.
You can download the Sophos Connect client installers from the Sophos Firewall web admin console and share these with users.
Alternatively, users can download the Sophos Connect client from the VPN portal as follows:
- Sign in to the VPN portal.
- Click VPN.
- Under Sophos Connect client, click one of the following options:
  - Download for Windows
  - Download for macOS
- Click the downloaded Sophos Connect client. You can then see it in the system tray of your endpoint device.
- Click Import connection, and select the .scx file your administrator has sent.
- Sign in using your VPN portal credentials or through SSO.
- Enter the verification code if multi-factor authentication (MFA) is required. An IPsec remote access connection is then established between the client and Sophos Firewall.
Note
If you've signed in before with your credentials and with Remember username and password selected, you'll be automatically signed in using your credentials. If you want to see the sign-in options again, such as when you want to use SSO instead of your credentials, click Edit connection and click Clear credentials. The sign-in options will be shown the next time you sign in.