Add an IPsec connection

Learn how to configure a site-to-site IPsec connection, including policy-based and route-based VPNs. You can configure general settings, encryption and authentication methods, gateway and subnets, and optional Network Address Translation (NAT) for different deployment scenarios.

General settings

Use the general settings to specify the IP version, connection type, gateway behavior, and firewall rules for the IPsec connection.

  1. Go to Site-to-site VPN > IPsec and click Add.
  2. Enter a name.
  3. Select the IP version for the tunnel. The tunnel forwards traffic only for the selected version.

    • IPv4
    • IPv6
    • Dual: Available only for tunnel interfaces with any-to-any local and remote subnets. You must create separate firewall rules for IPv4 and IPv6 traffic.
  4. Under Connection type, select the method used to handle traffic through the tunnel.

    • Policy-based: For connections between local and remote office subnets.
    • Host-to-host: For connections between individual local and remote endpoint devices.
    • Route-based (Tunnel interface): For connections between local and remote offices.

      For route-based tunnels with any-to-any subnets, the firewall automatically creates an XFRM interface named xfrm, followed by a number. You must assign an IP address and a gateway to this interface. See Route-based VPN.

  5. Select the Gateway type to decide when to establish the connection.

    • Disable: The connection remains inactive until a user initiates it.
    • Respond only: The firewall waits for incoming connection requests.

      You can use a wildcard address (*) only with this option to allow multiple remote gateways to connect to a head office firewall.

    • Initiate the connection: The firewall initiates the connection whenever the VPN service or firewall restarts.

    Tip

    We recommend setting the gateway type as follows:

    • Head office: Respond only
    • Branch offices: Initiate the connection
  6. Select Activate on save to activate the connection in the local firewall.

  7. Select Create firewall rule to automatically create inbound and outbound firewall rules for the connection.

    Note

    The rules are created at the top of the firewall rule list. Drag and drop the rules to change their position. The firewall evaluates rules from the top and stops when it finds one that matches the traffic.

    Note

    You can't configure automatic firewall rules for route-based IPsec connections that use Any-to-Any subnets.

Encryption settings

Encryption settings define how the IPsec tunnel is authenticated and secured.

  1. Select an IPsec profile.

    Profiles specify the phase 1 and phase 2 IKE parameters to establish the tunnel. See IPsec profiles.

  2. Select an Authentication type to authenticate the remote firewall.

Preshared key

Enter a Preshared Key (PSK) and repeat it. The connection uses the shared secret.

Store the PSK. You must enter it in the remote firewall.

Note

IKEv2 IPsec profiles support unique PSKs for each local-remote ID combination. In contrast, IKEv1 profiles support only a single PSK per local and remote gateway combination. The firewall applies the PSK from the most recently configured connection. This behavior applies to both site-to-site and remote access IPsec configurations.

Digital certificate

The firewalls exchange certificates that are locally signed or issued by a certificate authority to authenticate the tunnel.

Note

The firewall doesn't support ECDSA certificates in IPsec VPN connections. Make sure you select RSA certificates.

Specify the following certificates:

  1. Local certificate: Used by the local firewall.
  2. Remote certificate: Used by the remote firewall.
  3. Remote CA certificate: The local firewall authenticates the remote certificate based on the remote CA certificate.

    Warning

    Don't use a public CA as a remote CA certificate. Attackers can gain unauthorized access to your connections by using a valid certificate issued by the CA.

RSA key

The IPsec connections in the local and remote firewalls automatically show the public key. Copy and paste it in the peer configuration.

  1. Local RSA key: The firewall automatically generates the key pair and shows the public key here. Copy the key and paste it into the remote firewall.
  2. Remote RSA key: Paste the public key from the remote firewall's IPsec connection.

Note

The firewall supports PKCS1 and DNS formats. Use the same format in both firewalls.

Gateway settings

Gateway settings define how the local and remote VPN endpoints identify each other and which networks can exchange traffic. They also include Network Address Translation (NAT) for overlapping networks.

Local and remote endpoints

Endpoints specify the interfaces and addresses used to establish the VPN tunnel.

  1. Under Listening interface, select a WAN interface of the local firewall.

    Restriction

    You can't use a bridge interface as the listening interface.

  2. Under Gateway address, enter the IP address or DNS hostname of the remote gateway.

    The following Gateway type settings decide whether you can use the wildcard address (*).

    • Initiate connection: Typically used in branch offices. This option doesn't support the wildcard address.
    • Respond only: Typically configured in head offices. This option supports the wildcard address.

    Tip

    NAT Traversal (NAT-T) is always on in the firewall. NAT-T establishes connections between firewalls that use private IP addresses and are deployed behind routers. To identify peers behind routers, configure the local and remote IDs below.

Local and remote IDs

Local and remote IDs let each tunnel endpoint be identified independently of the gateway address.

When to use

  • To identify remote firewalls behind devices, such as routers.
  • To add an extra layer of authentication when you use PSKs or RSA keys.
  • To make sure the head office responds only to intended remote offices when you use a wildcard address.

  1. Select a Local ID type.

    • DNS: You can enter an FQDN or hostname.
    • IP address
    • Email
    • DER.ASN1 DN (X.509): Only digital certificates use this option.

    Tip

    The DNS name, IP address, or email address doesn't need to resolve. The IDs only need to match in both firewalls and use a valid format.

  2. Enter a Local ID.

  3. Select a Remote ID type.
  4. Enter the Remote ID value used in the remote firewall's connection.

    For DER.ASN1 DN (X.509), paste the distinguished name of the remote firewall's certificate.

Local and remote subnets

Local and remote subnets are hosts or networks that can exchange traffic through the tunnel.

Tip

  • Policy-based VPN: Configure traffic selectors for one or both subnets. Only one subnet can be set to Any. Typically, branch office subnets are set to Any.
  • Route-based VPN: For IPv4 or IPv6, both local and remote subnets can be set to Any. Alternatively, select specific hosts or subnets. For Dual version, the firewall treats both local and remote subnets as Any.

  1. Under Local subnet, select the local hosts or subnets.
  2. Under Remote subnet, select the remote hosts or subnets.
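The general settings, the gateway address wildcard rules, and the subnet tips above state several constraints that only surface as errors after you click Save. The following added example (illustration code, not part of Sophos Firewall) lints a planned connection against those constraints before it is entered in the UI. The `IPsecConnection` field names are assumptions that mirror the UI labels, and the sample connections are constructed.

```python
"""Lint a planned site-to-site IPsec connection against the constraints in this
guide. Added illustration code, not Sophos Firewall code; field names are
assumptions that mirror the UI labels."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

ANY = "Any"


@dataclass
class IPsecConnection:
    name: str
    ip_version: str        # "IPv4", "IPv6" or "Dual"
    connection_type: str   # "Policy-based", "Host-to-host" or "Route-based"
    gateway_type: str      # "Disable", "Respond only" or "Initiate the connection"
    gateway_address: str   # remote gateway IP address or FQDN, or "*" wildcard
    local_subnets: List[str] = field(default_factory=lambda: [ANY])
    remote_subnets: List[str] = field(default_factory=lambda: [ANY])
    create_firewall_rule: bool = False


def is_any_to_any(conn: IPsecConnection) -> bool:
    return conn.local_subnets == [ANY] and conn.remote_subnets == [ANY]


def lint(conn: IPsecConnection) -> List[str]:
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []

    # The wildcard gateway address is accepted only with "Respond only".
    if conn.gateway_address == "*" and conn.gateway_type != "Respond only":
        problems.append("wildcard gateway address requires gateway type 'Respond only'")

    # Dual stack is available only for route-based tunnels with any-to-any subnets.
    if conn.ip_version == "Dual" and not (
        conn.connection_type == "Route-based" and is_any_to_any(conn)
    ):
        problems.append("Dual IP version requires a route-based tunnel with any-to-any subnets")

    # Policy-based (including host-to-host): only one side may be Any.
    if conn.connection_type in ("Policy-based", "Host-to-host") and is_any_to_any(conn):
        problems.append("policy-based VPN: only one of local/remote subnet can be Any")

    # Automatic firewall rules are not available for route-based any-to-any tunnels.
    if conn.create_firewall_rule and conn.connection_type == "Route-based" and is_any_to_any(conn):
        problems.append("automatic firewall rules are not available for route-based any-to-any tunnels")

    # Each subnet must parse and match the selected IP version (the tunnel forwards only that version).
    want = {"IPv4": 4, "IPv6": 6}.get(conn.ip_version)
    if want is not None:
        for s in conn.local_subnets + conn.remote_subnets:
            if s == ANY:
                continue
            try:
                net = ipaddress.ip_network(s, strict=False)
            except ValueError:
                problems.append(f"subnet {s!r} is not a valid network")
                continue
            if net.version != want:
                problems.append(f"subnet {s} is IPv{net.version} but the tunnel forwards only {conn.ip_version}")

    return problems


# Constructed sample connections following the head office / branch office recommendation.
HEAD_OFFICE = IPsecConnection(
    name="head-office", ip_version="IPv4", connection_type="Policy-based",
    gateway_type="Respond only", gateway_address="*",
    local_subnets=["10.0.0.0/16"], remote_subnets=[ANY],
)
BRANCH = IPsecConnection(
    name="branch-1", ip_version="IPv4", connection_type="Policy-based",
    gateway_type="Initiate the connection", gateway_address="203.0.113.10",
    local_subnets=["192.168.10.0/24"], remote_subnets=["10.0.0.0/16"],
)

if __name__ == "__main__":
    for conn in (HEAD_OFFICE, BRANCH):
        print(conn.name, lint(conn) or "OK")
```

Run the script directly to lint the two constructed plans, or import `lint` and feed it your own connection objects before committing the settings in the UI.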

NAT settings

NAT settings translate IP addresses for policy-based (site-to-site and host-to-host) VPNs and route-based VPNs that use traffic selectors.

  1. Select Network Address Translation (NAT) to translate the IP addresses if the local and remote subnets overlap.
  2. Translated subnet shows the local subnets specified in this connection.

    Sophos Firewall translates these subnets to the actual subnets that overlap at the local and remote locations.

  3. Under Original subnet, select the overlapping subnet for translation.

    For subnets that don't need translation, keep the default Not translated option.
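To make the Original subnet and Translated subnet relationship concrete, the following added example (illustration code, not Sophos Firewall code) detects an overlap between the actual local and remote subnets, checks that a chosen translated subnet does not itself collide, and shows how one host in the original subnet maps to its counterpart in the translated subnet that the remote site sees. All addresses are constructed sample values.

```python
"""Overlap detection and 1:1 subnet translation for the NAT settings described above.
Added illustration code, not Sophos Firewall code; all addresses are constructed."""
import ipaddress
from typing import List, Tuple


def overlapping_pairs(local_subnets: List[str], remote_subnets: List[str]) -> List[Tuple[str, str]]:
    """Return (local, remote) pairs whose address ranges overlap and therefore need NAT."""
    pairs = []
    for local in local_subnets:
        for remote in remote_subnets:
            ln = ipaddress.ip_network(local, strict=False)
            rn = ipaddress.ip_network(remote, strict=False)
            if ln.version == rn.version and ln.overlaps(rn):
                pairs.append((str(ln), str(rn)))
    return pairs


def nat_plan(original: str, remote: str, translated: str) -> str:
    """Decide the Original subnet setting for one local subnet.

    Returns the default "Not translated" when the subnet does not clash with the
    remote subnet, otherwise describes the Original -> Translated mapping after
    checking that the translated subnet introduces no new overlap."""
    if not overlapping_pairs([original], [remote]):
        return "Not translated"
    if overlapping_pairs([translated], [remote]) or overlapping_pairs([translated], [original]):
        raise ValueError("translated subnet must not overlap the remote or original subnet")
    if ipaddress.ip_network(original).prefixlen != ipaddress.ip_network(translated).prefixlen:
        raise ValueError("original and translated subnets must be the same size for 1:1 NAT")
    return f"{original} -> {translated}"


def translate(host: str, original: str, translated: str) -> str:
    """Map one host in the Original subnet to its address in the Translated subnet.

    1:1 subnet NAT rewrites only the network part, so the host offset is preserved."""
    orig = ipaddress.ip_network(original, strict=False)
    trans = ipaddress.ip_network(translated, strict=False)
    addr = ipaddress.ip_address(host)
    if orig.prefixlen != trans.prefixlen:
        raise ValueError("original and translated subnets must be the same size")
    if addr not in orig:
        raise ValueError(f"{host} is not in {original}")
    offset = int(addr) - int(orig.network_address)
    return str(trans.network_address + offset)


if __name__ == "__main__":
    # Constructed scenario: both sites use 192.168.1.0/24, so the local site
    # presents itself to the tunnel as 10.100.1.0/24 (the connection's Local subnet).
    local_actual = ["192.168.1.0/24", "10.0.5.0/24"]
    remote = "192.168.1.0/24"
    print("overlaps:", overlapping_pairs(local_actual, [remote]))
    for subnet in local_actual:
        print(subnet, "=>", nat_plan(subnet, remote, "10.100.1.0/24" if subnet.startswith("192.168") else "10.100.5.0/24"))
    print("192.168.1.25 appears to the remote site as", translate("192.168.1.25", "192.168.1.0/24", "10.100.1.0/24"))
```

In the UI terms used above, `10.100.1.0/24` is the subnet you enter as the connection's Local subnet (shown under Translated subnet), `192.168.1.0/24` is selected under Original subnet, and `10.0.5.0/24` keeps the default Not translated option.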

Note

For route-based VPNs with local and remote subnets set to Any, use NAT rules instead of these NAT settings. For more information about NAT for VPNs, see Routing and NAT for IPsec tunnels.

Advanced settings

The User authentication mode setting applies only to IKEv1 profiles, such as Default profile, DefaultL2TP, and DefaultHeadOffice.

The firewall uses Extended authentication (XAuth) to authenticate users in client-server mode after the IKEv1 Phase 1 exchange. XAuth uses the firewall's current authentication method, such as AD, RADIUS, or LDAP.

  1. Select the client-server option as follows:

    • None: Doesn't enforce user authentication.
    • As client: The local firewall acts as an XAuth client.

      Enter the username and password for authentication with the remote firewall.

      Set the remote firewall to the As server option.

    • As server: The firewall acts as an XAuth server. This option is recommended for head offices.

      Under Allowed users and groups, select the users you want to allow.

      Set the remote firewall to the As client option.

  2. Click Save.

The idle connection settings have been deprecated.