Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/22.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=network-interfaces-xfrm

Configure an XFRM interface

Learn how to assign an IP address to an XFRM interface and configure the settings. XFRM interfaces secure traffic through route-based VPN tunnels and are automatically created when both the local and remote subnets are set to Any in the IPsec connection.

Requirements

You must meet the following requirements:

  • Go to Administration > Device access and make sure you've turned on the WAN zone under IPsec.
  • Select Any under local and remote subnets in the route-based VPN connection. If you've selected specific subnets, XFRM interfaces aren't created.

Specify the interface settings

You can specify the general and advanced settings.

General settings

You can assign an IP address. The firewall automatically assigns the other settings.

  1. Go to Network > Interfaces.
  2. Click the row of the physical interface you specified as the listening interface in the route-based VPN connection.
  3. Click the XFRM interface.
  4. Enter a name.

  5. The firewall assigns the following values by default:

    • Hardware: Name of the record.
    • IPsec connection: Name of the associated route-based IPsec connection.

    • Network zone: VPN

      The XFRM interface always belongs to the VPN zone.

  6. Specify the settings for the IP version you selected in the IPsec connection.

    • IPv4/netmask: Enter an IPv4 address and select the subnet.
    • IPv6/prefix: Enter an IPv6 address and a prefix.

    The firewall only applies the IP version you specify in the associated IPsec connection. It doesn't apply the other IP version even if you specify the settings here.

    It applies both IP versions if you've set IP version to Dual in the IPsec connection.

Advanced settings

You can change the advanced settings or retain the default values.

  1. Click Advanced settings, then click Interface settings.

  2. You can retain the default MTU or enter a different value.

    The firewall assigns an MTU value after subtracting the maximum IPsec overhead from the physical interface MTU.

  3. Select Override MSS and enter a value if your network requires a value other than the default.

  4. Click Save.