SSL VPN settings
Configure the global SSL VPN settings here.
- Go to VPN > Show SSL VPN settings.
- Select the protocol to be used.
  - TCP: TCP guarantees in-order packet delivery. It is slower but more secure than UDP. It is recommended for emailing, web surfing, FTP and SSH.
  - UDP: With UDP, data can be lost. It is faster than TCP and usually used for streaming media, DNS, VoIP and TFTP.
- Select a local SSL certificate to be used by the SSL VPN server to identify itself to the clients.
  Note: You can use self-signed certificates by using the corresponding option in the Certificates menu.
- Specify the settings as required.
  - Override hostname: Set the server IP address for client VPN connections. Usually this should be the external IP address of Sophos XG Firewall.
  - IPv4 lease range: IP address range used to distribute IP addresses to the SSL clients.
  - Subnet mask: Netmask for the IP address range above.
    Note: The netmask must not be greater than 29 bits, because OpenVPN cannot handle address ranges whose netmask is /30, /31, or /32. The netmask is limited to a minimum of 16 bits.
  - IPv6 lease (IPv6/prefix): Set the IPv6 prefix in the first field and the netmask in the last field to lease IPv6 addresses to clients.
    Note: You also have to select both IPv4 and IPv6 as Lease mode.
  - Lease mode: Select whether to lease only IPv4 addresses to SSL clients, or both IPv4 and IPv6 addresses.
  - IPv4 DNS: Specify up to two IPv4 DNS servers (primary and secondary) of your organization.
  - IPv4 WINS: Specify up to two IPv4 WINS servers (primary and secondary) of your organization. Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows operating systems. Effectively, WINS is to NetBIOS names what DNS is to domain names: a central mapping of hostnames to IP addresses.
  - Domain name: Enter the hostname of your Sophos XG Firewall as a fully qualified domain name (FQDN). The FQDN is an unambiguous domain name that specifies the node's absolute position in the DNS tree hierarchy, for example sf.example.com. A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a TLD (top-level domain) such as com, org, or de. The hostname is used in notification messages to identify the Sophos XG Firewall.
  - Disconnect dead peer after: Enter a time limit in seconds after which a dead connection will be terminated by Sophos XG Firewall. Default: 180 seconds.
  - Disconnect idle peer after: Enter a time limit in minutes after which an idle connection will be terminated. Default: 15 minutes.
- Specify the Cryptographic settings.
  - Encryption algorithm: Specify the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, all in Cipher Block Chaining (CBC) mode:
    - DES-EDE3-CBC
    - AES-128-CBC (128 bit)
    - AES-192-CBC (192 bit)
    - AES-256-CBC (256 bit)
    - BF-CBC (Blowfish, 128 bit)
  - Authentication algorithm: Specify the hash algorithm used to authenticate the data sent through the VPN tunnel. The following algorithms are supported:
    - SHA-1 (160 bit) (not recommended)
    - SHA2 256 (256 bit)
    - SHA2 384 (384 bit)
    - SHA2 512 (512 bit)
    - MD5 (128 bit) (not recommended)
  - Key size: The key size (key length) is the length of the Diffie-Hellman key exchange. The longer this key is, the more secure the symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.
  - Key lifetime: Enter a time period after which the key will expire. Default: 28,800 seconds.
- Specify the Compression settings.
  - Compress SSL VPN traffic: If enabled, all data sent through SSL VPN tunnels is compressed prior to encryption.
- Specify the Debug settings.
  - Enable debug mode: When debug mode is enabled, the SSL VPN log file contains extended information useful for debugging purposes.
- Click Apply.
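As an added worked example (not Sophos code and not taken from this page), the following Python script audits a set of global SSL VPN settings against the constraints and recommendations stated in the steps above: the /16 to /29 netmask limit, the lease mode required for IPv6 leasing, the supported algorithm lists with their "not recommended" entries, the two key size options, and the positive timeout and key lifetime values. The setting names, the sample values, and the optional `internal_networks` overlap check are assumptions made for this example, not fields or checks of the firewall itself.

```python
"""Added example, not Sophos XG Firewall code: audit global SSL VPN settings
against the limits and recommendations stated on this page. Setting names
and sample values are constructed for the example."""
import ipaddress

# Algorithm and size lists exactly as this page enumerates them.
SUPPORTED_CIPHERS = {"DES-EDE3-CBC", "AES-128-CBC", "AES-192-CBC",
                     "AES-256-CBC", "BF-CBC"}
SUPPORTED_AUTH = {"SHA-1", "SHA2 256", "SHA2 384", "SHA2 512", "MD5"}
NOT_RECOMMENDED_AUTH = {"SHA-1", "MD5"}   # marked "not recommended" above
SUPPORTED_KEY_SIZES = {1024, 2048}
MIN_PREFIX, MAX_PREFIX = 16, 29           # netmask limits from the note above


def audit_sslvpn_settings(settings, internal_networks=()):
    """Return (pool, findings): pool is the IPv4 lease range as an
    ipaddress.IPv4Network (None if unparsable); each finding is a
    (severity, message) tuple, "error" for invalid or inconsistent values,
    "warn" for accepted values weaker than the page recommends.
    internal_networks is an assumed extra input, not a firewall option: LAN
    prefixes the lease pool must not overlap, since overlap breaks routing."""
    findings = []
    pool = None

    # Protocol: TCP or UDP only.
    if settings.get("protocol") not in ("TCP", "UDP"):
        findings.append(("error", "protocol must be TCP or UDP"))

    # IPv4 lease range + subnet mask; strict=False zeroes any host bits.
    try:
        pool = ipaddress.ip_network(
            f"{settings['ipv4_lease_range']}/{settings['subnet_mask']}", strict=False)
    except (KeyError, ValueError) as exc:
        findings.append(("error", f"invalid IPv4 lease range: {exc}"))
    if pool is not None:
        if not MIN_PREFIX <= pool.prefixlen <= MAX_PREFIX:
            findings.append(("error", f"subnet mask /{pool.prefixlen} is outside "
                                      f"the allowed /{MIN_PREFIX} to /{MAX_PREFIX} range"))
        for net in internal_networks:
            if pool.overlaps(ipaddress.ip_network(net)):
                findings.append(("warn", f"lease pool {pool} overlaps {net}"))

    # IPv6 leasing only takes effect in the combined lease mode.
    if settings.get("ipv6_lease") and settings.get("lease_mode") != "IPv4 and IPv6":
        findings.append(("error", "IPv6 lease set but lease mode is not 'IPv4 and IPv6'"))

    # Dead/idle peer timeouts must be positive (seconds / minutes).
    for key, unit in (("dead_peer_seconds", "seconds"), ("idle_peer_minutes", "minutes")):
        if settings.get(key, 0) <= 0:
            findings.append(("error", f"{key} must be a positive number of {unit}"))

    # Cryptographic settings.
    cipher = settings.get("encryption")
    if cipher not in SUPPORTED_CIPHERS:
        findings.append(("error", f"unsupported encryption algorithm {cipher!r}"))
    auth = settings.get("authentication")
    if auth not in SUPPORTED_AUTH:
        findings.append(("error", f"unsupported authentication algorithm {auth!r}"))
    elif auth in NOT_RECOMMENDED_AUTH:
        findings.append(("warn", f"{auth} is marked not recommended; use SHA2 256 or stronger"))
    key_size = settings.get("key_size")
    if key_size not in SUPPORTED_KEY_SIZES:
        findings.append(("error", "key size must be 1024 or 2048 bits"))
    elif key_size == 1024:
        findings.append(("warn", "1024-bit Diffie-Hellman is the weaker option; prefer 2048"))
    if settings.get("key_lifetime_seconds", 0) <= 0:
        findings.append(("error", "key lifetime must be a positive number of seconds"))

    # Compression is applied before encryption, so leave it off unless required.
    if settings.get("compress"):
        findings.append(("warn", "compression runs before encryption; enable only if bandwidth requires it"))

    return pool, findings


# Constructed sample settings: one weak configuration and one hardened one.
WEAK_SETTINGS = {
    "protocol": "UDP", "ipv4_lease_range": "10.200.0.0",
    "subnet_mask": "255.255.255.252",          # /30, rejected per the note above
    "lease_mode": "IPv4", "dead_peer_seconds": 180, "idle_peer_minutes": 15,
    "encryption": "BF-CBC", "authentication": "MD5",
    "key_size": 1024, "key_lifetime_seconds": 28800, "compress": True,
}
HARDENED_SETTINGS = {
    "protocol": "TCP", "ipv4_lease_range": "10.200.0.0",
    "subnet_mask": "255.255.255.0", "lease_mode": "IPv4 and IPv6",
    "ipv6_lease": "2001:db8:1::/64",           # RFC 3849 documentation prefix
    "dead_peer_seconds": 180, "idle_peer_minutes": 15,
    "encryption": "AES-256-CBC", "authentication": "SHA2 256",
    "key_size": 2048, "key_lifetime_seconds": 28800, "compress": False,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        pool, findings = audit_sslvpn_settings(cfg, internal_networks=("10.10.0.0/16",))
        print(f"{name}: pool={pool}, {len(findings)} finding(s)")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run as a script, the weak configuration produces one error (the /30 mask) and three warnings (MD5, 1024-bit key size, compression), while the hardened one produces none. The `internal_networks` argument is the one check that goes beyond the page: a lease pool that overlaps a LAN prefix is accepted by the form but leaves clients unable to reach that network, so it is worth catching before clicking Apply.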