SSL VPN settings

Make the global SSL VPN settings here.

The Show SSL VPN settings tab allows you to define parameters requested for remote access such as protocols, server certificates and IP addresses for SSL clients. The SSL VPN client supports most business applications such as native Outlook, native Windows file sharing, and many more.
  1. Go to VPN > Show SSL VPN settings.
  2. Select the protocol to be used.
    TCP TCP guarantees (in-order) packet delivery. It is slower but more secure than UDP. It is recommended to be used for emailing, web-surfing, FTP, SSH.
    UDP With UDP data could be lost. It is faster than TCP and usually used for streaming media, DNS, VoIP, TFTP.
  3. Select a local SSL certificate to be used by the SSL VPN server to identify itself against the clients.
    Note You can use self-signed certificates by using the corresponding option in the Certificates menu.
  4. Specify the settings as required.
    Override hostname Set the server IP address for client VPN connection. Usually this should be the external IP address of Sophos XG Firewall.
    IPv4 lease range IP address range which is used to distribute IP addresses to the SSL clients.
    Subnet mask Netmask for the IP address range above.
    Note The netmask must not be greater than 29 bits, because OpenVPN cannot handle address ranges whose netmask is /30, /31, or /32. The netmask is limited to a minimum of 16.
    IPv6 lease (IPv6/prefix) Set the IPv6 prefic in the first field and the netmask in the last field to lease IPv6 addresses to clients.
    Note You also have to select IPv4 and IPv6 both as Lease mode.
    Lease mode  
    IPv4 DNS  
    IPv4 WINS  
    Lease mode
    Select if you want to only lease IPv4 addresses to SSL clients or both IPv4 and IPv6 addresses.
    IPv4 DNS
    Specify up to two IPv4 DNS servers, primary and secondary, of your organization.
    IPv4 WINS
    Specify up to two IPv4 WINS servers, primary and secondary, of your organization.
    Windows Internet Naming Service (WINS) is Microsoft’s implementation of NetBIOS Name Server (NBNS) on Windows operating systems. Effectively, WINS is to NetBIOS names what DNS is to domain names—a central mapping of hostnames to IP addresses.
    Domain name
    Enter the hostname of your Sophos XG Firewall as a fully qualified domain name (FQDN). The FQDN is an unambiguous domain name that specifies the node’s absolute position in the DNS tree hierarchy, for example A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a TLD (top level domain) such as com, org, or de. The hostname will be used in notification messages to identify the Sophos XG Firewall.
    Disconnect dead peer after
    Enter a time limit in seconds after which a dead connection will be terminated by Sophos XG Firewall.
    Default: 180 seconds.
    Disconnect idle peer after
    Enter a time limit in minutes when an idle connection will be terminated.
    Default: 15 minutes.
  5. Specify the Cryptographic settings.
    Encryption algorithm
    Specify the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported and all in Cipher Block Chaining (CBC) mode:
    • DES-EDE3-CBC
    • AES-128-CBC (128 bit)
    • AES-192-CBC (192 bit)
    • AES-256-CBC (256 bit)
    • BF-CBC (Blowfish (128 bit))
    Authentication algorithm
    • SHA-1 (160 bit) (not recommended)
    • SHA2 256 (256 bit)
    • SHA2 384 (384 bit)
    • SHA2 512 (512 bit)
    • MD5 (128 bit) (not recommended)
    Key size
    The key size (key length) is the length of the Diffie-Hellman key exchange. The longer this key is, the more secure the symmetric keys are. The length is specified in bits. You can choose between a key size of 1024 or 2048 bits.
    Key lifetime
    Enter a time period after which the key will expire.
    Default: 28,800 seconds
  6. Specify the Compression settings.
    Compress SSL VPN traffic
    If enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption.
  7. Specify the Debug settings.
    Enable debug mode
    When enabling debug mode, the SSL VPN log file will contain extended information useful for debugging purposes.
  8. Click Apply.