Connections
On the IPsec > Connections tab you can create and edit IPsec connections.
To create an IPsec connection, proceed as follows:
-
On the Connections tab, click New IPsec Remote Access Rule.
The Add IPsec Remote Access Rule dialog box opens.
-
Specify the following settings:
Name: Enter a descriptive name for this connection.
Interface: Select the name of the interface which is used as the local endpoint of the IPsec tunnel.
Local networks: Select or add the local networks that should be reachable through the VPN tunnel. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.
Virtual IP pool: The IP address pool where clients get an IP address assigned from in case they do not have a static IP address. The default pool is VPN Pool (IPsec) which comprises the private IP space 10.242.4.0/24. You can, however, select or create a different IP address pool. Note that the netmask is limited to a minimum of 16. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.
Policy: Select the IPsec policy for this IPsec connection. IPsec policies can be defined on the Remote Access > IPsec > Policies tab.
Authentication type: Select the authentication type for this remote gateway definition. The following types are available:
-
Preshared key: Authentication with Preshared Keys (PSK) uses secret passwords as keys. These passwords must be distributed to the endpoints before establishing the connection. When a new VPN tunnel is established, each side checks that the other knows the secret password. The security of PSKs depends on the quality of the passwords used: common words and phrases are subject to dictionary attacks. Permanent or long-term IPsec connections should use certificates instead.
-
X.509 certificate: The X.509 certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key along with information identifying the owner of the key. Such certificates are signed and issued by a trusted Certificate Authority (CA). Once selected, specify the users that should be allowed to use this IPsec connection. Unless you select the checkbox Automatic firewall rules, you need to specify appropriate firewall rules manually in the Network Protection menu.
Note – Only users who you select in the Allowed users box and for whom a user definition exists on Sophos UTM on AWS can access the User Portal. Authorized users find the Sophos Connect as well as a link to installation instructions in the User Portal.
- CA DN match: This authentication type uses a match of the Distinguished Name (DN) of CA certificates to verify the keys of the VPN endpoints. Once selected, select an Authority and choose a DN mask that matches the DNs of remote access clients. Now select or add a Peer Subnet Range. Clients are only allowed to connect if the DN mask matches the one in their certificate.
Enable XAUTH (optional): Extended authentication should be enabled to require authentication of users against configured backends.
Automatic firewall rules (optional): This option is only available with the authentication type X.509 Certificate. By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled.
Comment (optional): Add a description or other information.
-
-
Click Save.
The new remote access rule appears on the Connections list.
To either edit or delete a remote access rule, click the corresponding buttons.