On the SSL > Advanced tab you can configure various advanced server options ranging from the cryptographic settings, through compression settings, to debug settings.
Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL. Changes applied here always affect both SSL configurations.
These settings control the encryption parameters for all SSL VPN remote access clients:
- Encryption algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, all of them in Cipher Block Chaining (CBC) mode:
  - AES-128-CBC (128 bit)
  - AES-192-CBC (192 bit)
  - AES-256-CBC (256 bit)
  - BF-CBC (Blowfish, 128 bit)
- Authentication algorithm: The authentication algorithm specifies the algorithm used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:
  - MD5 (128 bit)
  - SHA-1 (160 bit)
  - SHA2 256 (256 bit)
  - SHA2 384 (384 bit)
  - SHA2 512 (512 bit)
- Key size: The key size (key length) is the length, in bits, of the Diffie-Hellman parameters used for the key exchange. The longer this key is, the more secure the symmetric keys are. You can choose between a key size of 1024, 2048, 3072 or 4096 bits.
- Server certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself to the clients.
  Note – Sophos UTM on AWS does not support wildcard certificates or certificates signed by an intermediate CA for the SSL VPN.
- Key lifetime: Enter a time period after which the key will expire. The default is 28,800 seconds.
Compress SSL VPN traffic: When enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption.
Enable debug mode: When debug mode is enabled, the SSL VPN log file will contain extended information useful for debugging purposes.
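The settings above are the ones an administrator would want to audit after an export. The following is an added example, not Sophos code, that checks them against a baseline; it assumes the tab's values were rendered into an OpenVPN-style configuration (directives `cipher`, `auth`, `dh`, `reneg-sec`, `comp-lzo`, with the page's "SHA2 256" spelled `SHA256`), and the baseline is an assumed organisational policy, not a Sophos recommendation.

```python
# Added example: audit the SSL > Advanced settings as rendered into an
# OpenVPN-style configuration. ASSUMPTION: directive names and spellings are
# OpenVPN's; the BASELINE is one organisation's policy, not Sophos guidance.
import re

SUPPORTED_CIPHERS = {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC", "BF-CBC"}  # the tab's four
SUPPORTED_AUTH = {"MD5", "SHA1", "SHA256", "SHA384", "SHA512"}               # the tab's five
DEFAULT_KEY_LIFETIME = 28800                                                 # page default, seconds

# Assumed baseline: AES only (Blowfish has a 64-bit block), SHA2 HMACs only, DH >= 2048 bits.
BASELINE = {"ciphers": {"AES-128-CBC", "AES-192-CBC", "AES-256-CBC"},
            "auth": {"SHA256", "SHA384", "SHA512"}, "min_dh_bits": 2048}

def parse_profile(text):
    """Map each directive to its first argument, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            settings[parts[0]] = parts[1] if len(parts) > 1 else ""
    return settings

def audit(settings):
    """Return human-readable findings; an empty list means the baseline is met."""
    findings = []
    cipher = settings.get("cipher", "")
    if cipher not in SUPPORTED_CIPHERS:
        findings.append(f"cipher {cipher!r} is not one of the four CBC ciphers the tab offers")
    elif cipher not in BASELINE["ciphers"]:
        findings.append(f"cipher {cipher} is below baseline (64-bit block cipher)")
    auth = settings.get("auth", "")
    if auth not in BASELINE["auth"]:
        findings.append(f"auth {auth or 'unset'} is below baseline (SHA2 family required)")
    m = re.search(r"(\d+)", settings.get("dh", ""))          # e.g. dh1024.pem -> 1024
    bits = int(m.group(1)) if m else 0
    if bits < BASELINE["min_dh_bits"]:
        findings.append(f"DH parameters are {bits or 'unknown'} bits, below {BASELINE['min_dh_bits']}")
    lifetime = int(settings.get("reneg-sec") or DEFAULT_KEY_LIFETIME)
    if lifetime > DEFAULT_KEY_LIFETIME:
        findings.append(f"key lifetime {lifetime}s exceeds the {DEFAULT_KEY_LIFETIME}s default")
    if "comp-lzo" in settings:
        findings.append("compression before encryption is enabled; confirm it is intended")
    return findings

# Constructed sample, not a real export: every setting chosen to trip the baseline.
SAMPLE_PROFILE = "cipher BF-CBC\nauth SHA1\ndh dh1024.pem\nreneg-sec 86400\ncomp-lzo\n"

if __name__ == "__main__":
    for finding in audit(parse_profile(SAMPLE_PROFILE)):
        print("-", finding)
```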