On the IPsec > Connections tab you can create and edit IPsec connections.
To create an IPsec connection, proceed as follows:
On the Connections tab, click New IPsec Remote Access Rule.
The Add IPsec Remote Access Rule dialog box opens.
Make the following settings:
Name: Enter a descriptive name for this connection.
Interface: Select the name of the interface which is used as the local endpoint of the IPsec tunnel.
Local networks: Select or add the local networks that should be reachable through the VPN tunnel. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Virtual IP pool: The IP address pool where clients get an IP address assigned from in case they do not have a static IP address. The default pool is VPN Pool (IPsec) which comprises the private IP space 10.242.4.0/24. You can, however, select or create a different IP address pool. Note that the netmask is limited to a minimum of 16. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Policy: Select the IPsec policy for this IPsec connection. IPsec policies can be defined on the Remote Access > IPsec > Policies tab.
Preshared key: Authentication with Preshared Keys (PSK) uses secret passwords as keys. These passwords must be distributed to the endpoints before establishing the connection. When a new VPN tunnel is established, each side checks that the other knows the secret password. The security of PSKs depends on the quality of the passwords used: common words and phrases are subject to dictionary attacks. Permanent or long-term IPsec connections should use certificates instead.
X.509 certificate: The X.509 Certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key together with information identifying the owner of the key. Such certificates are signed and issued by a trusted Certificate Authority (CA). Once selected, specify the users that should be allowed to use this IPsec connection. Unless you select the checkbox Automatic firewall rules, you need to specify appropriate firewall rules manually in the Network Protection menu.
Note – The User Portal can only be accessed by users who are selected in the Allowed users box and for whom a user definition does exist on Sophos UTM on AWS. Authorized users who have successfully logged in to the User Portal find the Sophos IPsec Client (SIC), its configuration file, the PKCS#12 file as well as a link to installation instructions, which are available at the Sophos Knowledge Base.
- CA DN match: This authentication type uses a match of the Distinguished Name (DN) of CA certificates to verify the keys of the VPN endpoints. Once selected, select an Authority and choose a DN mask that matches the DNs of remote access clients. Now select or add a Peer Subnet Range. Clients are only allowed to connect if the DN mask matches the one in their certificate.
Enable XAUTH (optional): Extended authentication should be enabled to require authentication of users against configured backends.
Automatic firewall rules (optional): This option is only available with the authentication type X.509 Certificate. By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled.
Comment (optional): Add a description or other information.
The new remote access rule appears on the Connections list.