On the Site-to-site VPN > IPsec > Remote Gateways tab you can define the remote gateways for your site-to-site VPN tunnels. These remote network definitions will become available when creating IPsec connections on the IPsec > Connections tab.
To add a remote gateway, proceed as follows:
On the Remote Gateways tab, click New Remote Gateway.
The Add Remote Gateway dialog box opens.
Make the following settings:
Name: Enter a descriptive name for this remote gateway.
Gateway type: Select the type of the gateway. The following types are available:
- Initiate connection: Select if the remote endpoint has a static IP address so that a connection to the remote gateway can be initiated by the gateway. If selected, specify the remote gateway in the Gateway box. Note that you can also select this option if the remote gateway is resolved through DynDNS.
- Respond only: Select if the IP address of the remote endpoint is unknown or cannot be resolved through DynDNS. The gateway is not able to initiate a connection to the remote gateway but waits for incoming connections to which it only needs to respond.
- Preshared key: Authentication with Preshared Keys (PSK) uses secret passwords as keys. These passwords must be distributed to the endpoints before establishing the connection. When a new VPN tunnel is established, each side checks that the other knows the secret password. The security of PSKs depends on the quality of the passwords used: common words and phrases are subject to dictionary attacks. Permanent or long-term IPsec connections should use certificates instead.
- RSA key: Authentication using RSA keys is much more sophisticated. In this scheme, each side of the connection generates a key pair consisting of a public key and a private key. The private key is necessary for the encryption and authentication during the key exchange. Both endpoints of an IPsecVPN connection using this authentication method need their own key pair. Copy the public RSA key of the remote unit (Site-to-site VPN > IPsec > Local RSA Key) into the Public Key box of the local unit and vice versa. In addition, enter the VPN ID types and VPN identifiers that correspond to the respective RSA keys.
- Local X.509 certificate: Similarly, the X.509 certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key together with information identifying the owner of the key. Such certificates are signed and issued by a trusted Certificate Authority (CA). During the key exchange process, the certificates are exchanged and authenticated using a locally stored CA certificate. Select this authentication type if the X.509 certificate of the remote gateway is locally stored on the unit.
- Remote X.509 certificate: Select this authentication type if the X.509 certificate of the remote gateway is not locally stored on the unit. You must then select the VPN ID type and VPN identifier of the certificate being used on the remote unit, that is, the certificate which is selected in the Local X.509 Certificate area of the Site-to-site VPN > IPsec > Advanced tab.
VPN ID type: Depending on the authentication type you must select a VPN ID type and VPN identifier. The VPN identifier entered here must match the values configured on the remote site. Suppose you are using two Sophos UTM on AWS appliances for establishing a site-to-site VPN tunnel. If you select RSA Key as authentication type on the local unit, the VPN ID type and the VPN identifier must match what is configured on the Site-to-site VPN > IPsec > Local RSA Key tab on the remote unit. You can select among the following VPN ID types:
- IP address
- Email address
- Distinguished name: Only available with Remote X.509 Certificate authentication.
- Any: Default with Respond Only gateway type.
Remote networks: Select the remote networks that should be reachable via the remote gateway.
Comment (optional): Add a description or other information.
Make advanced settings if necessary.
The following advanced settings should only be made when you know what their impact is:
Support path MTU discovery: PMTU (Path Maximum Transmission Unit) refers to the size of data packets transmitted. It is usually preferable that IP data packets be of the largest size that does not require fragmentation anywhere along the path from the source to the destination. If any of the data packets are too large to be forwarded without fragmentation by some router along the path, that router will discard them and return ICMP Destination Unreachable messages with a code meaning "fragmentation needed and DF set". Upon receipt of such a message, the source host reduces its assumed PMTU for the path.
If you enable this option, Sophos UTM on AWS enables PMTU if it is enabled on the server side.
Support congestion signaling (ECN): ECN (Explicit Congestion Notification) is an extension to the Internet Protocol and allows end-to-end notifications of network congestion without dropping packets. Select this option if you want to copy ECN information from the original IP packet header into the IPsec packet header. Note that the remote endpoint must support it as well as the underlying network and involved routers.
Enable XAUTH client mode: XAUTH is an extension of IPsec IKE to authenticate users via username and password at a VPN gateway. To use XAUTH for authentication with this remote gateway, select the option and provide username and password (twice) as required by the remote gateway.
The gateway definition appears on the Remote Gateways list.