Remote Gateways

On the Site-to-site VPN > IPsec > Remote Gateways tab you can define the remote gateways for your site-to-site VPN tunnels. These remote network definitions will become available when creating IPsec connections on the IPsec > Connections tab.

To add a remote gateway, proceed as follows:

  1. On the Remote Gateways tab, click New Remote Gateway.

    The Add Remote Gateway dialog box opens.

  2. Make the following settings:

    Name: Enter a descriptive name for this remote gateway.

    Gateway type: Select the type of the gateway. The following types are available:

    Authentication type: Select the authentication type for this remote gateway definition. The following types are available:

    VPN ID type: Depending on the authentication type you must select a VPN ID type and VPN identifier. The VPN identifier entered here must match the values configured on the remote site. Suppose you are using two Sophos UTM appliances for establishing a site-to-site VPN tunnel. If you select RSA Key as authentication type on the local unit, the VPN ID type and the VPN identifier must match what is configured on the Site-to-site VPN > IPsec > Local RSA Key tab on the remote unit. You can select among the following VPN ID types:

    Remote networks: Select the remote networks that should be reachable via the remote gateway.

    Comment (optional): Add a description or other information.

  3. Make advanced settings if necessary.

    The following advanced settings should only be made when you know what their impact is:

    Support path MTU discovery: PMTU (Path Maximum Transmission Unit) refers to the size of data packets transmitted. It is usually preferable that IP data packets be of the largest size that does not require fragmentation anywhere along the path from the source to the destination. If any of the data packets are too large to be forwarded without fragmentation by some router along the path, that router will discard them and return ICMP Destination Unreachable messages with a code meaning "fragmentation needed and DF set". Upon receipt of such a message, the source host reduces its assumed PMTU for the path.
    If you enable this option, Sophos UTM uses PMTU discovery provided it is also enabled on the server side.

    Support congestion signaling (ECN): ECN (Explicit Congestion Notification) is an extension to the Internet Protocol and allows end-to-end notifications of network congestion without dropping packets. Select this option if you want to copy ECN information from the original IP packet header into the IPsec packet header. Note that the remote endpoint must support it as well as the underlying network and involved routers.

    Enable XAUTH client mode: XAUTH is an extension of IPsec IKE to authenticate users via username and password at a VPN gateway. To use XAUTH for authentication with this remote gateway, select the option and provide username and password (twice) as required by the remote gateway.

  4. Click Save.

    The gateway definition appears on the Remote Gateways list.

To either edit or delete a remote gateway definition, click the corresponding buttons.
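The path MTU discovery mechanism behind the "Support path MTU discovery" setting, as an added simulation written for this page (not Sophos code): a source sends DF-set packets, a hop whose link is too small returns the ICMP "fragmentation needed and DF set" report with its MTU, and the source lowers its assumed PMTU until the packet gets through. It also models the failure case where a hop silently drops oversized packets without returning ICMP, so discovery never converges. All hop names and MTU values are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Hop:
    """One router/link on the path. mtu is the outgoing link MTU in bytes (constructed)."""
    name: str
    mtu: int
    returns_icmp: bool = True  # False models a hop that filters ICMP (PMTU black hole)


@dataclass
class Source:
    pmtu: int                              # current assumed path MTU, starts at local link MTU
    log: list = field(default_factory=list)

    def send(self, path, size):
        """Send one packet of `size` bytes with DF set along `path`.
        Returns 'delivered', ('frag_needed', next_hop_mtu) or 'dropped'."""
        for hop in path:
            if size > hop.mtu:
                if hop.returns_icmp:
                    # ICMP Destination Unreachable, code "fragmentation needed and DF set",
                    # carrying the next-hop MTU so the source can adjust (RFC 1191 style).
                    return ("frag_needed", hop.mtu)
                return "dropped"           # discarded with no feedback to the source
        return "delivered"


def discover_pmtu(path, start_mtu, max_attempts=8):
    """Run PMTU discovery from a source with link MTU `start_mtu`.
    Returns (pmtu, converged, attempts); converged is False when packets vanish
    without any ICMP report (black hole) or the attempt budget is exhausted."""
    src = Source(pmtu=start_mtu)
    for attempt in range(1, max_attempts + 1):
        result = src.send(path, src.pmtu)
        src.log.append((src.pmtu, result))
        if result == "delivered":
            return src.pmtu, True, attempt
        if result == "dropped":
            return src.pmtu, False, attempt
        _, next_hop_mtu = result
        # Honour the reported MTU; if a hop reports nothing smaller, still shrink to make progress.
        src.pmtu = next_hop_mtu if next_hop_mtu < src.pmtu else src.pmtu - 1
    return src.pmtu, False, max_attempts


if __name__ == "__main__":
    path = [Hop("local-wan", 1500), Hop("isp-core", 1440), Hop("remote-gw", 1400)]
    print(discover_pmtu(path, 1500))
```

A black-holing hop (returns_icmp=False) is the classic reason a tunnel passes small packets but stalls on large ones; the simulation reports converged=False for it.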

© 2019 Sophos Limited Sophos UTM 9.600