Connections
To create an SSL (Secure Sockets Layer) VPN (Virtual Private Network) site-to-site tunnel, you must create the server configuration first. The client configuration is always the second step.
To create a server configuration, proceed as follows:
- On the Connections tab, click New SSL Connection. The Add SSL Connection dialog box opens.
- Specify the following settings:
Connection type: Select Server from the drop-down list.
Connection name: Enter a descriptive name for the connection.
Use static virtual IP address (optional): Only select this option if the IP address pool is not compatible with the client's network environment. By default, clients are assigned an IP address from the Virtual IP Pool (configurable on the Settings tab). In rare cases such an address may already be in use on the client's host; if so, enter a suitable IP address in the Static Peer IP field, and that address is assigned to the client during tunnel setup.
Local networks: Select or add one or more local networks that are allowed to be accessed remotely. For how to add a network definition, see Definitions & Users > Network Definitions > Network Definitions.
Remote networks: Select or add one or more remote networks that are allowed to connect to the local network(s).
Note – You can change the Local networks and Remote networks settings later without having to reconfigure the client.
Automatic firewall rules (optional): When enabled, Sophos UTM will automatically allow access to the selected local networks for all accessing SSL VPN clients.
Comment (optional): Add a description or other information.
- Click Save. The new SSL server connection appears on the Connections list.
- Download the configuration file. Use the Download button in the row of the newly created SSL server connection to download the client configuration file for this connection.
Encrypt configuration file (optional): Encrypting the configuration file is advisable for security reasons, as it is handed to the client-side administrator. Enter a password twice.
Click Download peer config to save the file.
This file is needed by the client-side administrator in order to be able to set up the client endpoint of the tunnel.
The next step is the client configuration, which takes place on the client side, not on the server side. Ensure that the downloaded client configuration file is at hand.
To create a client configuration, proceed as follows:
- On the Connections tab, click New SSL Connection. The Add SSL Connection dialog box opens.
- Specify the following settings:
Connection type: Select Client from the drop-down list.
Connection name: Enter a descriptive name for the connection.
Configuration file: Click the Folder icon, browse for the client configuration file, and click Start Upload.
Password (optional): If the file has been encrypted, enter the password.
Use HTTP proxy server (optional): Select the checkbox if the client is located behind a proxy, and enter the proxy settings.
Proxy requires authentication (optional): Select the checkbox if the client needs to authenticate against the proxy, and enter the username and password.
Override peer hostname (optional): Select the checkbox and enter a hostname here if the server system's regular hostname (or DynDNS hostname) cannot be resolved from the client host.
Automatic firewall rules (optional): When enabled, Sophos UTM will automatically allow traffic between hosts on the tunneled local and remote networks.
Note – This option only works for site-to-site VPN tunnels between Sophos UTM devices. If you're connecting to VPN services on other devices, including Sophos Firewall and third-party VPN devices, you must manually create firewall rules on your UTM to allow traffic between the two devices. See "Manually create firewall rules on Sophos UTM".
Comment (optional): Add a description or other information.
- Click Save. The new SSL VPN client connection appears on the Connections list.
To edit or delete a client connection, click the corresponding buttons.
Click the Site-to-site VPN menu to see the status of the SSL VPN connection on the overview page. The status icon there turns green once the connection is established; information about the interconnected subnets on both sides of the tunnel then becomes available as well.
Manually create firewall rules on Sophos UTM
Firewall rules are automatically created only for site-to-site VPN tunnels between Sophos UTM devices. For other implementations, including Sophos Firewall and third-party VPN devices, you must manually create firewall rules to allow traffic between the two devices.
To create a firewall rule that allows traffic from the client to the server, do as follows:
- Go to Network protection > New rule.
- Select the matching criteria as follows:
- Source: LAN interface of UTM
- Destination: LAN interface of the VPN Server
- Action: Allow
- Turn on the rule.
To create a firewall rule that allows traffic from the server to the client, do as follows:
- Go to Network protection > New rule.
- Select the matching criteria as follows:
- Source: LAN interface of the VPN Server
- Destination: LAN interface of UTM
- Action: Allow
- Turn on the rule.