Configure IPsec remote access VPN with Sophos Connect client

You can configure IPsec remote access connections. Users can establish the connection using the Sophos Connect client.

Introduction

To configure and establish IPsec remote access connections over the Sophos Connect client, do as follows:

• Optional: Generate a locally-signed certificate.
• Configure the IPsec remote access connection.
• Send the configuration file to users.
• Optional: Assign a static IP address to a user
• Add a firewall rule.
• Allow access to services.
• Send the Sophos Connect client to users. Alternatively, users can download it from the user portal.

Users must do as follows:

• Install the Sophos Connect client on their endpoint devices.
• Import the configuration file into the client and establish the connection.

Configure a locally-signed certificate

1. Go to Certificates > Certificates and click Add.

2. Select Generate locally-signed certificate.
   Alternatively, you can select Upload certificate if you have one.

   

3. Specify the Certificate details for the locally-signed certificate.
   Here's an example:

   

4. Specify the Subject Name attributes.
   Here's an example:

   

5. Under Subject Alternative Names, enter a DNS name or IP address and click the add (+) button.
   Here's an example:

   

Configure IPsec (remote access)

Specify the settings for IPsec remote access connections.

1. Go to VPN > IPsec (remote access) and click Enable.

2. Specify the general settings.

   Name	Example settings
   Interface	203.0.113.1 Select a WAN port.
   Authentication type	Digital certificate
   Local certificate	Appliance certificate
   Remote certificate	TestCert Select a locally-singed certificate. Alternatively, select a certificate you've uploaded to Certificates > Certificates.
   Local ID	The firewall automatically selects the local ID for digital certificates. Make sure you've configured a certificate ID for the certificate.
   Remote ID	Make sure you've configured a certificate ID for the certificate.
   Allowed users and groups	TestGroup

   Here's an example:

   

3. Specify the client information.
   Here's an example:

   Name	Example settings
   Name	TestRemoteAccessVPN
   Assign IP from	192.168.1.11 192.168.1.254
   DNS server 1	192.168.1.5

   

4. Specify the advanced settings you want and click Apply.

   Name	Example settings
   Permitted network resources (IPv4)	LAN_10.1.1.0 DMZ_192.168.2.0
   Send Security Heartbeat through tunnel	Sends the Security Heartbeat of remote clients through the tunnel.
   Allow users to save username and password	Users can save their credentials.

   Here's an example:

   

5. Click Export connection at the bottom of the page.

   The exported tar.gz file contains a .scx file and a .tgb file.

   

6. Send the .scx file to users.

7. Optionally, download the client and send it to users.

Optional: Assign a static IP address to a user

To assign a static IP address to a user connecting through the Sophos Connect client, do as follows:

1. Go to Authentication > Users, and select the user.

2. On the user's settings page, go down to IPsec remote access, click Enable, and enter an IP address.

   Here's an example:

   

Add a firewall rule

Configure a firewall rule to allow traffic from VPN to LAN and DMZ since you want to allow remote users to access these zones in this example.

1. Enter a name.

2. Specify the source and destination zones as follows and click Apply:

   Name	Example settings
   Source zones	VPN
   Destination zones	LAN DMZ

   Here's an example:

   

   Note

   Under advanced settings for IPsec (remote access), if you select Use as default gateway, the Sophos Connect client sends all traffic, including traffic to the internet, from the remote user through the tunnel. To allow this traffic, you must additionally set the Destination zone to WAN in the firewall rule.

Allow access to services

You must allow access to services, such as the user portal and ping from VPN.

1. Go to Administration > Device access.

2. Select the checkbox under User portal for the following:

   1. WAN
   2. Wi-Fi

   This allows users to sign in to the user portal and download the Sophos Connect client. We recommend that you only allow temporary access from the WAN. 3. Select the checkboxes for VPN under the following: 1. User portal: Allows remote users to access the user portal through VPN. 2. Optional: DNS: Allows remote users to resolve domain names through VPN if you've specified DNS resolution through the firewall. 3. Optional: Ping/Ping6: Allows remote users to check VPN connectivity with the firewall. 4. Click Apply.

   

Configure Sophos Connect client on endpoint devices

Users must install the Sophos Connect client on their endpoint devices and import the .scx file to the client.

You can download the Sophos Connect client installers from the Sophos Firewall web admin console and share these with users.

Alternatively, users can download the Sophos Connect client from the user portal as follows:

1. Sign in to the user portal.
2. Click VPN.

3. Under Sophos Connect client, click one of the following options:

   • Download for Windows
   • Download for macOS

   

4. Click the Sophos Connect client.

   You can then see it in the system tray of your endpoint device.

5. Click the three dots button in the upper-right corner, click Import connection, and select the .scx file your administrator has sent.

   

6. Sign in using your user portal credentials.

   

7. Enter the verification code if two-factor authentication is required.

IPsec remote access connection will be established between the client and Sophos Firewall.