Sophos XG Firewall Web Interface Reference and Admin Guide v16.5
| Configure | 251
A virtual private network (VPN) is a tunnel that carries private network traffic from one endpoint system to another over a public network such as the Internet. The traffic is unaware of the intermediate hops between the endpoints, and the intermediate hops are unaware that they are carrying packets that belong to the tunnel. The tunnel may optionally compress and/or encrypt the data, improving performance and providing some measure of security. A VPN lets the endpoints communicate as if they were joined by a leased line or a direct dial-up call. VPNs allow users and telecommuters to connect to their corporate intranets or extranets.
VPNs are cost-effective because users connect to the Internet locally and tunnel back to corporate resources. This reduces the overhead of traditional remote access methods and improves flexibility and scalability. For business travellers and home workers, connecting securely to the corporate network is essential, and the device makes setting up a VPN almost effortless.
The two endpoints in a device VPN are referred to as:
• Local - First endpoint is the local machine itself.
• Remote - Second endpoint is the remote peer - the machine you are trying to establish a VPN connection to, or the machine which is trying to establish a VPN connection with you.
The device automatically encrypts the data and sends it to the remote site over the Internet, where it is automatically decrypted and forwarded to the intended destination. Encryption protects the confidentiality of the data, and the accompanying integrity check protects it against modification, even when it is transmitted over the untrusted public network. The device uses the IPsec protocol suite to protect traffic. In IPsec, the identity of the communicating peers is verified by authentication based on digital certificates, public keys or preshared keys.
The device ensures that all traffic passing through VPN tunnels is threat free. All firewall rules and policies apply to traffic entering and leaving the VPN tunnels: the device inspects it for viruses, worms, spam, inappropriate content and intrusion attempts. VPN traffic is by default subject to DoS inspection, and the device provides a facility to bypass scanning of traffic coming from selected hosts in a VPN zone. This is achieved through an additional zone, the VPN zone: VPN traffic passes through the VPN zone, and firewall rules can be applied to that zone.
The device can be used to establish VPN connections between sites (LAN-to-LAN) and from clients to a LAN (client-to-LAN). The VPN is the bridge between the local and remote networks or subnets.
The device supports the following protocols to authenticate and encrypt traffic:
• Internet Protocol Security (IPsec)
• Layer Two Tunneling Protocol (L2TP)
• Point-to-Point Tunneling Protocol (PPTP)
• Secure Socket Layer (SSL)
IPsec Connections
The IPsec menu allows you to create and manage IPsec connections and failover groups.
IP Security (IPsec) is a suite of protocols designed for cryptographically secure communication at the IP layer (layer 3).
IPsec protocols:
• Authentication Header (AH) – Authenticates the sender of each packet and protects the integrity of the packet data. AH also covers the immutable fields of the IP header, so it detects any change to the source or destination address in transit. Packets are authenticated with an integrity check value computed as a hash-based message authentication code (HMAC) over the packet using a shared key. AH provides no confidentiality.
• Encapsulating Security Payload (ESP) – Encrypts the packet payload (in tunnel mode, the entire original IP packet) and can also authenticate it. In addition to encryption, ESP provides the ability to authenticate the sender and to verify that the packet contents have not been modified.
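The following is an added worked example, not part of the Sophos guide, showing the integrity mechanism the AH description refers to: an HMAC-SHA1-96 integrity check value (ICV) computed over an IPv4 packet and its AH header with the mutable fields (TTL, header checksum and the ICV field itself) zeroed, as RFC 4302 specifies. The key, addresses and payload are constructed for the demonstration. Because TTL is excluded, a router decrementing it does not break verification, while a rewritten destination address, a modified payload or a different key does.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12           # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)
IP_HDR_LEN = 20        # IPv4 header without options
AH_FIXED_LEN = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number
AH_HDR_LEN = AH_FIXED_LEN + ICV_LEN
ICV_OFF = IP_HDR_LEN + AH_FIXED_LEN   # where the ICV sits in the packet


def ip2bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_ipv4_header(src, dst, ttl, total_len, proto=51):
    # Minimal IPv4 header; protocol 51 = AH. The header checksum is left at
    # zero: it is a mutable field and is excluded from the ICV in any case.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       ip2bytes(src), ip2bytes(dst))


def build_ah_header(spi, seq, next_header=17, icv=b"\x00" * ICV_LEN):
    # Payload Len = length of AH in 32-bit words minus 2 (RFC 4302), i.e. 4
    # for a 96-bit ICV.
    payload_len = AH_HDR_LEN // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def icv_input(packet):
    # Copy of the packet with mutable fields zeroed: TTL (byte 8), header
    # checksum (bytes 10-11) and the ICV field itself.
    p = bytearray(packet)
    p[8] = 0
    p[10:12] = b"\x00\x00"
    p[ICV_OFF:ICV_OFF + ICV_LEN] = b"\x00" * ICV_LEN
    return bytes(p)


def compute_icv(key, packet):
    return hmac.new(key, icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]


def ah_protect(key, src, dst, ttl, spi, seq, payload):
    total_len = IP_HDR_LEN + AH_HDR_LEN + len(payload)
    pkt = build_ipv4_header(src, dst, ttl, total_len) + build_ah_header(spi, seq) + payload
    icv = compute_icv(key, pkt)
    return pkt[:ICV_OFF] + icv + pkt[ICV_OFF + ICV_LEN:]


def ah_verify(key, packet):
    received = packet[ICV_OFF:ICV_OFF + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(key, packet))


# Helpers that model what an intermediate hop or an attacker might change.
def with_ttl(packet, ttl):
    p = bytearray(packet); p[8] = ttl; return bytes(p)


def with_dst(packet, dst):
    p = bytearray(packet); p[16:20] = ip2bytes(dst); return bytes(p)


def with_payload_byte(packet, offset, value):
    p = bytearray(packet); p[IP_HDR_LEN + AH_HDR_LEN + offset] = value; return bytes(p)


# Constructed demonstration key and packet (RFC 5737 documentation addresses).
KEY = b"constructed-demo-key-not-for-production"
PACKET = ah_protect(KEY, "203.0.113.10", "198.51.100.20", 64, 0x1000, 1, b"hello over the tunnel")

if __name__ == "__main__":
    print("original verifies:   ", ah_verify(KEY, PACKET))
    print("after TTL decrement: ", ah_verify(KEY, with_ttl(PACKET, 63)))
    print("after dst rewrite:   ", ah_verify(KEY, with_dst(PACKET, "198.51.100.99")))
    print("after payload tamper:", ah_verify(KEY, with_payload_byte(PACKET, 0, ord("j"))))
    print("wrong key:           ", ah_verify(b"other-key", PACKET))
```

ESP with an integrity algorithm uses the same HMAC construction, but computes it over the ESP header, the encrypted payload and the trailer rather than over the outer IP header, which is why ESP alone does not detect changes to the outer addresses.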
This page contains two (2) sections:
1. IPsec Connections
2. Failover Group
IPsec Connections
The IPsec Connections section displays a list of all IPsec connections. You can filter the list by name, group name, policy name, connection type and connection status. From this page you can add a new connection, update the parameters of an existing connection, or delete a connection; a connection can be created manually or through the connection wizard. For a remote access connection you can export the connection configuration by clicking the Export icon under the Manage column.
Note: You can also view and manage active IPsec connections on the System > Current Activity > IPsec Connections page.
The status of each connection is indicated by an icon in the list:
• Active but not connected – Click the icon to initiate the connection.
• Active and connected – Click the icon to disconnect the connection. Disconnecting deactivates the connection; to re-establish it, activate the connection again.
• Active but only partially connected – Click the icon to disconnect the connection. When multiple subnets are configured for the local and/or remote network, the device creates a sub-connection for each subnet; this status indicates that one of the sub-connections is not active.
• Inactive – Click the icon to activate the connection.
Failover Group
Connection Failover
Connection Failover provides an automatic backup connection for VPN traffic, giving "Always ON" connectivity for IPsec connections. If the primary connection fails, the next connection in the group takes over without manual intervention and keeps traffic moving. The process is transparent to users.
Connection Failback
While the primary connection is down, the device checks its health every 60 seconds. When the primary connection is restored, traffic fails back from the secondary connection to the primary without administrator intervention.
Connection Failover Group
A failover group is an ordered set of IPsec connections. The phase 1 and phase 2 security parameters of the connections in a group may be identical or may differ; each connection has its own remote gateway IP address. The order of connections in the group defines their failover priority. Failover to the next connection does not occur if the group is manually deactivated.
The failover group containing a connection must be activated once before that connection can participate in failover.
Failover to the next connection does not occur if the group is manually disconnected.
When the primary connection fails, the next active connection in the group takes over without manual intervention and keeps traffic moving. For example, if the 4th connection in the group is lost, the 5th connection takes over; once the 4th connection is restored, traffic automatically fails back from the 5th connection to the 4th.
The device considers a Site to Site or Host to Host connection failed if the remote peer does not reply.
Connections that are not part of a failover group do not participate in failover or failback and are not re-established automatically if lost.
To configure connection failover, you have to:
• Create connections.
• Create a failover group by grouping all the connections that are to be used for failover. The order of connections in the group defines the failover priority.
• Define a failover condition.
Prerequisites
• Packets of the protocol specified in the failover condition, and the replies to them, must be allowed between the local and remote servers on both sides.
• A connection can be a member of only one group.
• A connection must be ACTIVE to participate in failover.
Notes
1. When a connection is added as a member of a group, its DPD setting is set to "Disable", Key Negotiation Tries to 3, and Action on VPN Restart to "Disable".
2. When the connection is removed from the group, the original policy and connection configuration apply again.
3. If the connection is already established when it is added to a failover group, it is disconnected.
4. Failover configuration is not retained across a factory reset.
The Failover Group section displays the list of failover groups. You can filter or sort the groups by group name, and add, update or delete groups. The list also shows the status of each group with an icon indicating whether the group is active or inactive.
Types of IPsec Connections
An IPsec connection is an encrypted VPN connection established between two systems using Internet Protocol Security (IPsec). It can link two hosts, two sites, or a remote user and a LAN.
The device supports the following types of IPsec connections:
• Remote Access – This type of VPN is a user-to-internal-network connection via a public or shared network. Many large companies have employees who need to connect to the internal network from the field. These field agents access the internal network from remote computers and laptops without a static IP address.
• Site to Site – A Site to Site VPN connects an entire network (such as a LAN or WAN) to a remote network via a network-to-network connection. A network-to-network connection requires routers on each side of the connecting networks to transparently process and route information from one node on a local LAN to another node on a remote LAN.
• Host to Host – A Host to Host VPN connects one desktop or workstation to another by way of a host-to-host connection. This type of connection uses the network to which each host is connected to create a secure tunnel between the two.
To add a connection, see:
• Add IPsec Remote Access Connection
• Add IPsec Site to Site Connection
• Add IPsec Host to Host Connection
Add IPsec Remote Access Connection
1. Go to Configure > VPN > IPsec Connections and click Add in the section IPsec Connections.
2. Specify the General Settings details.
Name
Enter a unique name to identify the IPsec connection.
Description
Enter a description for the IPsec VPN connection.
Connection Type
Select Remote Access.
Policy
Select the policy to be used for connection.
Action on VPN Restart
Select the action to be taken on the connection when VPN services or the device restarts.
Available options:
• Respond Only – Keeps connection ready to respond to any incoming request.
• Disable – Keeps connection disabled until the user activates it.
Figure 252: General Settings
3. Specify the Authentication Details.
Authentication Type
Select the authentication type. How the peers authenticate each other depends on the type of connection.
Available options:
Preshared Key
Preshared key authentication uses a single secret that both peers possess. The key is used to authenticate the peers to each other during key negotiation; the keys that encrypt the tunnel traffic are derived separately during that negotiation, so the preshared key itself never encrypts data. On selecting this option, provide the following details:
• Preshared Key – Specify the preshared key to be used. The preshared key must be at least 5 characters; treat this as a floor, not a target, and use a long random value.
• Confirm Preshared Key – Enter the same preshared key to confirm it.
This preshared key has to be communicated to the peer at the remote end over a channel that is itself secure. At the remote end, the client has to specify this key for authentication. If the keys do not match, the user will not be able to establish the connection.
Digital Certificate
Digital certificate authentication is a mechanism whereby both peers present a digital certificate issued by a certificate authority (CA). Each peer must trust the CA that issued the other peer's certificate, that is, it must hold that CA's certificate.
• Local Certificate – Select the local certificate that the device presents for authentication.
• Remote Certificate – Select the certificate that the remote peer must present for authentication.
Figure 253: Authentication Details
4. Specify the Endpoint Details.
Local
Select local WAN port from the list.
IP aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote
Specify an IP address or domain name of the remote peer.
Figure 254: Endpoints Details
5. Specify the Network Details.
IP Family
The IP family is enabled automatically according to the IP address selected for the local WAN port.
Local Subnet
Select local LAN address.
Add and remove LAN addresses using the Add and Remove buttons.
Local ID (available only if Authentication Type selected is Preshared Key)
Select any type of ID from the available options and specify its value.
Available options:
• DNS
• IP Address
• Email Address
• DER ASN1 DN(X.509)
Note: If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the local certificate.
Allow NAT Traversal
Enable NAT traversal if a NAT device is located between the VPN endpoints, i.e. when the remote peer has a private, non-routable IP address.
Only one connection at a time can be established from behind a given NAT device.
Remote LAN Network
Select IP hosts from the list of available IP hosts.
A new IP host can be created by clicking Add New Item or through the System > Hosts and Services > IP Host page.
Remote ID (available only if Authentication Type selected is Preshared Key)
Select any type of ID from the available options and specify its value.
Available options:
• DNS
• IP Address
• Email Address
• DER ASN1 DN(X.509)
Note: If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the remote certificate.
Figure 255: Network Details
6. Specify the User Authentication details.
User Authentication Mode
Select whether user authentication is required when the connection is established.
Available options:
• Disabled – Select if user authentication is not required.
• Enable as Client – The device authenticates itself to the remote gateway; specify the username and password it presents.
• Enable as Server – The device authenticates connecting users; add all users who are allowed to connect.
Figure 256: User Authentication
7. Specify the Quick Mode Selectors details.
Protocol
Select the protocols that are allowed through the tunnel. The tunnel carries only traffic that uses the selected protocols.
Available options:
• All
• ICMP
• UDP
• TCP
Local Port (available only if Protocol selected is UDP or TCP)
Specify the port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel.
Acceptable range: 1 to 65535
To allow any local port, enter *.
Remote Port (available only if Protocol selected is UDP or TCP)
Specify the port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.
Acceptable range: 1 to 65535
To allow any remote port, enter *.
Figure 257: Quick Mode Selectors
8. Specify Advanced Settings details.
Disconnect when tunnel is idle
Enable this option to let the device delete a VPN session that has been idle for longer than the specified idle session time interval.
The default setting is disabled.
Idle session time interval (available only if Disconnect when tunnel is idle is enabled)
Specify the time after which an idle VPN session is deleted by the device.
Acceptable range: 120 to 999
Figure 258: Advanced Settings
9. Click Save.
Add IPsec Site to Site Connection
1. Go to Configure > VPN > IPsec Connections and click Add in the section IPsec Connections.
2. Specify the General Settings details.
Name
Enter a unique name to identify the IPsec connection.
Description
Enter a description for the IPsec VPN connection.
Connection Type
Select Site to Site.
Policy
Select the policy to be used for connection.
A new policy can be added by clicking Create new or through the Configure > VPN > IPsec Profiles page.
Action on VPN Restart
Select the action to be taken on the connection when VPN services or the device restarts.
Available options:
• Respond Only – Keeps connection ready to respond to any incoming request.
• Disable – Keeps connection disabled until the user activates it.
• Initiate – Activates connection on system/service start so that the connection can be established whenever required.
Figure 259: General Settings
3. Specify the Authentication details.
Authentication Type
Select the authentication type. How the peers authenticate each other depends on the type of connection.
Available options:
Preshared Key
Preshared key authentication uses a single secret that both peers possess. The key is used to authenticate the peers to each other during key negotiation; the keys that encrypt the tunnel traffic are derived separately during that negotiation, so the preshared key itself never encrypts data. On selecting this option, provide the following details:
• Preshared Key – Specify the preshared key to be used. The preshared key must be at least 5 characters; treat this as a floor, not a target, and use a long random value.
• Confirm Preshared Key – Enter the same preshared key to confirm it.
This preshared key has to be communicated to the peer at the remote end over a channel that is itself secure. At the remote end, the peer has to specify this key for authentication. If the keys do not match, the connection cannot be established.
Digital Certificate
Digital certificate authentication is a mechanism whereby both peers present a digital certificate issued by a certificate authority (CA). Each peer must trust the CA that issued the other peer's certificate, that is, it must hold that CA's certificate.
• Local Certificate – Select the local certificate that the device presents for authentication.
• Remote Certificate – Select the certificate that the remote peer must present for authentication.
RSA Key
RSA key authentication is a mechanism whereby each peer holds its own RSA key pair and the key of the other peer. The keys authenticate the peers to each other; they do not encrypt the tunnel traffic.
• Local RSA Key – Displays the device's automatically generated RSA key, which cannot be modified here. The private part of the key pair is known only to the device and is never transmitted over the network.
• Remote RSA Key – Enter the RSA key of the remote peer. Keys can be regenerated from the CLI console; refer to the console guide for more details.
Figure 260: Authentication Details
4. Specify the Endpoint Details.
Local
Select local WAN port from the list.
IP aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote
Specify an IP address or domain name of the remote peer.
Click the Add icon next to the field to add a new endpoint pair, or the Remove icon to remove one.
For each additional endpoint pair, specify a failover group name and define the failover condition.
Figure 261: Endpoints Details
5. Specify the Network Details
IP Family
Select the IP family. IPsec VPN tunnels can be configured with mixed IP families.
Available options:
• IPv4
• IPv6
By default, IPv4 will be selected.
Four types of IPsec VPN tunnel can be created:
• 4 in 4 (IPv4 subnets with IPv4 gateway)
• 6 in 6 (IPv6 subnets with IPv6 gateway)
• 4 in 6 (IPv4 subnets with IPv6 gateway)
• 6 in 4 (IPv6 subnets with IPv4 gateway)
Local Subnet
Select local LAN address.
Add and remove LAN addresses using the Add and Remove buttons.
Local ID (available only if Authentication Type selected is Preshared Key or RSA Key)
Select any type of ID from the available options and specify its value.
Available options:
• DNS
• IP Address
• Email Address
• DER ASN1 DN(X.509)
Note: If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the local certificate.
Allow NAT Traversal
Enable NAT traversal if a NAT device is located between the VPN endpoints, i.e. when the remote peer has a private, non-routable IP address.
Only one connection at a time can be established from behind a given NAT device.
Remote LAN Network
Select IP hosts from the list of available IP hosts.
A new IP host can be created by clicking Add New Item or through the System > Hosts and Services > IP Host page.
Remote ID (available only if Authentication Type selected is Preshared Key or RSA Key)
Select any type of ID from the available options and specify its value.
Available options:
• DNS
• IP Address
• Email Address
• DER ASN1 DN(X.509)
Note: If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the remote certificate.
Figure 262: Network Details
6. Specify the User Authentication details.
User Authentication Mode
Select whether user authentication is required when the connection is established.
Available options:
• Disabled – Select if user authentication is not required.
• Enable as Client – The device authenticates itself to the remote gateway; specify the username and password it presents.
• Enable as Server – The device authenticates connecting users; add all users who are allowed to connect.
Figure 263: User Authentication
7. Specify Quick Mode Selectors details.
Protocol
Select the protocols that are allowed through the tunnel. The tunnel carries only traffic that uses the selected protocols.
Available options:
• All
• ICMP
• UDP
• TCP
Local Port (available only if Protocol selected is UDP or TCP)
Specify the port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel.
Acceptable range: 1 to 65535
To allow any local port, enter *.
Remote Port (available only if Protocol selected is UDP or TCP)
Specify the port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.
Acceptable range: 1 to 65535
To allow any remote port, enter *.
Figure 264: Quick Mode Selectors
8. Specify Advanced Settings details.
Disconnect when tunnel is idle
Enable this option to let the device delete a VPN session that has been idle for longer than the specified idle session time interval.
Default: disabled.
Idle session time interval (available only if Disconnect when tunnel is idle is enabled)
Specify the time after which an idle VPN session is deleted by the device.
Acceptable range: 120 to 999
Figure 265: Advanced Settings
9. Click Save.
Add IPsec Host to Host Connection
This page describes how to create an IPsec Host to Host connection.
1. Go to Configure > VPN > IPsec Connections and click Add in the IPsec Connections section.
2. Specify the General Settings details.
Name
Enter a unique name for the IPsec connection.
Description
Enter a description for the IPsec VPN connection.
Connection Type
Select Host to Host.
Policy
Select the policy to be used for the connection.
A new policy can be added by clicking Create new or on the Configure > VPN > IPsec Profiles page.
Action on VPN Restart
Select the action to be taken on the connection when VPN services or the device restarts.
Available Options:
• Respond Only – Keeps the connection ready to respond to any incoming request.
• Disable – Keeps the connection disabled until the user activates it.
• Initiate – Activates the connection on system/service start so that the connection can be established whenever required.
Figure 266: General Settings
3. Specify the Authentication Details.
Authentication Type
Select the authentication type. How the peers authenticate each other depends on the type of connection.
Available Options:
• Preshared Key – Preshared key authentication uses a single secret that both peers possess. The key is used to authenticate the peers to each other during key negotiation; the keys that encrypt the tunnel traffic are derived separately during that negotiation, so the preshared key itself never encrypts data. On selecting this option, provide the following details:
  • Preshared Key – Specify the preshared key to be used. The preshared key must be at least 5 characters; treat this as a floor, not a target, and use a long random value.
  • Confirm Preshared Key – Provide the same preshared key to confirm it.
  This preshared key has to be communicated to the peer at the remote end over a channel that is itself secure. At the remote end, the peer has to specify this key for authentication. If the keys do not match, the connection cannot be established.
• Digital Certificate – Digital certificate authentication is a mechanism whereby both peers present a digital certificate issued by a certificate authority (CA). Each peer must trust the CA that issued the other peer's certificate, that is, it must hold that CA's certificate.
  • Local Certificate – Select the local certificate that the device presents for authentication.
  • Remote Certificate – Select the certificate that the remote peer must present for authentication.
• RSA Key – RSA key authentication is a mechanism whereby each peer holds its own RSA key pair and the key of the other peer. The keys authenticate the peers to each other; they do not encrypt the tunnel traffic.
  • Local RSA Key – Displays the device's automatically generated RSA key, which cannot be modified here. The private part of the key pair is known only to the device and is never transmitted over the network.
  • Remote RSA Key – Enter the RSA key of the remote peer. Keys can be regenerated from the CLI console; refer to the console guide for more details.
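The preshared key description that appears in the Remote Access, Site to Site and Host to Host procedures above concerns authentication, not traffic encryption: in IPsec the preshared key proves each peer's identity during IKE, while the keys that protect the tunnel come from the Diffie-Hellman exchange. The following added example (not Sophos code) shows the IKEv2 construction from RFC 7296, section 2.15, AUTH = prf(prf(PSK, "Key Pad for IKEv2"), SignedOctets), with HMAC-SHA-256 as the prf. The IKE_SA_INIT messages, peer identities and SK_p values are constructed placeholders; in a real exchange they come from the negotiation itself.

```python
import hmac
import hashlib
import secrets

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296, section 2.15


def prf(key, data):
    # IKEv2 prf instantiated as PRF_HMAC_SHA2_256.
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(own_init_message, peer_nonce, sk_p, own_id_payload):
    # What a peer authenticates: its own IKE_SA_INIT message, the other side's
    # nonce, and a MAC of its own ID payload under SK_p (a key derived from
    # the Diffie-Hellman exchange). sk_p is a constructed stand-in here.
    return own_init_message + peer_nonce + prf(sk_p, own_id_payload)


def auth_payload(psk, octets):
    # AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>)
    return prf(prf(psk, KEY_PAD), octets)


def verify_auth(psk, octets, received_auth):
    return hmac.compare_digest(auth_payload(psk, octets), received_auth)


def run_exchange(initiator_psk, responder_psk, n_i, n_r):
    """Simulate the PSK authentication step of one IKE_AUTH exchange.

    Returns (responder accepts initiator, initiator accepts responder).
    Messages, identities and SK_p values are constructed placeholders.
    """
    init_i = b"IKE_SA_INIT(initiator) nonce=" + n_i
    init_r = b"IKE_SA_INIT(responder) nonce=" + n_r
    sk_pi, sk_pr = b"sk_pi-from-dh", b"sk_pr-from-dh"        # constructed
    id_i, id_r = b"branch.example.net", b"hq.example.net"     # constructed IDs
    octets_i = signed_octets(init_i, n_r, sk_pi, id_i)
    octets_r = signed_octets(init_r, n_i, sk_pr, id_r)
    auth_i = auth_payload(initiator_psk, octets_i)   # sent by the initiator
    auth_r = auth_payload(responder_psk, octets_r)   # sent by the responder
    return (verify_auth(responder_psk, octets_i, auth_i),
            verify_auth(initiator_psk, octets_r, auth_r))


def replay_is_rejected(psk):
    # AUTH is bound to the nonces of the exchange it was produced in, so an
    # AUTH captured from one exchange does not verify in a later one.
    old = signed_octets(b"init", b"nonce-1", b"sk", b"id")
    new = signed_octets(b"init", b"nonce-2", b"sk", b"id")
    captured = auth_payload(psk, old)
    return not verify_auth(psk, new, captured)


def generate_psk(nbytes=32):
    # The GUI accepts as few as 5 characters; that is a floor, not a target.
    # 32 random bytes as URL-safe text is a sensible value to paste into both
    # peers.
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    n_i, n_r = secrets.token_bytes(32), secrets.token_bytes(32)
    print("matching PSKs:  ", run_exchange(b"same-secret", b"same-secret", n_i, n_r))
    print("mismatched PSKs:", run_exchange(b"same-secret", b"typo-secret", n_i, n_r))
    print("replay rejected:", replay_is_rejected(b"same-secret"))
    print("generated PSK:  ", generate_psk())
```

The key never leaves either peer: each side only proves that it can compute the same MAC over the exchange transcript, which is also why a typo in the key on one side shows up as a failed IKE_AUTH rather than as garbled traffic.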
Figure 267: Authentication Details
4. Specify the Endpoint Details.
Local
Select local WAN port from the list.
IP aliases created for WAN interfaces will be listed along with the default WAN interfaces.
Remote
Specify an IP address or domain name of the remote peer.
Click the Add icon next to the field to add a new endpoint pair, or the Remove icon to remove one.
For each additional endpoint pair, specify a failover group name and define the failover condition.
Figure 268: Endpoints Details
5. Specify the Network Details.
Local ID (available only if selected Authentication Type is Preshared Key or RSA Key)
Select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
Note: If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the local certificate.
Allow NAT Traversal
Enable NAT traversal if a NAT device is located between the VPN endpoints, i.e. when the remote peer has a private, non-routable IP address.
Only one connection at a time can be established from behind a given NAT device.
Remote LAN Network (available only if Allow NAT Traversal is enabled)
Select IP hosts from the list of available IP hosts.
A new IP host can be created by clicking Add New Item or on the System > Hosts and Services > IP Host page.
Remote ID (available only if selected Authentication Type is Preshared Key or RSA Key)
Select any type of ID from the available options and specify its value.
Available Options:
• DNS
• IP Address
• DER ASN1 DN (X.509)
Note: If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the remote certificate.
Figure 269: Network Details
6. Specify User Authentication details.
User Authentication Mode
Select whether user authentication is required when the connection is established.
Available Options:
• Disabled – Select if user authentication is not required.
• Enable as Client – The device authenticates itself to the remote gateway; specify the username and password it presents.
• Enable as Server – The device authenticates connecting users; add all users who are allowed to connect.
Figure 270: User Authentication
7. Specify Quick Mode Selectors details.
Protocol
Select the protocols that are allowed through the tunnel. The tunnel carries only traffic that uses the selected protocols.
Available Options:
• All
• ICMP
• UDP
• TCP
Local Port (available only if Protocol selected is UDP or TCP)
Specify the port number that the local VPN peer uses for the TCP or UDP traffic carried by the tunnel.
Acceptable range: 1 to 65535
To allow any local port, enter *.
Remote Port (available only if Protocol selected is UDP or TCP)
Specify the port number that the remote VPN peer uses for the TCP or UDP traffic carried by the tunnel.
Acceptable range: 1 to 65535
To allow any remote port, enter *.
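The Quick Mode Selectors fields (Protocol, Local Port, Remote Port) appear in all three procedures above. The following added example (not Sophos code) implements the matching rules those fields describe, so the effect of a selector set can be checked against sample flows before the tunnel is built: "All" matches every protocol, ICMP has no port fields, "*" means any port, and a connection that selects several protocols carries a flow if any one selector matches. The selector set and the flows are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

PROTOCOLS = ("All", "ICMP", "UDP", "TCP")   # the values the Protocol field offers


@dataclass(frozen=True)
class Selector:
    protocol: str
    local_port: str = "*"    # "*" or "1".."65535"; only meaningful for UDP/TCP
    remote_port: str = "*"

    def __post_init__(self):
        # Mirror the GUI's validation: known protocol, ports in 1-65535 or "*".
        if self.protocol not in PROTOCOLS:
            raise ValueError(f"unknown protocol {self.protocol!r}")
        for p in (self.local_port, self.remote_port):
            if p != "*" and not (p.isdigit() and 1 <= int(p) <= 65535):
                raise ValueError(f"port must be * or 1-65535, got {p!r}")


@dataclass(frozen=True)
class Flow:
    protocol: str                     # "ICMP", "UDP", "TCP" or another IP protocol name
    local_port: Optional[int] = None  # None for protocols without ports
    remote_port: Optional[int] = None


def port_matches(selector_port, flow_port):
    return selector_port == "*" or flow_port == int(selector_port)


def selector_allows(sel, flow):
    if sel.protocol == "All":
        return True
    if sel.protocol != flow.protocol:
        return False
    if sel.protocol == "ICMP":
        return True   # ICMP has no port fields, so the port selectors do not apply
    return (port_matches(sel.local_port, flow.local_port)
            and port_matches(sel.remote_port, flow.remote_port))


def tunnel_allows(selectors, flow):
    # A connection may select several protocols; the tunnel carries the flow
    # if any configured selector matches it.
    return any(selector_allows(s, flow) for s in selectors)


# Constructed policy: DNS over UDP and RDP over TCP, from any local port.
SELECTORS = [Selector("UDP", "*", "53"), Selector("TCP", "*", "3389")]

if __name__ == "__main__":
    for flow in (Flow("UDP", 40000, 53), Flow("TCP", 50000, 3389),
                 Flow("TCP", 50000, 22), Flow("ICMP")):
        print(flow, "->", "carried" if tunnel_allows(SELECTORS, flow) else "not carried")
```

Narrow selectors such as these are the usual way to keep a partner tunnel from becoming a general-purpose path into the LAN; traffic that does not match is simply not placed into the tunnel and is subject to the ordinary firewall rules instead.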
Figure 271: Quick Mode Selectors
8. Specify Advanced Settings details.
Disconnect when tunnel is idle
Enable this option to let the device delete a VPN session that has been idle for longer than the specified idle session time interval.
Idle session time interval (available only if Disconnect when tunnel is idle is enabled)
Specify the time after which an idle VPN session is deleted by the device.
Acceptable range: 120 to 999
Figure 272: Advanced Settings
9. Click Save.
IPsec Connection Wizard
The IPsec Connection Wizard guides you through the configuration of a VPN connection step by step, as an alternative to filling in the Add form manually.
The wizard is not available if you are managing the device through Sophos Firewall Manager.
The VPN Connection Wizard takes you step-by-step through the configuration of a VPN connection on the device.
After the configuration is completed, the wizard creates a new VPN connection.
The wizard is divided into two panels, the Configuration panel and the Help panel. Configuration parameters are entered in the Configuration panel, while the Help panel on the left-hand side provides help on those parameters.
The first screen of the wizard provides an overview of the configuration steps. You can create three types of connection through the wizard:
• Remote Access
• Site to Site
• Host to Host
Creating Remote Access Connection Using VPN Wizard
Go to Configure > VPN > IPsec Connections. Click Wizard and follow the steps given below.
Specify name and description (if required) for a VPN connection and click Start. The Help panel on left-most side provides an overview of each configuration step.
On the Select a Connection Type page
1. Select the connection type Remote Access.
2. Select VPN policy to be applied to the connection traffic. Default policies as well as custom policies applicable to connection will be displayed.
3. Select action to be taken on the connection when VPN services or the device restart.
Available options:
• Disable – Connection will be disabled till the user activates it.
• Respond Only – Connection in ready state to respond to any incoming request.
4. Click > icon to continue.
On the Authentication Details page
1. Select the authentication type.
Available options:
• Preshared Key – Specify a preshared key of at least 5 characters. This preshared key has to be communicated to the peer at the remote end; there, the client has to specify this key for authentication. Refer to the VPN client guide, Phase 1 Configuration. If the keys do not match, the user will not be able to establish the connection.
• Digital Certificate – Select the local certificate that the device uses for authentication and the remote certificate that the remote peer uses for authentication.
2. Click > to continue.
On the Local Network Details page
1. Select Local WAN Port. The selected port acts as the local endpoint of the tunnel.
2. Select Local Subnet. Select the local network(s) you wish to give access to remote users via this connection.
3. Select Local ID.
For Preshared Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.
For Digital Certificate, the ID and its value configured in the local certificate are displayed automatically.
4. Click > to continue.
On the Remote Network Details page
1. In the Remote VPN Server field specify the IP address or host name of the remote endpoint.
To specify any IP address, enter *.
2. Enable NAT traversal if a NAT device exists between your VPN endpoints i.e. when remote peer has private/nonroutable IP address.
3. Select Remote Subnet. Select the remote network(s) that you wish to access via this connection. This option will be available only if NAT traversal is enabled.
4. Select Remote ID.
For Preshared Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.
For Local Certificate, the ID and its value configured in the local certificate are displayed automatically.
5. Click > to continue.
On the User Authentication page
1. Select User Authentication Mode.
Available options:
• Disabled – Choose if authentication is not required.
• Enable as Client – Enter username and password for authentication by the remote gateway.
• Enable as Server – Select all the users that are to be allowed to connect.
2. Click > to continue.
On the IPsec Connection Summary page
The page displays the settings with which the IPsec connection will be created.
Click Finish to create the IPsec connection or click < to go back to the previous page and change the settings.
Creating Site to Site Connection using VPN Wizard
Go to Configure > VPN > IPsec Connections. Click Wizard and follow the steps given below:
Specify a name and description (if required) for the VPN connection and click Start. The Help panel on the left-most side provides an overview of each configuration step.
On the Select a Connection Type page
1. Select the connection type Site to Site.
2. Select VPN policy to be applied to the connection traffic. Default policies as well as custom policies applicable to connection will be displayed.
3. Select action to be taken on the connection when VPN services or the device restart.
Available options:
• Disable – Connection will be disabled until the user activates it.
• Respond Only – Connection is in ready state to respond to any incoming request.
• Initiate – Establish the connection every time VPN services or the device restart.
4. Click > icon to continue.
On the Authentication Details page
1. Select authentication type.
Available options:
• Preshared Key – Specify a preshared key of at least 5 characters.
This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate – Select the local certificate that should be used for authentication by the device, and the remote certificate that should be used for authentication by the remote peer.
• RSA – The local RSA key is displayed; it can be re-generated from the CLI console. Refer to the console guide for more details. Specify the remote RSA key.
2. Click > to continue.
On the Local Network Details page
1. Select Local WAN Port. Selected port acts as an end-point of the tunnel.
2. Select Local Subnet. Select the local network(s) you wish to give access to remote users via this connection.
3. Select Local ID.
For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.
For Local Certificate, the ID and its value configured in the local certificate are displayed automatically.
4. Click > to continue.
On the Remote Network Details page
1. In the Remote VPN Server field specify the IP address or host name of the remote endpoint.
To specify any IP address, enter *.
2. Enable NAT traversal if a NAT device exists between your VPN endpoints, i.e., when the remote peer has a private/non-routable IP address.
3. Select Remote Subnet. Select the remote network(s) that you wish to access via this connection. This option will be available only if NAT traversal is enabled.
4. Select Remote ID.
For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.
For Local Certificate, the ID and its value configured in the local certificate are displayed automatically.
5. Click > to continue.
On the User Authentication page
1. Select User Authentication Mode.
Available options:
• Disabled – Choose if authentication is not required.
• Enable as Client – Enter username and password for authentication by the remote gateway.
• Enable as Server – Select all the users that are to be allowed to connect.
2. Click > to continue.
On the IPsec Connection Summary page
The page displays the settings with which the IPsec connection will be created.
Click Finish to create the IPsec connection or click < to go back to the previous page and change the settings.
Creating Host to Host Connection using VPN Wizard
Go to Configure > VPN > IPsec Connections. Click Wizard and follow the steps given below:
Specify a name and description (if required) for the VPN connection and click Start. The Help panel on the left-most side provides an overview of each configuration step.
On the Select a Connection Type page
1. Select the connection type Host to Host.
2. Select VPN policy to be applied to the connection traffic. Default policies as well as custom policies applicable to connection will be displayed.
3. Select action to be taken on the connection when VPN services or the device restart.
Available options:
• Disable – Connection will be disabled until the user activates it.
• Respond Only – Connection is in ready state to respond to any incoming request.
• Initiate – Establish the connection every time VPN services or the device restart.
4. Click > icon to continue.
On the Authentication Details page
1. Select authentication type.
Available options:
• Preshared Key – Specify a preshared key of at least 5 characters.
This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. Refer to the VPN client guide, Phase 1 Configuration.
If there is a mismatch in the key, the user will not be able to establish the connection.
• Digital Certificate – Select the local certificate that should be used for authentication by the device, and the remote certificate that should be used for authentication by the remote peer.
• RSA – The local RSA key is displayed; it can be re-generated from the CLI console. Refer to the console guide for more details. Specify the remote RSA key.
2. Click > to continue.
On the Local Network Details page
1. Select Local WAN Port. Selected port acts as an end-point of the tunnel.
2. Select Local ID.
For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.
For Local Certificate, the ID and its value configured in the local certificate are displayed automatically.
3. Click > to continue.
On the Remote Network Details page
1. In the Remote VPN Server field specify the IP address or host name of the remote endpoint.
To specify any IP address, enter *.
2. Enable NAT traversal if a NAT device exists between your VPN endpoints, i.e., when the remote peer has a private/non-routable IP address.
3. Select Remote Subnet. Select the remote network(s) that you wish to access via this connection. This option will be available only if NAT traversal is enabled.
4. Select Remote ID.
For Preshared Key and RSA Key, select any type of ID and enter its value. DER ASN1 DN (X.509) is not applicable.
For Local Certificate, the ID and its value configured in the local certificate are displayed automatically.
5. Click > to continue.
On the User Authentication page
1. Select User Authentication Mode.
Available options:
• Disabled – Choose if authentication is not required.
• Enable as Client – Enter username and password for authentication by the remote gateway.
• Enable as Server – Select all the users that are to be allowed to connect.
2. Click > to continue.
On the IPsec Connection Summary page
The page displays the settings with which the IPsec connection will be created.
Click Finish to create the IPsec connection or click < to go back to the previous page and change the settings.
Add VPN Failover Group
A VPN failover group enables you to have an always-on VPN connection. If the primary connection fails, the subsequent connection in the group will take over without manual intervention and keep traffic moving. The entire process is transparent to users.
1. Go to Configure > VPN > IPsec Connections and click Add in the section Failover Group.
2. Enter details of the group.
Name
Enter a unique name for the connection group.
Select Connection(s)
The Available Connections list displays the list of connections that can be added to the failover group. Click on the connections to be added to the Member Connections list. The device will select the subsequent active connection from the member connections list if the primary connection fails.
Connections having endpoints of different families can also be added to the failover group.
The top-down order of connections in the Member Connections list specifies the failover preference, i.e., if the primary connection fails, the very next connection in the list will be used by the device to keep the VPN traffic moving.
Once the connection is included in any group, it will not be displayed in the Available Connection list.
Remote access connections will not be listed in the Available Connections list.
You need to add at least two member connections in a group.
Mail Notification
Enable to receive a notification when the connection fails. The notification is mailed to the email address configured in the email settings of the Network Configuration Wizard.
Figure 273: Connection Group
Details
Failover Condition
Specify the failover condition. The device checks for connection failure every 60 seconds; if a failure is detected, VPN traffic is transferred through the subsequent connection specified in the connection group. The device considers a connection failed if the failover condition is not met.
Specify the communication protocol as TCP or PING. Select the protocol according to the service to be tested, which is on the remote server or the local gateway depending on the type of connection.
A request is sent on the specified port; if it is not answered, the device considers the connection failed and shifts the traffic to the subsequent connection.
Configure gateway failover timeout from Configure > Network > WAN Link Manager.
Failover Condition is not applicable if:
• Connection is manually disconnected from either of the ends.
• Connection is not included in any group.
Figure 274: Failover Condition
3. Click Save.
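The failover-group behaviour described above (top-down member preference, a TCP or PING probe against the configured port, a 60-second check interval, and the manually-disconnected exclusion) as an added illustration in Python. This is not Sophos code and does not talk to the device; the class and function names, the treatment of a manually disconnected member as a skipped candidate, and the Linux `ping -c 1 -W` syntax are assumptions made for the example.

```python
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

CHECK_INTERVAL_SECONDS = 60  # the device re-evaluates the failover condition every 60 s


@dataclass
class MemberConnection:
    """One IPsec connection in a failover group (constructed model, not the device's data)."""
    name: str
    remote_host: str                     # host tested by the failover condition
    protocol: str                        # "TCP" or "PING", as offered in the Failover Condition
    port: Optional[int] = None           # only meaningful for TCP
    manually_disconnected: bool = False  # assumption: such a member is skipped, never probed


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Send a TCP connection request to the configured port; no answer means the test failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ping_probe(host: str, timeout: float = 3.0) -> bool:
    """ICMP echo via the system ping tool (assumes Linux ping option syntax)."""
    result = subprocess.run(["ping", "-c", "1", "-W", str(int(timeout)), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def connection_is_up(conn: MemberConnection,
                     probe_tcp: Callable[[str, int], bool] = tcp_probe,
                     probe_ping: Callable[[str], bool] = ping_probe) -> bool:
    """Evaluate the failover condition for a single member with the configured protocol."""
    if conn.protocol == "TCP":
        if conn.port is None:
            raise ValueError(f"{conn.name}: a TCP failover condition needs a port")
        return probe_tcp(conn.remote_host, conn.port)
    if conn.protocol == "PING":
        return probe_ping(conn.remote_host)
    raise ValueError(f"{conn.name}: unsupported failover protocol {conn.protocol!r}")


def select_active_connection(members: List[MemberConnection],
                             probe_tcp: Callable[[str, int], bool] = tcp_probe,
                             probe_ping: Callable[[str], bool] = ping_probe) -> Optional[str]:
    """Return the member that should carry traffic: the first one, in top-down order,
    whose failover condition is met. None means every candidate has failed."""
    if len(members) < 2:
        raise ValueError("a failover group needs at least two member connections")
    for conn in members:
        if conn.manually_disconnected:
            continue  # failover condition is not applicable to a manually disconnected tunnel
        if connection_is_up(conn, probe_tcp, probe_ping):
            return conn.name
    return None
```

Running `select_active_connection` once every `CHECK_INTERVAL_SECONDS` with the real probes mirrors the device's periodic check; the probes are injectable so the selection logic can be exercised offline.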