Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


4. Specify the Advanced Settings.

Disconnect when tunnel is idle

Click to allow the device to delete an idle VPN session if it exceeds the specified idle session time interval.

Idle session time interval (available only if Disconnect when tunnel is idle option is enabled)

Specify the time limit after which an idle VPN session will be deleted by the device.

Acceptable Range: 120 to 999

Apply

Click to accept and save the Cisco VPN client configuration.

Export Connection (available only if a Cisco VPN connection is configured)

Click to export Cisco VPN client configuration.

Once the .tgb file has been exported, it has to be passed to the client.

On the client side, the client needs the Sophos IPsec client to import the .tgb file and establish a connection to Sophos XG Firewall.

The Sophos IPsec VPN client may be downloaded from https://www.sophos.com/en-us/support/utmdownloads.aspx.

Note: You cannot export the connection when an external certificate is selected as Remote Certificate.

Reset

Click to delete the entire Cisco VPN client configuration.

| Configure | 281

Figure 286: Advanced Settings

L2TP (Remote Access)

The L2TP Connections page displays a list of all the L2TP connections and you can sort the list based on the connection name. The page also provides the option to add a new connection, update existing connections, or delete a connection. The page displays the status of each connection as follows:

Connection Status | Active Connection | Description
(status icon) | (activation icon) | Connection is active but not connected. Click to initiate the connection.
(status icon) | (activation icon) | Connection is active and connected. Click to disconnect the connection. When you disconnect, the connection will be deactivated; to re-establish it, click again to activate the connection.
(status icon) | (activation icon) | Connection is inactive. Click to activate the connection.

Add L2TP Connection

This page describes how to create an L2TP connection.

1. Go to Configure > VPN > L2TP (Remote Access) and click Add.

2. Specify the General Settings.

Name

Enter a unique name for the L2TP connection.

Description

Enter a description for the L2TP connection.

Policy

Select a policy to be used for the connection.

A new policy can be added by clicking Create New.

Action on VPN Restart

Select the action to be taken on the connection when VPN services or the device restart.

Available Options:

Respond Only – Keeps the connection ready to respond to any incoming request.

Disable – Keeps the connection disabled until the user activates it.


Figure 287: General Settings

3. Specify the Authentication Details.

Authentication Type

Select the authentication type. Authentication of the user depends on the type of connection.

Available Options:

Preshared Key – Preshared key authentication is a mechanism whereby a single key is used for encryption and decryption. Both peers should possess the preshared key. The remote peer uses the preshared key for decryption. On selecting this option, the user has to provide the following details:

Preshared Key – Specify the preshared key to be used. The preshared key must be at least 5 characters long.

Confirm Preshared Key – Provide the same preshared key to confirm it.

This preshared key will have to be shared or communicated to the peer at the remote end. At the remote end, the client will have to specify this key for authentication. If there is a mismatch in the key, the user will not be able to establish the connection.

Digital Certificate – Digital certificate authentication is a mechanism whereby sender and receiver both use a digital certificate issued by the certificate authority. Both sender and receiver must have each other’s certificate authority.

Local Certificate – Select the local certificate that should be used for authentication by the device.

Remote Certificate – Select the remote certificate that should be used for authentication by the remote peer.


Figure 288: Authentication Details

4. Specify the Local Network Details.

Local WAN Port

Specify the local port number that the local VPN peer uses to transport traffic related to the TCP or UDP protocol.

Acceptable range: 1 to 65535

To specify any local port, enter *.

Local ID (available only if Authentication Type selected is Preshared Key)

Select any type of ID from the available options and specify its value.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.

If Digital Certificate is selected, the ID and its value are displayed automatically as specified in the Local Certificate.

Figure 289: Local Network Details

5. Specify the Remote Network Details.

Remote Host

Specify the IP address or hostname of the remote end-point. Specify * for any IP address.

Allow NAT Traversal

Enable NAT traversal if a NAT device is located between your VPN endpoints, i.e., when the remote peer has a private/non-routable IP address.

Only one connection at a time can be established behind a single NAT device.

Remote LAN Network

Select the IP address and netmask of the remote network that is allowed to connect to the device through the VPN tunnel. Multiple subnets can be specified. Select IP hosts from the list of IP hosts available on the Admin console.

You can also add a new IP host by clicking Create New or on System > Hosts and Services > IP Host.

Remote ID

Select any type of ID from the available options and specify its value.

Available Options:

• DNS

• IP Address

• Email

• DER ASN1 DN (X.509)

Note: DER ASN1 DN (X.509) cannot be used for Preshared Key authentication.

Figure 290: Remote Network Details

6. Specify the Quick Mode Selectors.

Local Port

Specify the local port number that the local VPN peer uses to transport traffic related to the TCP or UDP protocol.

Default: 1701

Acceptable range: 1 to 65535

To specify any local port, enter *.

Remote Port

Specify the remote port number that the remote VPN peer uses to transport traffic related to the TCP or UDP protocol.

Default: *

Acceptable range: 1 to 65535

To specify any remote port, enter *.

Figure 291: Quick Mode Selectors

7. Specify the Advanced Settings.

Disconnect when tunnel is idle

Click this option to allow the device to delete an idle VPN session if it exceeds the specified idle session time interval.
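The field rules given in steps 2 to 7 above (preshared key length and confirmation, the ID types allowed with a preshared key, port values of * or 1 to 65535, and the idle-session range) can be checked before a connection definition is pushed to a firewall. The validator below is an added example written for this guide, not Sophos code or a Sophos API; the dictionary keys and the sample connection are assumptions chosen for the illustration.

```python
# Added example (not from the Sophos guide): validates an L2TP remote-access
# connection definition against the field rules stated in the guide above.
# The dict keys and SAMPLE values are assumptions made for this illustration.
PSK_MIN_LEN = 5                  # "must be at least 5 characters long"
IDLE_MIN, IDLE_MAX = 120, 999    # idle session time interval range
ID_TYPES = {"DNS", "IP Address", "Email", "DER ASN1 DN (X.509)"}
PORT_FIELDS = ("local_wan_port", "local_port", "remote_port")

def valid_port(value) -> bool:
    """A port is '*' (any) or an integer in 1..65535."""
    if value == "*":
        return True
    return isinstance(value, int) and 1 <= value <= 65535

def validate_l2tp(conn: dict) -> list:
    """Return a list of problems; an empty list means the definition is valid."""
    errors = []
    auth = conn.get("auth_type")
    if auth == "Preshared Key":
        psk = conn.get("psk", "")
        if len(psk) < PSK_MIN_LEN:
            errors.append("preshared key shorter than 5 characters")
        if psk != conn.get("psk_confirm"):
            errors.append("preshared key and confirmation do not match")
        # Local ID and Remote ID: any listed type except DER ASN1 DN with a PSK
        for side in ("local_id", "remote_id"):
            id_type = conn.get(side, {}).get("type")
            if id_type not in ID_TYPES:
                errors.append(f"{side}: unknown ID type {id_type!r}")
            elif id_type == "DER ASN1 DN (X.509)":
                errors.append(f"{side}: DER ASN1 DN cannot be used with Preshared Key")
    elif auth == "Digital Certificate":
        for cert in ("local_cert", "remote_cert"):
            if not conn.get(cert):
                errors.append(f"{cert} must be selected")
    else:
        errors.append(f"unknown auth_type {auth!r}")
    for port in PORT_FIELDS:
        if not valid_port(conn.get(port)):
            errors.append(f"{port} must be * or 1-65535")
    if conn.get("disconnect_when_idle"):
        idle = conn.get("idle_interval")
        if not (isinstance(idle, int) and IDLE_MIN <= idle <= IDLE_MAX):
            errors.append("idle_interval must be 120-999")
    return errors

# Constructed sample using the guide's defaults (local port 1701, remote port *).
SAMPLE = {
    "auth_type": "Preshared Key", "psk": "s3cr3t-psk", "psk_confirm": "s3cr3t-psk",
    "local_id": {"type": "DNS", "value": "vpn.example.test"},
    "remote_id": {"type": "Email", "value": "user@example.test"},
    "local_wan_port": "*", "local_port": 1701, "remote_port": "*",
    "disconnect_when_idle": True, "idle_interval": 300,
}
```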
