Remote work or VPN review in Sophos XG Firewall

Hello! This article will be devoted to an overview of the VPN functionality in the Sophos XG Firewall product. In the previous article, we discussed how to get this solution for protecting your home network for free with a full license. Today we are going to talk about the VPN functionality built into the Sophos XG. I will try to tell you what this product can do, and also give examples of configuring an IPSec Site-to-Site VPN and a custom SSL VPN. So let’s get down to the review.

First, let’s look at the licensing table:

You can read more about how the Sophos XG Firewall is licensed here:

But in this article, we will be interested only in those items that are highlighted in red.

The main VPN functionality is included in the basic license and is purchased only once. This is a lifetime license and does not require renewal. The Base VPN Options module includes:


  • IPSec VPN

Remote Access (client VPN):

  • IPsec Clientless VPN (with free custom app)
  • L2TP
  • PPTP

As you can see, all popular protocols and types of VPN connections are supported.

Also, there are two other types of VPN connections in Sophos XG Firewall that are not included in the basic subscription. They are RED VPN and HTML5 VPN. These VPN connections are included in the Network Protection subscription, which means that in order to use these types, you must have an active subscription, which also includes the network protection functionality – IPS and ATP modules.

RED VPN is a proprietary L2 VPN from Sophos. This type of VPN connection has several advantages over Site-to-site SSL or IPSec when setting up a VPN between two XGs. Unlike IPSec, RED tunnel creates a virtual interface at both ends of the tunnel, which helps with troubleshooting problems, and unlike SSL, this virtual interface is completely customizable. The administrator has full control over the subnet within the RED tunnel, making it easier to resolve routing issues and subnet conflicts.

HTML5 VPN or Clientless VPN – A specific type of VPN that allows services to be passed through HTML5 right in the browser. The types of services that can be configured:

  • RDP
  • Telnet
  • SSH
  • VNC
  • FTP
  • FTPS
  • SFTP
  • SMB

But it is worth considering that this type of VPN is used only in special cases and it is recommended, if possible, to use the VPN types from the lists above.


Let’s take a look at how to set up several of these tunnel types, namely Site-to-Site IPSec and SSL VPN Remote Access.

Site-to-Site IPSec VPN

Let’s start with how to set up a Site-to-Site IPSec VPN tunnel between two Sophos XG Firewalls. StrongSwan is used under the hood, which allows you to connect to any IPSec enabled router.

You can use a convenient and quick setup wizard, but we will follow the general path so that, based on this manual, you can combine Sophos XG with any equipment via IPSec.

Let’s open the policy settings window:

As we can see, there are already preset settings, but we will create our own.

Let’s configure the encryption settings for the first and second phases and save the policy. By analogy, we do the same on the second Sophos XG and proceed to setting up the IPSec tunnel itself

Enter the name, operating mode and configure the encryption parameters. For example, we will use Preshared Key

and indicate local and remote subnets.

Our connection is created

By analogy, we make the same settings on the second Sophos XG, with the exception of the operating mode, there we put Initiate the connection

We now have two tunnels configured. Next, we need to activate and run them. This is done very simply, you need to click on the red circle under the word Active to activate and on the red circle under Connection to start the connection.
If we see a picture like this:

This means that our tunnel is working correctly. If the second indicator is red or amber, then something was incorrectly configured in the encryption policies or local and remote subnets. Let me remind you that the settings must be mirrored.

Separately, I want to highlight that you can create Failover groups from IPSec tunnels for fault tolerance:

Remote Access SSL VPN

Let’s move on to Remote Access SSL VPN for Users. Standard OpenVPN is running under the hood. This allows users to connect through any client that supports .ovpn configuration files (such as the standard connection client).

First, you need to configure the OpenVPN server policies:

Specify transport for connection, configure port, range of ip addresses for connecting remote users

Also, you can specify the encryption settings.

After configuring the server, let’s start configuring client connections.

Each SSL VPN connection rule is created for a group or for an individual user. Each user can have only one connection policy. According to the settings, from an interesting point, for each such rule, you can specify how individual users, who will use this setting or a group from AD, you can enable a checkbox so that all traffic is wrapped in a VPN tunnel or specify the ip addresses, subnets or FQDNs available for users … Based on these policies, an .ovpn profile with settings for the client will be automatically created.

Using the user portal, the user can download both the .ovpn file with the settings for the VPN client and the VPN client installation file with the built-in connection settings file.


In this article, we briefly went over the VPN functionality in the Sophos XG Firewall product. We looked at how you can configure IPSec VPN and SSL VPN. This is not a complete list of what this solution can do. In the next articles I will try to review RED VPN and show how it looks in the solution itself.

Thank you for your time.

If you have any questions about the commercial version of XG Firewall, you can contact us – the company Group factor, Sophos distributor. It is enough to write in free form to

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *