Sophos XG 86 Firewall

Configure VPN on a Sophos XG 86 firewall

1. Retrieve the following network settings from your Sophos firewall's web interface: - WAN IP Address (or host name) - LAN Network
2. Under "Configure", select "Authentication" and go to the "Groups" tab. Here you can set up a new VPN user group: - For "Surfing Quota" choose "Unlimited Internet Access" - Under "Access time" determine when your group has access to the connection - For "Traffic Shaping", select "None"

3. Go to the "Users" tab and add a new user profile: - Create a username and password (you will need these in the next step!) - Under "Type", select "User" and choose a group.

4. Configure your connection: Go to "Configure", select "Remote Access VPN" and add a new IPSec connection: - Ensure "IPV4" is selected and check the box next to "Activate on Save". - For "Connection Type, select "Remote Access" - Encryption: Under "Policy" select "Default Policy" - Select Preshared Key and enter a secure password (you will need this in the next step!) - Gateway settings: For "Local ID Type", select "DNS" and enter a Local ID (e.g. Sophos) - For "Remote ID Type", select "DNS" again and enter your Remote ID (e.g. VPN Tracker) - Select "Any" for both the local and remote subnets.
5. Configure your firewall rules: Go to "Protect" and choose "Rules and Policies": - Rule 1 VPN to LAN: For "Action" select "Accept", Source Zones = VPN and Destination Zones = LAN. Under "Identity", uncheck "Match known users". Then, under "Advanced", go to "NAT & Routing" and uncheck "Rewrite source address (Masquerading)". Save your changes. - Rule 2 (optional) LAN to VPN: For "Action" select "Accept", Source Zones = LAN and Destination Zones = VPN. Under "Identity", uncheck "Match known users". Then, under "Advanced", go to "NAT & Routing" and uncheck "Rewrite source address (Masquerading)". Save your changes.