Remote access VPN IPsec - Gateway/Address in SCX/Provisioning file

Hi Jeff Yankowski Thank you for reaching out to the Sophos community team. Based on shared details it seems you are looking for a quite similar option with Remote access IPsec VPN which is available with Remote access SSL VPN with the setting called "Override hostname".

Unfortunately on the GUI as of now no such settings or options are there to define the hostname to push it in an automated way in the config file of Remote access IPSec VPN. Yes, manual options are there for which you are already aware of how to use it by editing SCX or Provisioning file.

You can submit your Feature Request using the in-product feedback in the Sophos Firewall located in the Top Menu Bar.



You can also log a support case to raise a feature request which you can track it later with your account manager/local sales presentative or TAM.

Thanks Vishal. It's a shame that this feature isn't available, it seems like something that would an easy change.

Two follow up questions:

1. As far as the provisioning file goes (since you mentioned it), is there anything I can do in the provisioning file to override this? I'm assuming not since it sounds like it effectively just downloads the SCX file from the firewall?

2. Is there any config I could edit at the console level to change the SCX file present on the firewall? I understand that any changes to the IPSEC VPN configuration would likely overwrite any manual changes made, however we don't change this often and I'd be OK with accepting that as a step needed if we made any future changes.

Hi Jeff Yankowski  1) The provisioning file is not downloadable from XG, One needs to manually create it based on the defined template by giving a .pro extension of that file. (template details available in below help section).

Based on the .pro file settings, the client only connects to the VPN portal and automatically imports the remote access SSL VPN (.ovpn) file corresponding to the user and the remote access IPsec (.scx) file into the Sophos Connect client.

So, the "gateway" settings defined under "Provisioning file settings" only mean to be used to connect the VPN portal of XG to fetch the settings of the respective VPN config file.

Once settings are fetched for remote access SSL VPN or remote access IPsec via VPN portal, Sophos connect client going to use the defined Gateway or IP settings for this respective connection as per their defined UI settings(i.e. For remote access IPsec Interface defined on XG UI under IPsec and for remote access SSL VPN all WAN interface if there is no Override hostname manually defined under SSL VPN global settings).

Template info - https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/RemoteAccessVPN/IPsecSSL/SophosConnect/RAVPNSConProvisioningFile/index.html#templates

2) .scx file contains both general and advanced settings. Advanced settings are already manageable from the GUI itself.

However benefit of the provisioning file is that it automatically imports any configuration changes you make later. (i.e. the way the user needs to reimport the updated SCX file to get the latest changes that will not be the case here with the provisioning file).

Benefits are mentioned in the same help link shared above.

Hi Vishal. Makes sense, that's what I thought it'd do. Currently we use an SCX file and distribute it manually whenever there is an update, this is why we were hoping to switch to a provisioning file instead. However, without a way to modify the gateway value it will be a showstopper for us as the IPSEC VPN config will simply not connect without the appropriate change. I'll raise a feedback request for this.

Is the generated SCX file stored on the firewall somewhere that the CLI console has access to? I understand that this wouldn't be officially supported, but I'm curious if the generated SCX could be modified through the CLI console manually so that when the provisioning file pulls it down it contains a modified gateway. Beyond this kind of trick, I'll have to wait for Sophos to take up this request.

Hello, Jeff.
I sympathize with you, but if you allow, I'll leave my two cents as a suggestion for your case.
To reduce this need for file configuration, you can change technology. Use SSL VPN.

In the SSL VPN settings you have the "hostname override". In this option you replace any addressing in the file.
Disadvantage that you can only enter one IP address or DNS.
If there is not more than one link, you can use it this way.

If there are two links, it is better to use the provisioning file.

If I'm not mistaken, when you use the provisioning file for SSL VPN, it overrides the SSL VPN configuration file values to which it was set in the provisioning gateway key.

Hello, Jeff.
I sympathize with you, but if you allow, I'll leave my two cents as a suggestion for your case.
To reduce this need for file configuration, you can change technology. Use SSL VPN.

In the SSL VPN settings you have the "hostname override". In this option you replace any addressing in the file.
Disadvantage that you can only enter one IP address or DNS.
If there is not more than one link, you can use it this way.

If there are two links, it is better to use the provisioning file.

If I'm not mistaken, when you use the provisioning file for SSL VPN, it overrides the SSL VPN configuration file values to which it was set in the provisioning gateway key.

Hi Hugo. I appreciate your input. This was another thought that I had. Initially we had introduced the IPSEC VPN because some users were experiencing slowness and disconnect issues with the SSL VPN (might be because it was configured as tcp instead of udp) and the IPSEC VPN seemed to perform better for them. As a result now we have some users on SSL and some on IPSEC.

We are in the process of also implementing MFA on the VPN, which has raised the need for us to change the rekey time for the IPSEC VPN as it is only around 4 hours by default. Since this will require a redeployment anyway, maybe I will use that as an opportunity to remove IPSEC and change SSL VPN to UDP via a provisioning file. Always a risky gambit if things don't go well as it could inconvenience users, but it's a risk I may have to take.