Register Now


Lost Password

Lost your password? Please enter your email address. You will receive a link and will create a new password via email.

How To Configure And Manage Access points Over IPSEC VPN Connection

In this article we will understand how to manage branch office firewall access points through head office access firewall when both firewalls are connected through IPSEC VPN connection.

Before you follow this article make sure you have configured VPN and it is active.

Since you are not managing access point turn of wireless protection on branch office, you can disable wireless protection under wireless >> wireless settings.

Wireless settings

Please look into this below snapshot for understanding network diagram

network diagram
Network Diagram

Branch Office Configuration:

  1. Disable the wireless protection under wireless >> wireless settings
  2. Create a DHCP server in branch office firewall under network >> DHCP
BO DHCP configuration

As soon as access point gets the IP address from the Sophos firewall, access point will try to connect to sophos firewall on ““. So here in this case access point first will hit the branch office firewall, we need to forward the request to head office firewall.

This is done by configuring DHCP option code 234 (magic IP) for the interface where AP is connected to.

Connect to branch office firewall CLI, you can use following article for the same:


Then select Device Console option(4) from the list of options and execute the below the command:

system dhcp dhcp-options add optioncode 234 optionname dhcp_magic_ip optiontype ipaddress

The above command will add DHCP option code 234 in the firewall.

Now we need to apply this DHCP option code 234 to the DHCP server we created in the firewall by entering this command:

system dhcp dhcp-options binding add dhcpname <DHCP NAME> optionname dhcp_magic_ip(234) value <HO-FW-LAN-IP>

As per the above network diagram, command should be:

system dhcp dhcp-options binding add dhcpname testdhcp optionname dhcp_magic_ip(234) value

Now connect the access point to sophos XG firewall, check if it getting IP address from the branch office firewall. Once it receive the IP address from the branch office firewall, access point will try to access “” IP address and requests will be forwarded to head office firewall for connecting.

Configuring Firewall Rules:

Now we need to configure firewall rules in both firewalls to allow traffic from one firewall network to another firewall network. Please look into below screenshot, i have kept source network and destination network as “ANY” you can keep selected networks to allow them through the firewall.

Firewall rules
Firewall Rule

Head Office Firewall Configuration:

  1. Configure IPSEC route in head office firewall to reach branch office firewall. Login to sophos XG firewall CLI, select option (4) Device console and then execute the below command:

system ipsec_route add net <destination network> tunnelname <tunnel name>

Example: system ipsec_route add net tunnelname HO_to_BO

2. You can verify whether command is properly executed or not by executing this below command:

system ipsec_route show

3. Create source NAT policy in head office firewall to reach remote branch office network with head office LAN interface IP address. Execute the below command:

set advanced-firewall sys-traffic-nat add destination netmask snatip

4. Enable wireless protection on VPN zone, because access points are connected in branch office firewall which is connected through VPN.

wirless zone enable
Wireless zone

5. Add both VPN to LAN and LAN to VPN firewall rule on the firewall to allow the traffic in head office firewall.

Now you can check access points will be shown under wireless >> access points section.

Access points will be listed.

Hope this article helps you.