Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 28 subscribers
  • Views 8346 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC VPN both locations behind ISP Router

Mark Darvell

Hi All,

In a few days i will be deploying a IPSEC between two sites, both sites will have Sophos XG Firewalls but they both sit behind a router managed by the ISP.
From what i can see online i would need to port forward ports 500 and 4500 UDP from the ISP Router to the IP of the XG (WAN SIDE) so from what i can see it would look like the following

 

Head Office 

     WAN IP               ISP Router Internal         Sophos IP Get's from ISP Router           Sophos Internal LAN Connected to LAN Port 
203.xxx.xxx.xxx - ISP Router 192.168.0.1- Sophos XG WAN SIDE 192.168.0.10 | Sophos XG LAN SIDE 172.16.16.254 
Ask ISP to forward port 500 and 4500 UDP to 192.168.0.10 

 

 

Branch Office  

     WAN IP               ISP Router Internal         Sophos IP Get's from ISP Router           Sophos Internal LAN Connected to LAN Port 
203.xxx.xxx.xxx - ISP Router 192.168.1.1- Sophos XG WAN SIDE 192.168.1.10 | Sophos XG LAN SIDE 172.17.16.254 
Ask ISP to forward port 500 and 4500 UDP to 192.168.1.10 

 

 

And yes i know it would be ideal to run the XG as an edge device but not possible right now.



This thread was automatically locked due to age.
  • 0

    I've recently had to do this at one of my remote sites. The "quick and dirty" solution for me was:

    1. Assign the XG a static IP behind the ISP router (eg 192.168.1.1)
    2. Assign that IP as the DMZ destination for the ISP router (thereby forwarding all ports)
    3. When setting up the IPSEC VPN on the head office side, I specified the ISP WAN IP as the destination and the XG's DMZ IP (192.168.1.1) as the "Remote Identifier" (or whatever it's called)
    4. VPN worked successfully

    In your case both the head office IPSEC config AND the remote IPSEC config will require "Remote Identifier" to be specified

  • 0 in reply to Benjamin Chennells-Webb

    I too have setup a similar network with the WAN as a private IP using the modems DMZ feature as suggested by Benjamin, but with a  SSL site-to-site using the ddns host names.  I prefer SSL vpn over ipsec cause they are so easy to setup.  Either or works.

    :)

    AT