
Is there a way to set up an IPsec tunnel between two XG firewalls if they are behind another router?

Hey guys, I have a client that has 3 separate locations with modem/routers that they have told me cannot be removed (weird). So I have the XGs behind the routers. Is there a way to set up a site-to-site VPN tunnel going through another router?

  • I am thinking I have to set up the main router (the one that cannot be removed) into bridge mode. Any thoughts?

  • The easiest solution is to use SSL VPN Site-to-Sites instead of IPsec, Christopher.

    I haven't done this with XGs yet, but, based on what I know in XG and my experience with doing this in the UTM, the following should work.  If you try it, please come back with any issues or tell us I got lucky on my first try. ;-)

    You're right that IPsec VPNs need extra configuration when behind a NATting router.  The problem is that the encrypted packets are "signed" with the IP of the external interface and that the receiving VPN endpoint compares the signature to the source IP in the packet it receives.  If the XG has an IP of 172.16.17.2 and the edge router has 77.88.99.1, the receiving XG will reject the first encrypted packet.  To get the right IDs on the packets, you need to use RSA keys (preferred) or PSKs.  You then can select, for our example, 77.88.99.1 as the ID of type "IP Address."  Unless you make the example XG "Respond only," you will also need the public IP of the other side as the remote IP.  Obviously both sides cannot be "Respond only" gateways.

    Cheers - Bob
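    The identity override Bob describes, written out as an added example in strongSwan's swanctl.conf syntax rather than the XG GUI (this is not the original poster's or Sophos's configuration): the firewall's own WAN address is the private 172.16.17.2, but the IKE local ID is set to the edge router's public 77.88.99.1 so the peer's ID check matches the source address it actually sees. The remote public IP 203.0.113.10 and the two LAN subnets are constructed placeholders.

    ```conf
    connections {
      site-b {
        local_addrs  = 172.16.17.2      # private WAN IP of this XG-style box behind the router
        remote_addrs = 203.0.113.10     # public IP of the other site's non-removable router (placeholder)
        version = 2
        encap = yes                      # force UDP/4500 NAT-T encapsulation through the router
        local {
          auth = psk
          id = 77.88.99.1               # ID of type "IP Address": our router's public IP, not 172.16.17.2
        }
        remote {
          auth = psk
          id = 203.0.113.10             # expected ID of the peer, again its public (post-NAT) address
        }
        children {
          lan-to-lan {
            local_ts  = 10.1.0.0/24     # constructed LAN behind this site
            remote_ts = 10.2.0.0/24     # constructed LAN behind the other site
            start_action = start        # this side initiates; the other side may be respond-only
          }
        }
      }
    }

    secrets {
      ike-site-b {
        id-1 = 77.88.99.1
        id-2 = 203.0.113.10
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
      }
    }
    ```

    On the other site the two `id` values and the address pair are mirrored, and both routers must forward UDP 500 and 4500 to their respective firewall; exactly one side should use `start_action = start`, matching Bob's point that both gateways cannot be "Respond only".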