IPSEC VPN - Bridged WAN

Ahoy!

I have a customer who has an XG230. Port 6 (Eth) and Port 7 (Fibre) are bridged. The fibre from the 'leased line' modem is connected to port 7. Another company in their building is connected to port 6. This allows both companies to share the same internet connection, both with their own public IP configurations.

This has worked fine for years...

However, my client is now implementing SAP hosted in AWS, and there is a requirement for an IPsec site-to-site VPN with AWS. I have been following this guide: Sophos XG Firewall v18 to AWS VPN Gateway IPSEC Connection - Recommended Reads - Sophos (XG) Firewall - Sophos Community

My problem is that when I go to select the local interface to listen on (WAN), there are no options to choose from, no interfaces available!

I read somewhere that apparently this is just a Sophos XG limitation and I can't use a bridged interface for an IPsec site-to-site VPN?! Is this correct?

If so, I was wondering about a possible workaround...

Can somebody let me know if the following would work?

Can I remove the IPv4 configuration from my bridge (effectively turning my bridge into an unmanaged switch), add another port into the bridge (say eth port 5?), then set up eth port 4 as my WAN and patch port 4 into port 5? (Loopback.)

In theory this should allow ports 5, 6 and 7 (2 x eth, 1 x fibre) to be an unmanaged switch with no IP configuration (the same as if I had a separate network switch). Port 4 would be my main WAN and would simply plug into this 'virtual switch'?

I am trying to avoid having to buy a £200+ switch with SFP port.

Cheers!



  • I forgot to mention, the reason I am asking (and not just testing myself) is that this client is 3 hours away by car, so if something goes wrong I would have to drive out there.

  • For your first question: it's not possible to use a bridge interface as an IPsec gateway.

    You could remove your WAN interface from the bridge and set its IP configuration on a dedicated physical interface. Also, a bridge interface must have an IP address, and this IP address should be the default gateway for the connected networks; you cannot create a bridge interface without an IP. The routing option on the bridge interface should be enabled, and you cannot do this from the same WAN connection. As soon as you remove the WAN interface from the bridge, your connectivity will be lost and you will not have access to the device. My suggestion is to access the device locally or use some sort of other WAN connection to manage this change. Also, I do not completely understand why you need a bridge interface in the first place. You can connect each network to one interface of the firewall and route their WAN traffic through the firewall.

  • Hey

    Thanks for replying. I sub-contracted a local IT guy to go to site, then remotely controlled his laptop via a 4G/cellular connection while he was patched in. In the end, the customer that shared this internet connection had apparently left months ago, so no sharing was required. I simply deleted the bridge and returned to having a single-interface WAN. IPsec is now set up and working.

    The reason I suggested removing the IP configuration from the bridge is that there was a tick box to disable IPv4. What is that for, then?

    The reason it was set up as a bridge in the first place is that we had only 1 port available on the leased line modem but needed to connect 2 separate firewalls. Ultimately what we really needed was a spare switch, but we didn't have one available, so we improvised.

    By bridging fibre port 7 and eth port 6, we effectively enabled the 2nd company/firewall to bypass the XG and get internet from the leased line modem with their own public IP configuration. They did not have to use the XG as their default gateway.
