Allowing IPSec Site-To-Site on Additional address

I have found this to be a common question with regard to setting up the Site to Site VPN. I am using Sophos UTM v9.705-3 and I have not found an answer as to whether or not this is possible. The scenario we have is this:

Main site (Site A) has dedicated Ethernet connection with WAN configured as: (Actual IPs not shown)

Layer 3 IP: 1.2.3.4

Layer 3 Subnet: x.x.x.x

WAN Gateway: 1.2.3.3

I have created Additional addresses which are the customer's usable LAN Block and these are tied to the WAN interface. (i.e. 2.2.2.1-2.2.2.6)

When I create the Site to Site remote gateway and use one of the IPs in the LAN usable range (i.e. 2.2.2.1) it does not connect. If I use the WAN Layer 3 IP of 1.2.3.4 it does. In a case where the remote site (Site B) needs an IP address for the main site it is connecting to I need to give them one of the customer's IPs in the LAN block to whitelist traffic. Also, Site A is initiating the connection and Site B is responding.

This scenario worked when the customer had internet service that included a router, but I am not sure how this is supposed to work with the dedicated Ethernet service they have now, which does not have a router. Any help would be appreciated!

  • Hello John,

    Thank you for contacting the Sophos Community!

    Where does the IPsec terminate when your customer had the other router? 

    The way you are setting it up, I don't think it will work; you would need the L3 IP or public IP to connect the tunnel.

    I am not sure what the other side is trying to say, but isn't it the Local Network you set in the UTM that they want to allow access to their network?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for responding. I called into support to have them look at this, and he agreed that we should be able to initiate the connection from the main site using one of the public LAN IPs in this dedicated Ethernet scenario. It would seem as though it's a private IP, but it's just a point-to-point Ethernet and we are using the Sophos UTM to route traffic. What the customer on the remote site is expecting is that they see the traffic coming from one of the assigned public IPs and they whitelist this IP. The Sophos engineer remoted into our systems to look at what we had and ran some tests with PuTTY and saw that there was no response from the remote test site, therefore no connection using one of the other assignable static IPs. He is currently looking into this and I will update this forum with the outcome.

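The test the support engineer describes above (initiate from a candidate local address, watch whether the peer ever answers) can be made repeatable by capturing IKE traffic on the WAN interface and pairing outbound packets with replies per local source address. The script below is an added example written for this thread; it is not Sophos code and not the engineer's test. The capture lines are constructed in tcpdump's text format, the peer address 9.9.9.9 is an assumption (the thread never names Site B's address), and the addresses 1.2.3.4 and 2.2.2.1 are the thread's own placeholders. Besides "no response", it also separates the case where the UTM never sources IKE from the additional address at all, which is the part the thread leaves open.

```python
"""Pair IKE packets (UDP/500, UDP/4500 for NAT-T) with their replies per local
source address, from tcpdump-style text, to see which local IP the peer answers.
Added example for this thread; not Sophos code."""
import re
from collections import defaultdict

# Constructed sample capture (not real traffic). 9.9.9.9 is an assumed peer address.
# 1.2.3.4 (WAN primary) gets an IKE_SA_INIT response; 2.2.2.1 (additional address)
# is retried three times and never answered, as in the thread.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 1.2.3.4.500 > 9.9.9.9.500: isakmp: parent_sa ikev2_init[I]
10:00:01.050000 IP 9.9.9.9.500 > 1.2.3.4.500: isakmp: parent_sa ikev2_init[R]
10:00:05.000000 IP 2.2.2.1.500 > 9.9.9.9.500: isakmp: parent_sa ikev2_init[I]
10:00:09.000000 IP 2.2.2.1.500 > 9.9.9.9.500: isakmp: parent_sa ikev2_init[I]
10:00:13.000000 IP 2.2.2.1.500 > 9.9.9.9.500: isakmp: parent_sa ikev2_init[I]
10:00:14.000000 IP 1.2.3.4.443 > 8.8.8.8.443: Flags [S], seq 1, win 64240, length 0
"""

# tcpdump -n line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
IKE_PORTS = {"500", "4500"}


def parse_ike_packets(text):
    """Yield (src, dst) for every line that is IKE on either port; ignore the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["sport"] not in IKE_PORTS and m["dport"] not in IKE_PORTS:
            continue
        yield m["src"], m["dst"]


def ike_summary(text, peer):
    """Per local address: (IKE packets sent to `peer`, IKE packets received from `peer`)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, dst in parse_ike_packets(text):
        if dst == peer:
            sent[src] += 1
        elif src == peer:
            received[dst] += 1
    return {ip: (sent[ip], received[ip]) for ip in set(sent) | set(received)}


def diagnose(text, peer, expected_local):
    """Verdict for the address the peer was told to whitelist.

    never-sourced : no IKE packet left with this source; the firewall is not using
                    the additional address for the tunnel, whatever the config says.
    no-response   : packets left from it but nothing came back; the peer drops them
                    (whitelist / routing on their side) or never sees that source.
    ok            : the peer answered this address.
    """
    sent, recv = ike_summary(text, peer).get(expected_local, (0, 0))
    if sent == 0:
        return "never-sourced"
    if recv == 0:
        return "no-response"
    return "ok"


if __name__ == "__main__":
    peer = "9.9.9.9"
    for ip, (s, r) in sorted(ike_summary(SAMPLE_CAPTURE, peer).items()):
        print(f"{ip}: sent {s}, received {r}")
    for local in ("1.2.3.4", "2.2.2.1", "2.2.2.5"):
        print(f"{local}: {diagnose(SAMPLE_CAPTURE, peer, local)}")
```

To use it against a real appliance, capture on the WAN interface with something like `tcpdump -ni <wan-iface> udp port 500 or udp port 4500` while the tunnel is told to initiate, paste the output in place of SAMPLE_CAPTURE, and set `peer` to Site B's address. A "never-sourced" result for the additional address means the question is on the UTM side (it is still sourcing IKE from the interface's primary IP); "no-response" means packets do leave from 2.2.2.1 and the remote side is the place to look.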