[SG330 v9.315.12] - Outgoing S2S-IPSEC with additional address

Hi,

I want to use outgoing S2S-IPSEC on an additional address on my external interface, beside the existing outgoing S2S-IPSECs on the external address of the external interface. Using a separate IP as VPN ID doesn't work. What can I do to get this working? Or can I only use one way (ext. address or add. address) for outgoing S2S-IPSEC?
--
Kind regards, Steffen

(Hoping to understand the new board)

  • Hi, yes I tried. But I couldn't see any difference. My SNAT looks like:

    Traffic selector: External (add.) => Any => Gateway IP
    Source translation: External (add. addr.)
    Auto FW rule: no
    Rule applies to IPsec: yes
    Initial packets: yes

    Log says no main mode and established connection via quick mode.

    My gateway looks like:

    GW type: Initiate connection

    GW: Gateway IP

    Auth: PSK

    VPN ID type: IP address

    VPN ID (optional): <blank>

    Remote network: internal network on VPN side

    No advanced options

    My connection is set like this:

    Remote GW: like defined above

    Local interface: External

    Policy: defined under Policies

    Loc. networks: my lan object

    No other options

  • Hi, Steffen, it's good to see you here!

    The SNAT is needed on side #1 to send from a different IP. On side #2, you have to use the primary interface address of side #1 as the VPN ID.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    let me see if I'm right:

    side #1 - my side, real external address = .14, additional address = .16
    side #2 - target side

    Here I've set a SNAT like above: from real external address to gateway IP change source to add. address.

    The problem is I told the side #2 admin that I'll come from the additional address. I think it's possible to switch to VPN from the real ext. address, but I would like to use a separate "channel".

    Do I need a second rule for traffic to target? UTM says local net to target net and client established in quick mode. No automatic firewall rules. I set a firewall rule for my client for any traffic to both (net, client) but nothing shown in live log...
    --
    Kind regards, Steffen
  • You have to bind the connection to an interface.
    I use a second interface of my UTM with the additional address linked.
    Works as wanted.
  • Solution: the target network should not be bound to an interface. It's true, it's behind the external interface, but not connected to it. Only via tunnel... So I can see my packets using my firewall rule client -> any -> target net.
    --
    Cheers, Steffen
  • I use both: additional addresses on external interface and on other interfaces. It works for other topics, and I think now for this too.
    --
    Steffen
  • Steffen, I'm not sure I followed your solution post. Do I understand correctly that your problem was that you had used an object bound to the External interface in the UTM Remote Gateway definition. You're saying that the object violated #3 in www.astaro.org/.../49065-rulz.html - correct?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I've 3 IFs on my 330: Int, Ext & Video. Doing it the way I always do for internal/external objects, I bound the target network (end of VPN) to the external IF... Dumb way ;o)

    Now all works fine.
    --
    Greetings, Steffen
  • I think I am having a similar problem to the OP. I am migrating from TMG to UTM and want to confirm that it is not possible to use an "additional address" as the "local interface" for a VPN tunnel endpoint.

    From the discussion above, it appears that I have to either change the IP address with our vpn partner or burn a second interface and more ports on the switch for the same subnet.

    Coming from TMG and WatchGuard, they both allow me to specify the local endpoint IP address. Of course I have found many more things to like about UTM, just some of these little differences are starting to slow the implementation.