[SG330 v9.315.12] - Outgoing S2S-IPSEC with additional address

Hi,

I want to use outgoing S2S-IPSEC on an additional address on my external interface beside existing outgoing S2S-IPSECs on the external address of the external interface. Using a separate IP as VPN ID doesn't work. What can I do to get this working? Or can I only use one way (ext. address or add. address) for outgoing S2S-IPSEC?
--
Kind regards, Steffen

(Hoping to understand the new board)



  • Hi, Steffen, it's good to see you here!

    The SNAT is needed on side #1 to send from a different IP. On side #2, you have to use the primary interface address of side #1 as the VPN ID.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    let me see if I'm right:

    side #1 - my side, real external address = .14, additional address = .16
    side #2 - target side

    Here I've set a SNAT like above: from real external address to gateway IP change source to add. address.

    The problem is I told the side #2 admin I'll come from the additional address. I think it's possible to switch to VPN from real ext. address, but I would like to use a several "channel".

    Do I need a second rule for traffic to target? UTM says local net to target net and client established in quick mode. No automatic firewall rules. I set a firewall rule for my client for any traffic to both (net, client) but nothing shown in live log...
    --
    Kind regards, Steffen
  • Solution: the target network should not bind to an interface. It's true, it's behind external interface, but not connected to them. Only via tunnel... So I can see my packets using my firewall rule client -> any -> target net.
    --
    Cheers, Steffen