[SG330 v9.315.12] - Outgoing S2S-IPSEC with additional address

Hi,

I want to use outgoing S2S-IPSEC on an additional address on my external interface, beside the existing outgoing S2S-IPSECs on the external address of the external interface. Using a separate IP as VPN ID doesn't work. What can I do to get this working? Or can I only use one way (ext. address or add. address) for outgoing S2S-IPSEC?
--
Kind regards, Steffen

(Hoping to understand the new board)

  • Steffen, I'm not sure I followed your solution post. Do I understand correctly that your problem was that you had used an object bound to the External interface in the UTM Remote Gateway definition. You're saying that the object violated #3 in www.astaro.org/.../49065-rulz.html - correct?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I've 3 IFs on my 330. Int, Ext & Video. Doing it the way I always do for internal/external objects I bound the target network (end of VPN) on the external IF... Dumb way ;o)

    Now all works fine.
    --
    Greetings, Steffen
  • I think I am having a similar problem to the OP. I am migrating from TMG to UTM and want to confirm that it is not possible to use an "additional address" as the "local interface" for a VPN tunnel endpoint.

    From the discussion above, it appears that I have to either change the IP address with our vpn partner or burn a second interface and more ports on the switch for the same subnet.

    Coming from TMG and WatchGuard, they both allow me to specify the local endpoint IP address. Of course I have found many more things to like about UTM, just some of these little differences are starting to slow the implementation.

  • I was able to accomplish this by using a second physical interface with ip/32 and the gateway defined the same as the primary adapter. Under uplink balancing I set the secondary adapter with a weight of zero.

    This worked, but I did minimal testing before changing the IP address on the primary adapter. I don't know if this would cause complications with other policies.