IPsec interface on additional addresses

Is there still a limitation in ASL 3.2 that I can't add IPsec interfaces on additional IP addresses of a NIC, like 'interface ipsec4/eth1:1'?

If this is still impossible I'd like to know why. Is it a limitation in IPsec, in TCP/IP, in the Linux implementation of TCP/IP, in the implementation of IPsec (FreeS/WAN), or in Astaro itself?

Is this ever going to work? I can't install more physical cards into my firewall because all slots are in use.

  • Look how old this thread is...

    14 years later, I'm asking the same question. I have a block of 16 IPv4 addresses and was wondering how to select one of those instead of the primary WAN address.

    I can't see where to select it for IPsec.

  • Sachin Gurung
    Team Lead | Sophos Technical Support

  • No one from SOPHOS has read that site or implemented any ideas from there in years.  That one is 6 years old.

  • I still don't understand why one would want to do this - what the benefit is.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    I still don't understand why one would want to do this - what the benefit is.

    Cheers - Bob

    Portability & clearer reporting.
    If you have a lot of VPNs with large corporations, it takes a long time to get them to update their end. If it were on a separate IP, we could for example migrate other services over to, say, a new XG box without having to move all our services at once.
  • Not trying to be combative, just trying to understand...

    Portability: Can't you resolve that by configuring remote sites as "Respond only," the central site Remote Gateways as "Initiate connection" and making the change of device/IP in the central site?  Just disable the IPsec Connection in the UTM and enable it in the XG.

    Clearer reporting - how would an additional IP help there?

    Cheers - Bob

  • BAlfson said:

    Not trying to be combative, just trying to understand...

    Understood, Bob, you are the most helpful person on the forums and very much appreciated!

    BAlfson said:

    Portability: Can't you resolve that by configuring remote sites as "Respond only," the central site Remote Gateways as "Initiate connection" and making the change of device/IP in the central site?  Just disable the IPsec Connection in the UTM and enable it in the XG.

    Sorry, that reply went straight over my head if I am honest! These remote sites are not in my control; they are other, different companies that we exchange data with.

    BAlfson said:

    Clearer reporting - how would an additional IP help there?

    Reporting on the activity of that IP address would not be mixed up with all the other web surfing traffic & email.

    Thanks for all your help.

  • Thanks, Nathan!

    "These remote sites are not in my control, they are other different companies that we exchange data with."

    Understood.  As each of them changed their IPsec endpoint to accept "calls" ("Respond only") instead of also making them ("Initiate connection"), you could move your endpoint from the current UTM as I described with only a momentary loss of connection.

    Traffic is tracked by IP, Service and Application.  I don't see how having a separate IP for IPsec only could provide more granular information.

    Cheers - Bob

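The original question asks where the limitation lives: in IPsec, in Linux, in the IPsec daemon, or in the Astaro/UTM product. The following is an added example, not from the thread and not Sophos UTM or FreeS/WAN configuration. It uses strongSwan's swanctl.conf syntax (strongSwan is the current descendant of the FreeS/WAN line) to show that, at the daemon level, an IKE/ESP endpoint can be pinned to a secondary address on an interface, and how a "Respond only" partner that authenticates by IKE identity rather than by peer address lets the hub move its endpoint without the partner changing anything. All addresses, identities, network ranges and the pre-shared key are constructed for the example; whether the UTM WebAdmin exposes such a setting is exactly what the thread leaves open.

```conf
# ---------------------------------------------------------------------------
# Hub side: /etc/swanctl/swanctl.conf   (constructed example, strongSwan)
#
# eth1 carries the hub's /28 block. 203.0.113.17 is its primary address;
# 203.0.113.21 was added as a secondary address beforehand with
#     ip addr add 203.0.113.21/28 dev eth1
# local_addrs makes the daemon bind IKE (UDP/500, UDP/4500) and source the
# outer ESP packets from that secondary address instead of the primary one.
# ---------------------------------------------------------------------------
connections {
    partner-acme {
        version      = 2                  # IKEv2: peer identified by ID, not address
        local_addrs  = 203.0.113.21       # secondary address on eth1 (assumption)
        remote_addrs = 198.51.100.5       # partner's gateway (assumption)
        local {
            auth = psk
            id   = vpn-acme.hub.example
        }
        remote {
            auth = psk
            id   = gw.acme.example
        }
        children {
            acme-net {
                local_ts     = 10.10.0.0/24
                remote_ts    = 172.16.40.0/24
                start_action = start      # hub initiates ("Initiate connection")
            }
        }
    }
}

secrets {
    ike-acme {
        id-1   = vpn-acme.hub.example
        id-2   = gw.acme.example
        secret = "constructed-example-psk-change-me"
    }
}

# ---------------------------------------------------------------------------
# Partner side: /etc/swanctl/swanctl.conf   (constructed example)
#
# "Respond only" in the thread's terms: never initiates, accepts IKE from any
# source address and relies on the IKE identity plus the PSK. Because the hub's
# address is not written here, the hub can move its endpoint to another
# address or box and only the in-flight tunnel is lost. A partner that instead
# lists the hub's address in remote_addrs would have to change that line.
# ---------------------------------------------------------------------------
connections {
    hub {
        version      = 2
        local_addrs  = 198.51.100.5
        remote_addrs = %any               # accept the hub from any address
        local {
            auth = psk
            id   = gw.acme.example
        }
        remote {
            auth = psk
            id   = vpn-acme.hub.example   # identity check replaces the address pin
        }
        children {
            hub-net {
                local_ts     = 172.16.40.0/24
                remote_ts    = 10.10.0.0/24
                start_action = none       # wait for the hub to initiate
            }
        }
    }
}

secrets {
    ike-hub {
        id-1   = gw.acme.example
        id-2   = vpn-acme.hub.example
        secret = "constructed-example-psk-change-me"
    }
}
```

After `swanctl --load-all` on the hub, `swanctl --list-sas` should show the IKE_SA with 203.0.113.21 as the local address, and `tcpdump -ni eth1 'udp port 500 or udp port 4500 or esp'` on the hub should show only the secondary address as the outer source. That is also the basis of the reporting point raised in the thread: with the tunnel on its own address, the partner's traffic is separable from ordinary web and mail traffic by address alone. Two caveats a practitioner would check: the partner's `%any` responder must authenticate strictly by identity (IKEv2 here; IKEv1 main mode with PSK cannot select the key before knowing the address), and the partner's firewall in front of its gateway must also allow the hub's new address, or the move is not seamless regardless of the IPsec configuration.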