This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec interface on additional addresses

Is there still limitation in ASL3.2 that i can't add ipsec interfaces on additional ip addresses of NIC. Like 'interface ipsec4/eth1:1

If this is still impossible i'd like to know why. Is it limitation in ipsec, tcp/ip, linux implementation of tcp/ip, in implementation of ipsec (freeswan) or in astaro itself.

Is this going to ever work. I can't install more physical cards into my firewall because all slots are in use.

This thread was automatically locked due to age.

Parents

Louis-M over 9 years ago

Look how old this thread is......

14 years later, I'm asking the same question. I have a block of 16 IPv4's and was wondering how to select one of those instead of the primary WAN address.

I can't see where to select it for IPsec.
Cancel
Vote Up 0 Vote Down

Cancel
sachingurung over 9 years ago in reply to Louis-M

Hi Louis,

The feature is not supported in UTM, cast your votes here http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1690801-vpn-use-additional-ip-s-for-tunnels#comments.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
NathanRamsden-Lock over 8 years ago in reply to sachingurung

No one from SOPHOS has read that site or implemented an ideas on there in years. That one is 6 years old.
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 8 years ago in reply to NathanRamsden-Lock

I still don't understand why one would want to do this - what the benefit is.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
NathanRamsden-Lock over 8 years ago in reply to BAlfson

BAlfson said:

I still don't understand why one would want to do this - what the benefit is.

Cheers - Bob

Portability & clearer reporting.

if you have a lot of VPN's with large corporations, it takes a long time to get them to update their end. If it was on a separate IP the we could for example migrate other services over to say a new XG box without having to move all our services at once.
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 8 years ago in reply to NathanRamsden-Lock

Not trying to be combative, just trying to understand...

Portability: Can't you resolve that by configuring remote sites as "Respond only," the central site Remote Gateways as "Initiate connection" and making the change of device/IP in the central site? Just disable the IPsec Connection in the UTM and enable it in the XG.

Clearer reporting - how would an additional IP help there?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
NathanRamsden-Lock over 8 years ago in reply to BAlfson

BAlfson said:

Not trying to be combative, just trying to understand...

Understood, Bob you are the most helpful person on the forums and very much appreciated!

BAlfson said:

Portability: Can't you resolve that by configuring remote sites as "Respond only," the central site Remote Gateways as "Initiate connection" and making the change of device/IP in the central site? Just disable the IPsec Connection in the UTM and enable it in the XG.

Sorry, that reply went straight over my head if I am honest! These remote sites are not in my control, they are other different companies that we exchange data with.

BAlfson said:

Clearer reporting - how would an additional IP help there?

Reporting on that activity of that IP address would not be mixed up with all the other web surfing traffic & email.

Thanks for all your help.
Cancel
Vote Up 0 Vote Down

Cancel
BAlfson over 8 years ago in reply to NathanRamsden-Lock

Thanks, Nathan!

"These remote sites are not in my control, they are other different companies that we exchange data with."

Understood. As each of them changed their IPsec endpoint to accept "calls" ("Respond only") instead of also making them ("Initiate connection"), you could move your endpoint from the current UTM as I described with only a momentary loss of connection.

Traffic is tracked by IP, Service and Application. I don't see how having a separate IP for IPsec only could provide more granular information.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

BAlfson over 8 years ago in reply to NathanRamsden-Lock

Thanks, Nathan!

"These remote sites are not in my control, they are other different companies that we exchange data with."

Understood. As each of them changed their IPsec endpoint to accept "calls" ("Respond only") instead of also making them ("Initiate connection"), you could move your endpoint from the current UTM as I described with only a momentary loss of connection.

Traffic is tracked by IP, Service and Application. I don't see how having a separate IP for IPsec only could provide more granular information.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data