Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 1 reply
  • Subscribers 1 subscriber
  • Views 799 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC S2S VPN behind external firewall

BobG
Currently running our 30+ IP-SEC VPN’s to 3rd party vendor networks using a Symantec 5420 Gateway Security appliance running v3.0.1 code which has not been supported for seven years now.  

Have an exist Astaro/Sophos software UTM running on a Symantec 5460 box used connect to partner via MPLS fiber connection.  Just updated the Astaro ASG v8.3 (Symantec5460 box) to Sophos UTM v9.1.  Want to migrate all VPN tunnels to Sophos v9.1.  

On Sophos UTM, created the first new VPN to a new vendor running a Cisco ASA 55xx box.  He can initiate a VPN connection by pinging my host however we can bring up the tunnel on our side when we ping his host.  

Could not initiate a IP-SEC tunnel with to their remote peer.  Phase 1 was failing because the Sophos UTM is behind our external Internet firewall.


Traffic flow to remote site 
------------------------------------
MyHosts -->  [192.168.1.12_SophosUTM_10.2.3.12]  -->  DMZ-10.2.3.0 -->  [10.2.3.1_EcessaFW_64.1.2.2]  -->  Internet  --> [12.15.15.10_3rdPartyASA] --> 3rdPartyHosts.

Initiate connection to 3rd Party
---------------------------------------
VPN LocalPeers:     64.1.2.2
VPN RemotePeer:   12.15.15.10 
VPN LeftID:           10.2.3.12  


This thread was automatically locked due to age.
Parents
  • 0
    Hi, Bob, and a belated welcome to the User BB!

    Outside of the developers participating in the beta forums, no Sophos/Astaro employee is paid to monitor or post here.

    Since the hospital has a paid subscription, you should have your reseller open a ticket with Sophos Support to make the change(s) at the command line needed to get leftid="64.1.2.2" placed into your IPsec.conf-default.  Member Coewar posted the solution here two years ago: https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/54446

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Hi, Bob, and a belated welcome to the User BB!

    Outside of the developers participating in the beta forums, no Sophos/Astaro employee is paid to monitor or post here.

    Since the hospital has a paid subscription, you should have your reseller open a ticket with Sophos Support to make the change(s) at the command line needed to get leftid="64.1.2.2" placed into your IPsec.conf-default.  Member Coewar posted the solution here two years ago: https://community.sophos.com/products/unified-threat-management/astaroorg/f/58/t/54446

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML