This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is an IPSec Host to Host VPN Possible with Virtual IP Gateway Address

Hi

I have a Sophos UTM 9 which I need to setup a Site to site VPN with another site and they want to use private addressing to establish the tunnel.
I've run out of interfaces on the UTM, and I created an additional address on the eth1 using the gateway address they want to use (10.250.50.A).

Is it possible to setup Site to site using an additional address on eth1? After setting up the tunnel the SA and the VPN ID both show the primary Public address of eth1 (4.2.2.50) and not the additional address I had setup for this (10.250.50.A).

SA: 192.168.2.X/32=4.2.2.50 10.250.50.B=172.1.1.37/32
VPN ID: 4.2.2.50

Thanks for any advice!

This thread was automatically locked due to age.

Parents

0 apijnappels over 10 years ago

If i'm correctly interpreting your post what you have to do is to make sure that the IP-address you send out to the other party is not your own internal subnet but they want your traffic to always come from 10.250.50.42.

You can achieve this by setting 10.250.50.42/32 as your local subnet (only allowing this 1 IP-address).
You would also need to create the following SNAT rule:

Internal (network) -> any -> External subnet where your source has to be NATTED to 10.250.50.42

You cannot hide your real external IP, because this is simply one end of the tunnel, but you can hide your own internal IP-range and use the provided addres for this using SNAT.
I have a similar connection in place for connecting to one of our customers.

Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Cancel
Vote Up 0 Vote Down

Cancel
0 JeetJ over 9 years ago in reply to apijnappels

Hello Guys ,

Was just wondering in the User BB searching a hint to my problem and ran into this post , which looks a bit similar to my problem.
In-charges/admins to kindly attach this post to a relevant one if not relevant here.

So... here the scenario.

We have our office with Sophos SG125 and we have a couple of testing machines from the vendor owned by us in our network.
Vendor has a support center wherein via VPN they provide support,maintenance and upgrades for these testing machine.

Following are the VPN requirements :

Vendor wants to connect to machines at our premises via VPN , but via a NATTING , so that our internal LAN range is not revealed to them, they provide this to every customer.

My LAN Network : 192.168.50.0/24
NW given by Vendor for NATTING: 10.28.4.200/29
I have to use to IPs from above network for my 2 machines.

192.168.50.a to be NATTED to 10.28.4.202 (for eg)
192.168.50.b to be NATTED to 10.28.4.203 (for eg)

Configurations :
Hence I have done the following :

As above I have created an SNAT and a DNAT for my each machine.

DNAT :

Traffic From : Vendor Gateway
Using service : Certain Ports
Going to : 10.28.4.202 (as above)
Change Destination to : 192.168.50.a

SNAT :

Traffic From : 192.168.50.a
Using Service : Certain Ports
Going to : Vendor Gateway
Change Source to : 10.28.4.202

Similarly for other machine.

IPSEC VPN Config :

Remote Gateway :

Gateway : Vendor Gateway
Remote Networks : Vendor Network

IPSec Connection :

Remote Gateway : As above
Local Interface : My_WAN

Local Networks : 10.28.4.200/29

Good part :
Tunnel is working fine , connection established

Bad part :

Traffic can go outside but cannot come in.
The vendor is not able to access network (10.28.4.200/29).

Any insight on the above ???????????

[:S]

Regards,

Jeet J

Network Administrator

Sophos UTM SG 450,Sophos UTM SG 125 x 6, Sophos SEC,Sophos AP
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 JeetJ over 9 years ago in reply to apijnappels

Hello Guys ,

Was just wondering in the User BB searching a hint to my problem and ran into this post , which looks a bit similar to my problem.
In-charges/admins to kindly attach this post to a relevant one if not relevant here.

So... here the scenario.

We have our office with Sophos SG125 and we have a couple of testing machines from the vendor owned by us in our network.
Vendor has a support center wherein via VPN they provide support,maintenance and upgrades for these testing machine.

Following are the VPN requirements :

Vendor wants to connect to machines at our premises via VPN , but via a NATTING , so that our internal LAN range is not revealed to them, they provide this to every customer.

My LAN Network : 192.168.50.0/24
NW given by Vendor for NATTING: 10.28.4.200/29
I have to use to IPs from above network for my 2 machines.

192.168.50.a to be NATTED to 10.28.4.202 (for eg)
192.168.50.b to be NATTED to 10.28.4.203 (for eg)

Configurations :
Hence I have done the following :

As above I have created an SNAT and a DNAT for my each machine.

DNAT :

Traffic From : Vendor Gateway
Using service : Certain Ports
Going to : 10.28.4.202 (as above)
Change Destination to : 192.168.50.a

SNAT :

Traffic From : 192.168.50.a
Using Service : Certain Ports
Going to : Vendor Gateway
Change Source to : 10.28.4.202

Similarly for other machine.

IPSEC VPN Config :

Remote Gateway :

Gateway : Vendor Gateway
Remote Networks : Vendor Network

IPSec Connection :

Remote Gateway : As above
Local Interface : My_WAN

Local Networks : 10.28.4.200/29

Good part :
Tunnel is working fine , connection established

Bad part :

Traffic can go outside but cannot come in.
The vendor is not able to access network (10.28.4.200/29).

Any insight on the above ???????????

[:S]

Regards,

Jeet J

Network Administrator

Sophos UTM SG 450,Sophos UTM SG 125 x 6, Sophos SEC,Sophos AP
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data