Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 5551 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Two respond only IPSEC

aza2001
Hi,

From what I have been reading, and also some configuration attempts there seems to be no way to get a couple of "respond only" IPSEC tunnels working?

Has anyone got any idea's on how I maybe able to get these working?

Reason being said is that the end points I am trying to hit are behind a NAT that I can't get port forwarding through (long story)


any help would be appreciated [:)]

Cheers,
Aza


This thread was automatically locked due to age.
  • 0
    sorry forgot to mention this is a site to site tunnel
  • 0
    Aza, if both endpoints are behind a NATting router, this will be more difficult as you can't have both ends defined as "Respond only."  Or, is this one central site with two remote locations where the central site has a public IP and you want to connect the central sites to two remote sites?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    okay let me clarify.

    5 sites (including primary)

    primary has a couple of ipsec initiate connections working fine.

    just need to add two more where the UTMs are behind a NAT and can't do any port forwarding.

    So I need two "respond only" connections.

    but the UTM from what I can tell will only do one "respond only"
  • 0
    I don't know if having different PSKs and checking 'Enable probing of preshared keys' on the 'Advanced' tab will let you have more than one "Respond only" Remote Gateway - have you tried that?

    If that doesn't work, you likely will need to use X509 certificates instead of PSKs.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    I don't know if having different PSKs and checking 'Enable probing of preshared keys' on the 'Advanced' tab will let you have more than one "Respond only" Remote Gateway - have you tried that?  If that doesn't work, you likely will need to use X509 certificates instead of PSKs.  Cheers - Bob
      

    Nope but I should have some time tonight to test [:)]
  • 0
    okay so I changed a couple over to this setup with RSA and while it works on some, i noticed that it "may" require some ports forwarded on the initiate side...

    Another issue which has arisen is that when the public IP changes on the IPSEC with RSA, it does not always reconnect as it keeps expecting a response from the "old" IP address not the new one.

    This requires me to go in and force stop and start that particular link which then brings it back online.
  • 0
    Yes, but does this happen when all IPs are fixed?  If so, then have you defined Interface Groups?

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML