This discussion has been locked.

IPSEC site to site VPN use additional IP rather than external WAN IP

Why can I not select other IP addresses on the External Interface when editing the IPSEC site to site VPN? The only choice is whatever the External WAN interface is assigned to.

This is a major issue for me.

SG 230 in HA running 9.410-6



This thread was automatically locked due to age.
  • A workaround for me would be allowing a change to another IP address of the outbound SMTP that only binds to the main External Interface IP.

  • Chuck,

    Without some extra effort in the configuration, doing this would "break" IPsec as the first message after "initiating Main Mode" is signed with the sending IP. If you want to SNAT IPsec traffic from a different IP, you will need to complete the 'Preshared Key Settings' on the 'Advanced' tab, giving the new IP as the 'VPN ID'.

    I agree that the preferred solution would be to SNAT the SMTP traffic after changing "External (Address)" to the IP you want to use with IPsec. This also lets you use certificates instead of a PSK - much more secure: How to create an X509 key based Site-to-Site VPN

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA