This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Comcast Metro E Fiber connection using additional IP addresses and Multiple IPSEC point to point connections

Two Sophos SG 230 in Active Passive HA.

Switching from Comcast cable modem to Comcast fiber connection.  Comcast only provides one Ethernet port on their Siena device for the new fiber connection.

Sophos support suggested installing an unmanaged switch between the Sienna and the two WAN ports on the SG 230s to provide two ports.  (Now I have a $40 switch carrying all the services for a $75M company)

Comcast requires Setting the WAN port to the xxx.xxx.xxx.6 and the gateway to x.5 and then L3 routing the public IP LAN block /29 network with 5 useable public IPs through this IP assignment.

Support said just add the public IPs as additional IPs on the WAN interface.  This got my Internet access and webserver access working on one of the IP addresses.

I intend on using the other 4 addresses as follows, one for the users remote access, one for the Exchange services and one for each IPSEC tunnel.  However I am unable to setup IPSEC point to point tunnels as I cannot attach to the alternate IP addresses only the interface itself.

How do I fix this?

I currently have only one IPSEC tunnel (will soon have a second one) and it is on the external WAN connection as I could not use the additional IP addresses on that one either.



This thread was automatically locked due to age.
  • Hey Chuck,

    I think I'd mount a backup switch next to that $40 one! ;-)

    I'm not sure what you hope to gain by using Additional Addresses for the IPsec tunnels.  To my way of thinking, that just adds unnecessary complexity...

    For the IPsec tunnels, use the desired IP in the other side so that it "calls" the IP you want to use.  Pair that with a "Respond only" Remote Gateway in your UTM and you're good to go.

    If, instead, you want to use an "Initiate connection" Remote Gateway in your UTM, make a NAT rule like 'SNAT : Any -> IPsec -> {other side} : from {desired IP}'.  I expect this will also require configuration on the other side to account for the fact that the desired IP is not the default IP of your interface.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I am forced to use the additional addresses as I could see no way to route in Sophos the way Comcast says to.

    Sophos support said to use the additional addresses and it works somehow but I cannot use the IPSEC now.  I do not have a public IP directly on an interface.

    I have a couple of web servers, Exchange services, User VPN and a single IPSEC currently with a second one needed soon.  I have 6 available public IP addresses.

    The WAN block below is on the Sophos external interface and lights up the fiber connection.  I have one additional IP address assigned on the same WAN interface which I pointed to one of our webservers and it is working fine.  I am stuck now and support has not responded back on how to solve this either.

    Switch Specifications & IP Requirements

     

    Customer Layer 3 IP Information

    (WAN Block)

    Customer Usable IP Information

    (LAN Block)

    Link IP Address:

    xxx.xxx.228.4/30

    Usable IP Block:

    xxx.xxx.168.120/29

    Gateway:

    xxx.xxx.229.5

    Usable IP Ranges:

    xxx.xxx.168.122- 126

    Layer 3 IP:

    xxx.xxx.230.6

    Usable Subnet Mask:

    255.255.255.248

    Layer 3 Subnet Mask:

    255.255.255.252

    Usable IPv6 Block:

    Click here to enter text.

    IPv6 Dual Stack:

    Click here to enter text.

     

     

  • I suspect that the situation is more complex than I can "see" here.  You have a PM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • If my suggestion above didn't work, I suspect you will need to hire your Sophos reseller to configure this for you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

     

    I have been working with Sophos support and they do not have a solution using UTM.

    I have to change to SG software to enable use of the addtitional IPs on an IPSEC tunnel.

    Not sure why Sophos can't fix this in UTM when it works in the SG.

  • Ahhhh - a challenge I can't resist - if you've checked my profile, you already know I spent two decades as a serious competitive fencer...

    If I can't do it in 3 hours of configuration and study of the situation, there would be no charge. ;-)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I have attempted to work with XG on my second firewall.  With Sophos support help and a lot of flailing on my part,  I was able to get the Comcast Metro E to connect with the public IPs.  The only thing I see XG offering that I need is IKEv2 for the IPsec point to point tunnel.  XG does not have DKIM support which I require.  Active Directory integration with STAS is kludgy, could not get that to work as I expected.  No on / off switches like UTM.  Logs suck. I expected XG would be a lot more complete - very disappointing.  

    If you can get an IPsec tunnel to use an additional IP on UTM all I would need would be IKEv2 support which supposedly is happening soon.

    I am on version 9.602-3 which does not show IKEv2 anywhere in the IPsec setup.

    I plan on keeping my current internet connection and IPs from Comcast cable as my backup/load balance with the new Metro E IPs.

    The existing IPsec tunnel to GM will stay on the cable IP which I will move to interface 2 on both UTM SG230s.

    I will put the Metro E connection on interface 1 WAN port via the dumb switch.  The additional IPs on this interface will be the 5 public IPs.

    I need the Internet to see the public IPs and not the Comcast point to point IP that the 5 public IPs are routed through.

    One of these 5 public IPs will be the IPsec IKEv2 tunnel to Ford