
Site to Site VPN Tunnels

Hello,

We have several customers that host their solutions in our data center. Until now each customer had their own firewall and their own IP range. With the current configuration we used a different firewall brand for each customer. Each customer had a Site to Site VPN tunnel between their equipment in the data center and their office using an IP address from their IP range. So we have multiple customers with multiple different IP ranges.

In the new situation, we have only the Sophos UTM firewall. What we want to achieve is: create Site to Site VPN tunnels for each of our customers towards their office using the IP address from the IP range as it was before we migrated. From googling and looking online, it seems that this is not possible with Sophos UTM. Well, that’s not the answer I am looking for, and it is not an answer that can be accepted.



  • This certainly should be possible, Vasileios.  Who said that it isn't?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Please help me out. I don't understand why your customers have an IP address from their site in your data center.

    Your customers use different firewall brands, so you use IPSec tunnels, right?

    Can you please post a picture of the wanted solution? One picture says more than 1000 words ;-).

    Viele Grüße / Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

  • Hi guys,
    Thank you for your reply. Here is an image
    Everywhere on the internet it says that Sophos UTM (SG) cannot do it. I spoke with two UTM experts and they told me that what I want makes sense, but they don't know how to do it in UTM.

    I sent an email to support, but they are extremely slow.
    So to explain again what I need: it is to say, from a non-physical port, to connect to an IPSec tunnel with a specific IP address that I want to specify. At this moment this option is missing:
  • "So to explain again what I need: it is to say, from a non-physical port, to connect to an IPSec tunnel with a specific IP address that I want to specify."

    I'm not sure what a "non physical port" is, Vasileios, but you can use the same External Interface for all tunnels.  Just have each client use the primary IP on your External interface as their endpoint for you.

    What you can't do without the cooperation of your customers is use Additional Addresses with SNATs.  In order to not "break" IPsec, they would need to identify the "Right ID" as the IP from which the traffic is SNATed.  I see no advantage in complicating your life with that though.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
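As an added illustration of the point Bob makes above (this is example code written for this page, not Sophos UTM's or the thread's own): when several customer tunnels terminate on one External interface, a tunnel whose traffic is SNATed from an Additional Address only works if the customer configures the "Right ID" as that SNATed address. The checker below models a set of tunnel definitions and flags the two things that go wrong in that setup: an IKE identity that does not match the address the peer actually sees packets from, and two tunnels that share both source address and remote gateway. All customer names and addresses are constructed for the example; the field names are hypothetical and do not correspond to UTM's configuration keys.

```python
"""Consistency check for site-to-site IPsec tunnels terminated on one firewall.

Added example, not from the thread or from Sophos UTM. It encodes the rule
discussed above: if a tunnel is sourced via SNAT from an Additional Address,
the IKE identity the peer verifies (its "Right ID") must be that SNATed
address, not the interface's primary IP. The model is simplified to IP-based
identities, which is the case the thread discusses.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tunnel:
    customer: str            # hypothetical customer label
    primary_ip: str          # primary IP of the shared External interface
    snat_ip: Optional[str]   # Additional Address used as SNAT source, or None
    local_id: str            # IKE identity we present; the customer's "Right ID"
    remote_gateway: str      # customer's office endpoint


def effective_source(tunnel: Tunnel) -> str:
    """Address the customer actually sees our IKE/ESP packets come from."""
    return tunnel.snat_ip or tunnel.primary_ip


def check_tunnels(tunnels: List[Tunnel]) -> List[str]:
    """Return human-readable findings; an empty list means the set is consistent."""
    findings: List[str] = []
    seen: Dict[Tuple[str, str], str] = {}
    for t in tunnels:
        # Reject malformed addresses early; ip_address raises ValueError.
        for addr in (t.primary_ip, t.remote_gateway, t.snat_ip or t.primary_ip):
            ip_address(addr)
        src = effective_source(t)
        # Finding 1: identity/source mismatch breaks IKE authentication on the peer.
        if t.local_id != src:
            findings.append(
                f"{t.customer}: IKE ID {t.local_id} does not match source {src}; "
                f"peer must set Right ID = {src}"
            )
        # Finding 2: same source and same remote gateway cannot be told apart.
        key = (src, t.remote_gateway)
        if key in seen:
            findings.append(
                f"{t.customer}: source {src} -> {t.remote_gateway} already used by {seen[key]}"
            )
        else:
            seen[key] = t.customer
    return findings


# Constructed sample: three customers on one UTM with one External interface.
SAMPLE: List[Tunnel] = [
    # Plain case: tunnel from the primary IP, ID equals the primary IP.
    Tunnel("alpha", "203.0.113.10", None, "203.0.113.10", "198.51.100.1"),
    # SNATed from an Additional Address but ID left at the primary IP: broken.
    Tunnel("beta", "203.0.113.10", "203.0.113.11", "203.0.113.10", "198.51.100.2"),
    # SNATed with the ID set to the SNATed address: consistent.
    Tunnel("gamma", "203.0.113.10", "203.0.113.12", "203.0.113.12", "198.51.100.3"),
]


if __name__ == "__main__":
    for finding in check_tunnels(SAMPLE) or ["all tunnels consistent"]:
        print(finding)
```

Run against the constructed sample, only the "beta" tunnel is reported, which is exactly the configuration Bob warns about: the peer would compare the received identity (the primary IP) against the SNATed address it sees on the wire and reject the exchange.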
  • Thanks! I wanted a different IP address per customer.
    I contacted a Sophos expert who told me that it is possible using double NATing, but it will be unstable and unreliable.
    I ended up using different ethernet ports and assigning the appropriate IP address to each.
    In time, I will contact my customers and ask them to change their pointer so I can remove the physical cables.