
S2S IPsec using public IPs?

I need to set up a site-to-site IPsec VPN with a partner company. They provided me the standard connection sheet, but both the firewall endpoint and the internal access address are public IPs.

Example

Customer

Firewall Address   147.118.246.5 (PUBLIC IP)

Internal Server Access :  147.118.246.50 port 666 (PUBLIC IP)

My Sophos UTM 9

Firewall address 200.10.10.5 (PUBLIC IP)

Internal Server Access : 10.10.10.50 port 666 (PRIVATE IP)

The partner is expecting me to provide a public IP as well for phase 2. What IP should I provide?

How should I configure the tunnel?

Any help will be appreciated.

Thanks

Gaston



  • Routes for IPsec tunnels have the highest priority, Gaston, so the solution should be very easy to do.  I'm a little confused though by your comment about using a public IP for Phase 2.  Phase 2 is the second of two phases in establishing an IPsec tunnel.  If you mean that the partner wants all traffic in the tunnel from you to come from a public IP, the following will need to be modified a bit...

    In the IPsec Connection, put 10.10.10.50 (or whatever subnet should be able to access their server) in 'Local Networks'.  In the Remote Gateway, put 147.118.246.50 (or whatever subnet should be accessible from your end).  If you only want to allow port 666 traffic from your side to theirs, don't select 'Automatic firewall rules' in the IPsec Connection and add an appropriate firewall rule.

    Does that do what you wanted?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob

    Just to clarify

    The request is a traditional site-to-site IPsec VPN. The problem is that they provided a public IP (a publicly routable IP address) for the server resource, and they expect me to provide a public IP as well.

    The way I am thinking of doing it is the following:

    On my UTM I set up the remote network either as a host or a /25 network.

    In order for me to provide a public IP for my internal server, I set up a 1:1 NAT between an extra public IP newly added to my firewall and the private IP of the internal resource.

    The requirement is a tunnel connecting public IP to public IP (server to server) on port 666.

    The tunnel will also require a proxy ID, which should be the public IP. I wonder if the NAT will be able to pass the proper proxy ID.

    Will that work? Could you advise on the proxy ID?

    Thanks in advance

    Gaston


  • I really don't get why a publicly routable address should be inside a tunnel. We have this at one of our customers who themselves have a large pool of public addresses, and they have assigned a small subnet of those to us which we need in our tunnel. This is done through NAT inside the tunnel.

    However, in your case you should be the one to supply one public address for the VPN (obvious) and another public IP for reaching a server inside the VPN (not obvious to me). But you could simply "make up" a fake public IP and have this NATted inside the tunnel.

    The problem for your client is that if that made-up IP address is in use somewhere else on the internet, they won't be able to reach it...


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
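The setup the replies describe, modelled as an added example (this is constructed illustration code, not Sophos UTM code and not from anyone in the thread): the private server 10.10.10.50 is 1:1 NATted to a spare public address on the UTM's WAN side, the phase-2 selector (proxy ID) is written with that public address, and a manual firewall rule in place of 'Automatic firewall rules' lets only TCP/666 towards the partner server into the tunnel. Addresses are the ones from the thread; the spare public IP 200.10.10.6 and the evaluation order (firewall rule, then 1:1 NAT, then IPsec policy lookup on the NATted packet) are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Selector:
    """One phase-2 traffic selector (proxy ID) pair: local net <-> remote net."""
    local_net: str
    remote_net: str
    proto: str = "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.local_net)
            and ip_address(pkt.dst) in ip_network(self.remote_net)
            and self.proto in ("any", pkt.proto)
            and self.dport in (None, pkt.dport)
        )

    def mirror(self) -> "Selector":
        """Same selector as seen for traffic coming back from the partner (any port)."""
        return Selector(self.remote_net, self.local_net, self.proto)


# Addresses from the thread; 200.10.10.6 is an ASSUMED spare public IP on the UTM.
PARTNER_SERVER = "147.118.246.50"
PRIVATE_SERVER = "10.10.10.50"
NAT_PUBLIC_IP = "200.10.10.6"

ONE_TO_ONE_NAT = {PRIVATE_SERVER: NAT_PUBLIC_IP}  # private -> public
REVERSE_NAT = {v: k for k, v in ONE_TO_ONE_NAT.items()}

# Proxy ID written with the post-NAT public address, which is what the partner expects.
PUBLIC_PROXY_ID = Selector(f"{NAT_PUBLIC_IP}/32", f"{PARTNER_SERVER}/32", "tcp", 666)
# Proxy ID written with the private host instead, kept for comparison.
PRIVATE_PROXY_ID = Selector(f"{PRIVATE_SERVER}/32", f"{PARTNER_SERVER}/32", "tcp", 666)


def firewall_allows(pkt: Packet) -> bool:
    """Stand-in for the manual rule Bob suggests instead of 'Automatic firewall rules':
    only TCP/666 towards the partner server may enter the tunnel."""
    return pkt.proto == "tcp" and pkt.dport == 666 and pkt.dst == PARTNER_SERVER


def outbound(pkt: Packet, proxy_id: Selector = PUBLIC_PROXY_ID):
    """Assumed order: firewall rule -> 1:1 NAT -> IPsec policy lookup on the NATted packet.
    Returns ('encrypt', packet_as_the_partner_sees_it) or ('drop', reason)."""
    if not firewall_allows(pkt):
        return ("drop", "blocked by firewall rule")
    natted = Packet(ONE_TO_ONE_NAT.get(pkt.src, pkt.src), pkt.dst, pkt.proto, pkt.dport)
    if not proxy_id.matches(natted):
        return ("drop", "no matching IPsec policy for NATted packet")
    return ("encrypt", natted)


def inbound(pkt: Packet, proxy_id: Selector = PUBLIC_PROXY_ID):
    """Decrypted reply from the partner: must fit the mirrored proxy ID, then is un-NATted
    back to the private server. Returns ('deliver', packet) or ('drop', reason)."""
    if not proxy_id.mirror().matches(pkt):
        return ("drop", "not covered by proxy ID")
    delivered = Packet(pkt.src, REVERSE_NAT.get(pkt.dst, pkt.dst), pkt.proto, pkt.dport)
    return ("deliver", delivered)


if __name__ == "__main__":
    request = Packet(PRIVATE_SERVER, PARTNER_SERVER, "tcp", 666)
    print("public proxy ID :", outbound(request))
    print("private proxy ID:", outbound(request, PRIVATE_PROXY_ID))
    print("reply           :", inbound(Packet(PARTNER_SERVER, NAT_PUBLIC_IP, "tcp", 51234)))
```

Running it shows the point of the thread: with the public address in the selector the NATted request is encrypted as 200.10.10.6 -> 147.118.246.50:666 and the partner's reply is un-NATted back to 10.10.10.50, while the same request is dropped if the selector still names 10.10.10.50, because by the time the policy is consulted the source address has already been rewritten. Any other internal host, and any other port, is stopped by the firewall rule or by the selector before it reaches the tunnel.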
