s2s IPsec using public IPs?

I need to set up a site-to-site IPsec VPN with a partner company. They provided me the standard connection sheet, but both the firewall endpoint and the internal access are public IPs.



Firewall Address (PUBLIC IP)

Internal Server Access : port 666 (PUBLIC IP)

My Sophos UTM 9

Firewall address (PUBLIC IP)

Internal Server Access : port 666 (PRIVATE IP)

The partner is expecting me to provide a public IP as well for phase 2. What IP should I provide?

How should I configure the tunnel?

Any help will be appreciated.



  • Routes for IPsec tunnels have the highest priority, Gaston, so the solution should be very easy to do.  I'm a little confused though by your comment about using a public IP for Phase 2.  Phase 2 is the second of two phases in establishing an IPsec tunnel.  If you mean that the partner wants all traffic in the tunnel from you to come from a public IP, the following will need to be modified a bit...

    In the IPsec Connection, put (or whatever subnet should be able to access their server) in 'Local Networks'.  In the Remote Gateway, put (or whatever subnet should be accessible from your end).  If you only want to allow port 666 traffic from your side to theirs, don't select 'Automatic firewall rules' in the IPsec Connection and add an appropriate firewall rule.

    Does that do what you wanted?

    Cheers - Bob

  • In reply to BAlfson:

    Thanks Bob

    Just to clarify

    The request is a traditional site-to-site IPsec VPN. The problem is that they provided a public IP (publicly routable IP address) for the server resource, and they expect me to provide a public IP as well.

    The way I am thinking of doing it is the following:

    On my UTM I set up the remote network either as a host or as a /25 network.

    In order to provide a public IP for my internal server, I set up a 1:1 NAT between an extra public IP newly added to my firewall and the private IP of the internal resource.

    The requirement is a tunnel to connect public IP to public IP (server to server) on port 666.

    The tunnel will also require a proxy ID, which should be the public IP; I wonder if the NAT will be able to pass the proper proxy ID.

    Will that work? Could you advise on the proxy ID?


    Thanks in advance




  • In reply to GastonLopez:

    I really don't get the point why a publicly routable address should be inside a tunnel. We have this at one of our customers who themselves have a large pool of public addresses and they have assigned a small subnet of those to us which we need in our tunnel. This is done through NAT inside the tunnel.

    However in your case you should be the one to supply 1 public address for the VPN (obvious) and another public IP for reaching a server inside the VPN (not obvious to me). However you could simply "make up" a fake public IP and have this NATted inside the tunnel.

    Problem for your client is that if that made up IP-address is in use somewhere else on the internet, they won't be able to reach it...

  • In reply to GastonLopez:

    I'm still not sure that I understand their requirements.  Do they want to see all traffic coming from you to be from a single public IP?  If this is what they want, then use that public IP (say 216.x.y.241) as the only entry in 'Local Networks' and 'Strict routing' should not be selected.  The address(es) you want to reach on their side should go into 'Remote Networks'.

    The trick to making this work is a NAT rule that SNATs the desired traffic into the tunnel:

    SNAT : {your addresses} -> {allowed ports} -> {their addresses} : from 216.x.y.241

    Was that what you were looking for?

    Cheers - Bob

  • In reply to BAlfson:

    Hi, let me try to clarify further


    Hi, they just want communication between those 2 hosts based on public IPs on port 666; they want to implement a message queueing service.

    It should be like this:

    Starting from my side: Port 666 (Public IP) <-> (NAT Private IP) Port 666 <-> (My firewall address) <-> (Remote Firewall Endpoint - Public IP) <-> Port 666 (Public IP)


    So my questions are:


    1- What type of NAT should I set up in order to make this work?

    2- Will the ID match the public IP ( ) or will it show the private IP (

    3- Will just creating the NAT and using their public IP as the remote network (a single host in this case) be sufficient, or do I need to create extra routing or rules in order to make this work?


    Thanks a lot



  • In reply to GastonLopez:

    I hope I get the question now and maybe you have some help with this:

    The other party wants your system(s) to communicate over a VPN-connection to You can reach that through a VPN-tunnel with their endpoint at

    So you can create a remote IPSec gateway with IP and remote network
    then in setting up the connection you use your external WAN connection as the local interface for creating the tunnel ( In your local network(s) you could simply enter (as that is the local server at your side that needs to communicate with remote side). Then that's also what they need to enter at their side as their remote network (that's your local network).

    However if for some reason they cannot handle, then you must supply something else (and also configure that something else in your own local network(s) setting). If that something else has to be a public address (again, I really don't know why), then you must either own additional public addresses or make some up. In the first place, if you own a subnet including more than just then you could assign i.e. and have this configured as your local network. Be sure though to use a public address that you haven't configured as an additional address, since it will most likely create routing issues on your own UTM.

    Assuming you want to use you then need an SNAT rule:

    Traffic from:
    Using service: 666 (or any, but if you only need port 666 then go ahead and use that)
    Going to:

    Change source to:

    Create automatic firewall rule and be sure to also select 'Rule applies to IPSec packets' under advanced


    You will then also need a DNAT rule (for the return traffic):

    Traffic from:
    Using service: 666 (or any again, just like above)
    Going to:

    Change destination to:

    Again tick 'Use automatic firewall rule'.

    But please, do try to have the other party just use as your local (their remote) computer.
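As an added illustration (not from the thread, and not Sophos code), a small Python model of the SNAT/DNAT-inside-the-tunnel scheme described above and of the "healthy tunnel but the partner sees no traffic" symptom reported later in the thread: a packet is only encapsulated when its post-NAT addresses fall inside the Phase 2 selectors ('Local Networks'/'Remote Networks'). All addresses are constructed placeholders from the RFC 5737 documentation ranges, the Packet/snat_into_tunnel/dnat_from_tunnel names are mine, and apply_to_ipsec is a simplified stand-in for the 'Rule applies to IPsec packets' option.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed placeholder addresses (RFC 5737 ranges), not the thread's production IPs
SERVER_PRIVATE = ip_address("10.10.0.9")      # internal server behind the UTM
SERVER_PUBLIC = ip_address("203.0.113.25")    # unused public IP you own, entered as 'Local Networks'
PARTNER_SERVER = ip_address("198.51.100.40")  # partner's public host, entered as 'Remote Networks'
PORT = 666

# Phase 2 traffic selectors; the partner configures the mirror image on their side
LOCAL_TS = ip_network("203.0.113.25/32")
REMOTE_TS = ip_network("198.51.100.40/32")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def snat_into_tunnel(pkt, apply_to_ipsec=True):
    """SNAT rule: private server -> partner on PORT, source changed to SERVER_PUBLIC.
    apply_to_ipsec models whether the rule is allowed to touch tunnel-bound packets."""
    matches = pkt.src == SERVER_PRIVATE and pkt.dst == PARTNER_SERVER and pkt.dport == PORT
    return replace(pkt, src=SERVER_PUBLIC) if matches and apply_to_ipsec else pkt


def dnat_from_tunnel(pkt):
    """DNAT rule for partner-initiated traffic: partner -> SERVER_PUBLIC on PORT lands on the private server."""
    matches = pkt.src == PARTNER_SERVER and pkt.dst == SERVER_PUBLIC and pkt.dport == PORT
    return replace(pkt, dst=SERVER_PRIVATE) if matches else pkt


def selected_for_tunnel(pkt):
    """Phase 2 check: only packets inside the negotiated selectors are encapsulated."""
    return pkt.src in LOCAL_TS and pkt.dst in REMOTE_TS


def outbound(pkt, apply_to_ipsec=True):
    """(post-NAT packet, tunneled?) for a packet leaving the UTM toward the partner.
    If SNAT does not run, the private source never matches LOCAL_TS and nothing enters the tunnel."""
    nat = snat_into_tunnel(pkt, apply_to_ipsec)
    return nat, selected_for_tunnel(nat)


def inbound(pkt):
    """(post-NAT packet, accepted?) for a decrypted packet from the partner: selectors are
    checked on the decrypted packet, then DNAT delivers it to the private server."""
    accepted = pkt.src in REMOTE_TS and pkt.dst in LOCAL_TS
    return (dnat_from_tunnel(pkt) if accepted else pkt), accepted
```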

  • In reply to GastonLopez:

    Is this the topology?

    Your Server <-> Your UTM <- IPsec VPN -> Their VPN endpoint <-> Their server

    Is there another firewall in this chain?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    I don't think there is another firewall in the chain; not 100% sure on the other one, but from my side your topology is correct.





  • In reply to apijnappels:

    Guys, thank you very much for all your help.

    We were able to implement the site-to-site and IPsec is working; we have a healthy tunnel.

    Problem is I still can access the remote public IP host. I am suspecting I am missing a step or the SNAT is not doing what it should.

    So right now I have a healthy tunnel configured this way: (My firewall address) <-> (remote firewall address). The tunnel is working.

    With regard to the internal hosts (public IPs):

    I have added as my local network, which I own, but it is not an IP configured in the Sophos.

    Then I have created a SNAT rule as follows:

    For traffic from (private IP of my internal server)
    Using Service: Port 666 (I tried any as well with the same results)
    Going to
    Change the source to

    When I look at the real-time log I see an allowed connection (green) from to, but I was expecting to see from to.

    The guys on the other firewall can't see any traffic on the tunnel coming from me.

    Did I miss anything? What would be the best way for me to see the traffic coming out of my UTM?

    Any help will be appreciated.



  • In reply to GastonLopez:

    Gaston, please show pictures of the Edits of the IPsec Connection and Remote Gateway with 'Advanced' open.  Also pics of the corresponding configurations on the other side.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks Bob.


    I will share the real production IP info; at this point I need to make this work.


    Here is my IPsec with them


    The public IP set as local network is which is an IP address I own; it's not in use and not set as an additional address in the firewall, as suggested.


    Here is the SNAT

    For traffic from = WLAB-9, which is my internal server (

    Using Service (1414)

    Going to = (internal partner, but using the public IP)

    Change Source to: which is the same IP set as local network

    When I try to telnet from WLAB-9 ( to the remote server on port 1414 I see the following:


    Now, I was expecting the DNAT to show me the source change, but I am not sure that should be the case.


    What would be the best way for me to see if the conversion to is happening, and also to see if traffic is leaving the firewall?


    Thank you guys for all your help



  • In reply to GastonLopez:

    Remote Gateway picture?  Everything else looks like the problem is on the other end.

    To see traffic inside an IPsec tunnel, you must first know the REF_ of the IPsec Connection:

    cc get_object_by_name 'ipsec_connection' 'site_to_site' 'CB-???? Dev s2s Ipsec'|grep 'ref'

    Assume that gave you REF_Cb????DevS2sIpsec

    espdump -n --conn REF_Cb????DevS2sIpsec -vv

    Cheers - Bob

  • In reply to BAlfson:

    Thanks Bob.

    Attached the remote gateway

    The gateway is

    Remote Host is



    I believe that is also correct as the tunnel is healthy... I will follow up with the other end.