
Simultaneous VPN via Site-to-Site and Client possible?

Hello to the board!

I hope you can help me out, as I'm stuck with the following question:

Is it possible to have our UTM connected by a site-to-site tunnel to a remote gateway and allow a VPN by a client which sits in our internal (guest) network to the same remote gateway at the same time?

Reason: we have an employee from the remote site sitting here.

For internet access he is connected to our guest WiFi network and wants to VPN to his "home" remote site.

For security reasons, we won't expose the site-to-site tunnel to the guest network.

Thus the only option is to allow him to make his own VPN.

I already tried by allowing the needed ports for the guest network on the firewall, but this alone doesn't do the job.

So I wonder if this is simply impossible or which additional steps I have to take to achieve this goal.

Any help is welcome!

Best regards   ranX

  • Hey RanX.

    So I take it that the remote site's employee is using an IPSEC VPN as well, right? If you already have an IPSEC tunnel from your UTM with that particular destination originating from the same WAN IP on which that client traffic is going through, it would not work as the remote side would "confuse" this client's incoming connection attempt as part of that site-to-site tunnel and would discard it as there's already a tunnel established.

    I don't think there's much you can do on your side, unless you have another WAN link on which you could send this employee's traffic through. If traffic from this client IPSEC connection would originate from a different IP address chances are both tunnels would work.

    Regards,

    Giovani
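To make the behaviour Giovani describes concrete, here is a small Python model (an added example, not code from this thread, from Sophos, or from any IPsec implementation) of a remote gateway that keeps one IKE security association per initiator address. The NAT table, subnets, public addresses and IKE identities are all constructed values; the one-SA-per-address rule is the simplifying assumption the reply rests on, and the second run shows why a separate WAN IP for the guest network resolves the collision.

```python
"""Toy model of the responder behaviour described in the reply above.

Constructed illustration only: not UTM code and not a real IKE daemon. The
responder indexes IKE SAs by the initiator's public address, so a second
initiation arriving from an address that already owns an established tunnel
is taken as belonging to that tunnel and is not given a new SA.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class IkeSa:
    peer_ip: str
    peer_id: str  # IKE identity presented by the initiator (hypothetical names)


@dataclass
class IkeResponder:
    """Remote gateway that keeps a single SA per peer address (model assumption)."""
    sa_by_peer: dict = field(default_factory=dict)

    def handle_init(self, peer_ip: str, peer_id: str) -> str:
        existing = self.sa_by_peer.get(peer_ip)
        if existing is None:
            self.sa_by_peer[peer_ip] = IkeSa(peer_ip, peer_id)
            return "established"
        if existing.peer_id == peer_id:
            return "rekey"  # the same peer renegotiating its own tunnel
        # A different identity from an address that already owns a tunnel is,
        # in this model, indistinguishable from traffic of that tunnel.
        return "rejected-address-in-use"


# Constructed NAT table for the local UTM: internal subnet -> public egress IP.
# Both the office LAN (site-to-site endpoint) and the guest WiFi leave via the
# same WAN address, which is exactly the situation in the question.
NAT_TABLE = {
    "10.10.0.0/16": "203.0.113.10",
    "192.168.50.0/24": "203.0.113.10",
}


def egress_ip(internal_ip: str, nat_table=NAT_TABLE) -> str:
    """Return the public address a host's traffic carries after NAT."""
    addr = ipaddress.ip_address(internal_ip)
    for subnet, public in nat_table.items():
        if addr in ipaddress.ip_network(subnet):
            return public
    raise ValueError(f"no NAT rule for {internal_ip}")


def scenario(guest_ip: str, nat_table=NAT_TABLE) -> dict:
    """Bring up the site-to-site tunnel, then let a guest client try the same gateway."""
    remote = IkeResponder()
    s2s = remote.handle_init("203.0.113.10", "utm.example.invalid")
    client = remote.handle_init(egress_ip(guest_ip, nat_table), "laptop.example.invalid")
    return {"site_to_site": s2s, "client": client}


if __name__ == "__main__":
    # One WAN IP: the client's attempt collides with the existing tunnel.
    print(scenario("192.168.50.23"))
    # Second WAN IP for the guest network: the client arrives from a new address.
    second_wan = {**NAT_TABLE, "192.168.50.0/24": "203.0.113.11"}
    print(scenario("192.168.50.23", second_wan))
```

Run it and the first dictionary reports the client as rejected while the second, with the guest subnet NATed to a different public address, reports both tunnels established; the useful check for a practitioner is the `egress_ip` comparison, since whatever the remote gateway actually does, a client whose traffic leaves through the same public IP as an existing site-to-site tunnel is the case to avoid.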

  • Hello Giovani,

    thank you for your reply including this good explanation!
    You confirmed what I was afraid of but wasn't able to put into words.

    At my former company we had this working with two external IPs, the way you described it.
    As I now have only one external IP at hand, I can put this on file until we maybe have a second one.

    Best regards   ranX