IPSEC Use static remote access IP not working

Hello,

I have a UTM 9 SG210 model and since the latest updates it seems that the static allocation of IPs became a real pain, because the UTM gives the same IP to other clients also.

I opened a support case but they didn't find any issue in my configuration; I also sent them the log from the clients.

The first issue came with the IP 10.2.2.1, which wasn't allocated to any of the static clients and was still offered to IPsec clients which had another IP allocated.

Recently, after I made a static allocation of the IP 10.2.2.1, I found out that the UTM now gives the IP 10.2.2.6, which is also reserved, to other clients as well. Also, on that IP class I don't have any DHCP; it's only a simple pool.

Has anyone had this issue?

Thank you in advance.

  • Hi  

    If your static assignment IPs are included in the DHCP scope as well, it will cause a conflict. Would you please be specific about what the static assignments are and what DHCP scope you have configured?

  • In reply to Jaydeep:

    Hello Jaydeep,

    It worked for a few years in this config without any problems.

  • In reply to Gabriel Georgescu:

    Salut Gabriel and welcome to the UTM Community!

    That won't work.  Since 10.2.2.7 is in the 10.2.2.0/25 subnet, the IPsec server will assign it to clients not assigned a static IP.  The IPsec server doesn't see "reservations" as occurs in Windows Server DHCP.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    Thank you very much for the response. How can it be explained that this configuration worked without any issues for many years before, and why did Sophos support tell me that they can't find any issue in my configuration?

    Also, what do you suggest? Should I change the range using the mask? Because I don't wanna use dynamic addresses, only static; is it possible not to define any pool?

  • In reply to Gabriel Georgescu:

    Salut Gabriel,

    It sounds like you don't have that many Remote Access users, so I would try expanding "VPN Pool (IPsec)" to .0/24 and then assign fixed IPs in .128/25.  Odds are that that would not cause any conflicts.  If that "trick" doesn't work, you'll need to craft manual Firewall rules instead of using automatic.  Let us know.

    Cheers - Bob
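
An added example, not part of any post in this thread and not Sophos code: a Python check for the overlap described in the replies, run on the addresses mentioned above. The user names, the function name and the lowest-free-address-first allocation order behind the "headroom" figure are assumptions.

```python
import ipaddress

def audit_static_ips(pool_cidr, static_map):
    """Flag static remote-access IPs that the dynamic pool can also hand out.

    pool_cidr  -- the "VPN Pool (IPsec)" network, e.g. "10.2.2.0/25"
    static_map -- {user: static IP}; the user names are constructed
    Returns a list of (user, ip, finding, headroom) tuples.
    """
    pool = ipaddress.ip_network(pool_cidr)
    seen = {}
    results = []
    for user, ip_text in static_map.items():
        ip = ipaddress.ip_address(ip_text)
        if ip in seen:
            # Two users pinned to one address conflict regardless of the pool.
            results.append((user, ip_text, "duplicate of " + seen[ip], None))
            continue
        seen[ip] = user
        if ip not in pool:
            results.append((user, ip_text, "outside pool", None))
            continue
        if ip in (pool.network_address, pool.broadcast_address):
            results.append((user, ip_text, "not a usable host address", None))
            continue
        # Assumption (not confirmed in the thread): the server hands out the
        # lowest free address first, so headroom is the number of pool
        # addresses below this one that would be given out before it.
        headroom = int(ip) - int(pool.network_address) - 1
        results.append((user, ip_text, "inside pool", headroom))
    return results

if __name__ == "__main__":
    # Constructed sample: the addresses named in the thread, made-up users.
    current = {"user_a": "10.2.2.1", "user_b": "10.2.2.6", "user_c": "10.2.2.7"}
    # Layout suggested in the last reply: pool .0/24, fixed IPs in .128/25.
    suggested = {"user_a": "10.2.2.129", "user_b": "10.2.2.130"}
    for label, cidr, statics in (("current", "10.2.2.0/25", current),
                                 ("suggested", "10.2.2.0/24", suggested)):
        for row in audit_static_ips(cidr, statics):
            print(label, *row)
```

An "inside pool" result with low headroom means the address can be given to an unrelated client, which matters when firewall rules are keyed to that static IP.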