Site-to-Site VPN behind DSL Router


i am facing the situation to build a site to site vpn to our HQ. In the branch office we just have a DSL Connection with DSL Router. 

The DSL Router get the public ip an is connected to the XG Firewall using a private network like 


When i initial a site to site configuration i need give the Interface of the local VPN Tunnel start point so that will be my LAN Interface with

a private ip from 192.168.1.x network. Will the VPN work ? Cause the 192.168.1.x network will be natted behind the DSL Router. When i would

use a RED Device i think its not a problem to place it in the local private network and let it build the connection automatic but i am not sure how

that works with the site to site VPN. 


Would be great to get help in that point. The DSL Router we use is a fritzbox 7590.


Thanks an regards


  • In reply to Keyur:

    Hello and thank you very much for your reply. In general i know how to set up a vpn. The document suggest to use NAT-T but not for Site-to-Site VPN that

    should be figured out automaticly but it seems not to be so easy. 



  • Site to site and red works similar, just that the red saves you from getting fixed IP in the "red site", and you can you simple router in the "red site"

    Each site has a different LAN IP, and the site to site or red will route the "other site" IP to be used locally.

  • In reply to Hayim Caspy:

    Hello, i think i need some more help in that topic. My HQ has a fix ip and my branch has a DSL Connection with dynamic ip. 

    I need a solution to build a site to site vpn tunnel betwenn both locations. I was thinking about using DynDNS feature of Sophos

    for the branch office but i am not sure if i understand that feature correct. I not see that the hostname i can choose for the dyndns

    will be verified. There is just the need to use what happend if 2 customer use the name hostname ? How will be a check

    that this is not happening and in generell is the feature a good way to connect site-to-site with dynamic ip ? 




  • In reply to marco_47d:


    If you have a dynamic IP, you can configure * in the remote gateway in IPsec VPN policy at Headoffice and Initiate the tunnel from the Branch office. Please also configure Local and Remote ID (IPaddress) at IPsec configuration at HO and BO.

    HO Local ID:
    HO Remote ID:

    BO Local ID:
    BO Remote ID:

  • In reply to marco_47d:

    You don't need any dynamic DNS for this type of setup, have the VPN definition at the core to be setup with it's Gateway type to be  "Respond only" and the edge site's VPN as "initiate the connection". At the core have the remote gateway address set as "*", use an "ID Type" as a private IP Address (for example) on both ends and matching Pre-Shared key. I use this sort of setup often for 4G sites so it will work for yourself.