How to use private IP Address for creating IPSEC Tunnel

Hi Sachin Bhatgare 

The ISP line which you want to use for IPsec needs port 500 and 4500 for IPsec communication, if you have forwarded all the ports then it is not possible to create IPsec tunnel on that specific ISP link, It would be great if you could provide more details on your requirement and your network setup, it would help us to assist you better.

Hi Keyur,

As my firewall is HA mode it does not support dial-up. Therefore I created a connection using PPOE in ONT(ONU) device. Then used private subnet to link ONT's LAN port with Firewall's WAN port. In ONT device I forwarded all the ports to WAN IP Address. That's how I started getting Internet access using that WAN port. We have subscribed one static IP address on this link. But as I have made dialup connectivity using ONT, the private IP address is there on WAN port and using the regular procedure I can't connect VPN link. Is there any way that I can use allotted static IP address for VPN connection. Kindly refer attached diagram broader understanding.

Hi Keyur,

As my firewall is HA mode it does not support dial-up. Therefore I created a connection using PPOE in ONT(ONU) device. Then used private subnet to link ONT's LAN port with Firewall's WAN port. In ONT device I forwarded all the ports to WAN IP Address. That's how I started getting Internet access using that WAN port. We have subscribed one static IP address on this link. But as I have made dialup connectivity using ONT, the private IP address is there on WAN port and using the regular procedure I can't connect VPN link. Is there any way that I can use allotted static IP address for VPN connection. Kindly refer attached diagram broader understanding.

Hi Sachin Bhatgare 

Thank you for providing in-depth details of the scenario.

If the remote end device has public IP we can configure * value in the remote end and can initiate the tunnel from Sophos XG as Sophos XG knows the remote gateway Public IP and we can establish the IPsec Tunnel.

Sophos XG IPsec Configuration (Initiate the tunnel from Sophos XG)

Local Gateway - WAN Interface (192.168.17.5)

Remote Gateway - Remote End device Public IP address

Remote End device IPsec Configuration (Responder Only)

Local Gateway - WAN Interface

Remote Gateway - * or Any

Rest of the IPsec configuration, please refer the article- https://community.sophos.com/kb/en-us/123140

Hi Keyur,

Your suggested configuration is not working. Tried the setting on active IPSEC VPN, therefore we can be assured that other configurations are correct. It does not accept *, tried using Any. 

Hi Sachin Bhatgare 

Could you please share the configuration screenshot to check?

Do you have XG firewall at remote end?

Hi Keyur,

Your solution worked. Only thing I had to do is to configure my end policy as Defaultbranchoffice with Gateway type initiate the connection and remote end Policy DefaultHeadoffice with Gateway type Respond only.  

Hi Sachin Bhatgare 

We glad that we could help and the most important that the issue got resolved.