
S2S VPN Configuration

Hi,

I want to route traffic through 2 firewalls via S2S VPN connections. One of the VPNs, R1 to R2, already exists, but the other, R1 to R2, doesn't, so I need to create it.

I am unsure about what local IP address/subnet to use for router B. Do I create one that will only be used for this purpose, or do I use an interface of R2?

i.e. this one:

I hope the attached diagram makes sense of what I am trying to achieve:

  • Hi Jimmy10

    Hope the link below helps to meet your requirement:

    https://support.sophos.com/support/s/article/KB-000035821?language=en_US 

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Jimmy,

    If you do not want to use direct connections between R3 and R1, the scenario would be:

    R1: 1 tunnel between R1 and R2
    - local network: R1 LAN, remote network: R2 LAN + R3 LAN
    R2: 2 tunnels
    - tunnel1 between R1 and R2: local networks R2 LAN + R3 LAN, remote network R1 LAN
    - tunnel2 between R3 and R2: local network R2 LAN + R1 LAN, remote network R3 LAN
    R3: 1 tunnel again between R3 and R2
    - local network: R3 LAN, remote networks R1 LAN + R2 LAN

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner

  • Hi Keroba,

    Thank you for the reply.

    I don't want to expose the local LAN of R2, so can I use a made-up subnet or /32 that won't be used for anything other than the VPN connection from R2 to R1? Will I still be able to route traffic from R1 to R3 via R2 if I use a random made-up subnet or /32 on R2?

    Does that make sense?

    You can use NAT in VPN, but you have to "translate" it somewhere. You can use R3 LAN (NAT) and R2 LAN (NAT) as remote networks for R1's tunnel. On R2, for example, you have to translate the R2 LAN (NAT) to R2 LAN (Real), but in the S2S configuration you will have to use the same network(s) you defined on R1.

    For example:

    My "real" subnet in this case would be the 192.168.52.0/24 subnet, but in all tunnels only the 192.168.27.0/24 will appear.

    The imaginary firewall with the 60.0/24 subnet would have 192.168.27.0/24 and 192.168.61.0/24 as remote networks. This firewall can NAT its own subnet again and it could be in fact 192.168.78.0/24.

    What you need to do is to create the network definition "original subnet" before you can select it in the S2S definition. You cannot create it in the dropdown.

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
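The selector layout and 1:1 NAT that Kevin describes, written out as an added example (not code from the thread or from Sophos): only 192.168.52.0/24 and 192.168.27.0/24 come from his reply, while the R1 and R3 LANs are assumed placeholders. It builds the per-firewall tunnel definitions, checks that each tunnel's local networks match the peer's remote networks, confirms the real R2 subnet never appears in any selector, and translates a destination from the NAT subnet to the real one.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. Only 192.168.52.0/24 (real R2 LAN) and 192.168.27.0/24
# (the subnet R2 shows in every tunnel) come from Kevin's reply; the R1 and R3
# LANs are assumed placeholders.
R1_LAN = ip_network("10.1.0.0/24")
R2_LAN_REAL = ip_network("192.168.52.0/24")
R2_LAN_NAT = ip_network("192.168.27.0/24")
R3_LAN = ip_network("10.3.0.0/24")


def hub_spoke_tunnels(r1_lan, r2_nat, r3_lan):
    """Per-firewall S2S selectors for the R1 <-> R2 <-> R3 chain, with R2's LAN
    replaced everywhere by its NAT subnet so the real subnet is never advertised."""
    return {
        "R1": [{"peer": "R2", "local": [r1_lan], "remote": [r2_nat, r3_lan]}],
        "R2": [
            {"peer": "R1", "local": [r2_nat, r3_lan], "remote": [r1_lan]},
            {"peer": "R3", "local": [r2_nat, r1_lan], "remote": [r3_lan]},
        ],
        "R3": [{"peer": "R2", "local": [r3_lan], "remote": [r1_lan, r2_nat]}],
    }


def selectors_symmetric(tunnels):
    """A tunnel only negotiates if one side's local networks equal the other side's
    remote networks; check every tunnel in both directions."""
    for fw, tunnel_list in tunnels.items():
        for t in tunnel_list:
            other = next(p for p in tunnels[t["peer"]] if p["peer"] == fw)
            if set(t["local"]) != set(other["remote"]) or set(t["remote"]) != set(other["local"]):
                return False
    return True


def advertised_networks(tunnels):
    """Every subnet that appears in any selector, i.e. what the peers get to see."""
    return {n for tl in tunnels.values() for t in tl for n in t["local"] + t["remote"]}


def translate_dst(dst, nat_net, real_net):
    """1:1 NAT on R2: a destination inside the NAT subnet maps to the host with the
    same offset in the real subnet; anything else (e.g. R3 traffic) passes unchanged."""
    dst = ip_address(dst)
    if dst not in nat_net:
        return dst
    if nat_net.prefixlen != real_net.prefixlen:
        raise ValueError("1:1 NAT needs subnets of equal size")
    offset = int(dst) - int(nat_net.network_address)
    return ip_address(int(real_net.network_address) + offset)
```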

  • Hi Kerobra,

    Thank you for your reply.

    R3 is a new customer and I don't want to expose any of my company's subnets to this new customer; I just want to route traffic through our firewall. A VPN between the customers isn't viable at the moment. I want to create a new subnet or /32 address on R2 in order to get the VPN connected. Does that make sense?

    I won't be using this new subnet for anything else. Will traffic be able to route?