
Configure VPN IPsec site-to-site HQ-BO: one XG with modem (router mode) and a second XG with modem (bridge mode)

Hi all,

I have this topology (look at the picture please), and I need to configure a VPN IPsec site-to-site between HQ and BO.

The HQ XG is connected to ADSL in bridge mode, but the BO XG is connected to a Fiber ONT (router mode).

The two sites already have static public IPs.

What is the best way to configure this IPsec VPN correctly?

Thanks



  • Hi Fotit,

    Thank you for reaching out to Sophos Community.

    Since both sites have public IP addresses, kindly try to configure it as a normal IPsec VPN site-to-site.

    docs.sophos.com/.../index.html

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hi Erick,

    As always, the Sophos documentation is much less explicit; there is still a lot to do!!

    The link you gave me is not compatible with my topology; it does not deal with the case of a firewall behind a NAT router.

    It's weird all the same, for a simple topology, that I've been looking for a few days without an answer.

    No problem to build the VPN IPsec on the HO firewall; it's behind a bridge device, so its listening interface is the WAN interface with a fixed public IP.

    But on BO, there's a FW which is connected to a third-party device (Router-NAT) with an Ethernet cable, and its WAN port has a fixed static private IP.

    The ONT (Router-NAT) has a WAN interface with a fixed public IP, and it also does NATing.

    So by default, when you configure VPN IPsec on Sophos, it selects the WAN port with the private IP.

    What remote gateway to select on HO? The WAN port of the HG ONT or the WAN port of the BO FW?

    In some articles, they talk about configuring port mapping on the third-party NAT device and allowing UDP ports 4500, 500 and IP 50 from the WAN port of the NAT device to the WAN port of the BO Sophos, but it's still not working.

    Is it necessary to look at what value to put in Remote ID when configuring IPsec?...

  • Hello there,

    In the Sophos Firewall that has the public IP assigned to the WAN interface, you need to configure the public IP of the router that is in front of the Branch Sophos Firewall. In this router that is in front of the Sophos Firewall with the private IP on the WAN, you need to configure DNAT to pass the ports needed for IPsec, 500 and 4500, for the tunnel to be able to form between both firewalls.

    In the Branch Sophos Firewall, you need to configure the Gateway Address (Remote Gateway) with the public IP that the HO Sophos Firewall has.

    The most common issue you will face is that the third-party router where you need to do the DNAT might be incorrectly configured, but once you figure that out properly the tunnel should be able to establish.

    Note: Make sure that the Branch Sophos Firewall is the tunnel initiator.

    The documentation covers some general scenarios, but if you still have issues with the configuration I would recommend you to reach out to our SIS team, your Sales Engineer or Professional Services, so they can assist you with this.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi all, thank you EmmoSophos for your answer.

    See the logical topology and the main parameters configured.

    I think it is necessary to look at the value of Local ID Type and Remote ID Type in IPsec connections.

    Maybe the issue is here.

    What about these values?

    Other question: is NAT-T supported by IKEv1?

  • Hi all,

    I think my post was interesting and that this topology is classic and widespread everywhere,
    but for 5 days I have not been able to get any feedback from our friends on this forum.
    Is it complicated?
    Or should I switch to Palo Alto or Fortinet, which better handle this topology,
    knowing that the network concepts are the same?

    I know that NAT-T is enabled by default for IPsec connections and DNAT rules are created on the third-party modem.

    What did I forget?

  • Hello Fotit,

    You can try with different Hardware and vendors the issue would be the same.

    You can try setting a Local ID and Remote ID on both devices, I usually recommend a fake email such as 123@abc.com and 456@xyx.com and vice-versa on both sides.

    Your topology looks correct, just make sure that the NAT router is passing the traffic down to the Sophos Firewall with IP 192.168.100.20 and that this Firewall is initiating the connection.

    Regards,


    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
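To show why the two answers above (DNAT of UDP 500/4500 on the ONT, the branch as initiator, and explicit Local/Remote IDs) fit together, here is an added model of the RFC 3947 NAT-D check that IKE peers run, plus the ID comparison the HO side performs. It is example code written for this thread, not Sophos Firewall code; the addresses are constructed from documentation ranges and the 8-byte cookies are arbitrary test values.

```python
import hashlib
import ipaddress
import struct

# Constructed addresses modelling the thread's topology (documentation ranges, not real sites).
HO_PUBLIC_IP = "203.0.113.10"       # HO XG WAN: public IP, modem in bridge mode
BO_ONT_PUBLIC_IP = "198.51.100.20"  # BO ONT (router mode): public IP, performs NAT
BO_XG_WAN_IP = "192.168.100.20"     # BO XG WAN: private IP behind the ONT (from the thread)
IKE_PORT, NATT_PORT = 500, 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: SHA-1(CKY-I | CKY-R | IP | Port)."""
    return hashlib.sha1(cky_i + cky_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def peer_is_behind_nat(cky_i, cky_r, claimed_ip, seen_ip, port=IKE_PORT) -> bool:
    """The receiver hashes the source address it actually saw on the packet and compares it
    with the NAT-D hash the sender built from its own address; a mismatch means a NAT in between."""
    return nat_d_hash(cky_i, cky_r, claimed_ip, port) != nat_d_hash(cky_i, cky_r, seen_ip, port)


def negotiate(cky_i: bytes, cky_r: bytes) -> dict:
    """BO XG initiates, as the thread advises. HO sees the ONT's public source IP, so NAT is
    detected on the BO side and both peers float to UDP 4500 (NAT-T)."""
    bo_nat = peer_is_behind_nat(cky_i, cky_r, BO_XG_WAN_IP, BO_ONT_PUBLIC_IP)
    ho_nat = peer_is_behind_nat(cky_i, cky_r, HO_PUBLIC_IP, HO_PUBLIC_IP)
    port = NATT_PORT if (bo_nat or ho_nat) else IKE_PORT
    # With NAT-T, ESP is carried inside UDP 4500, so the ONT only needs UDP 500/4500 forwarded.
    dnat = [("udp", IKE_PORT, BO_XG_WAN_IP), ("udp", NATT_PORT, BO_XG_WAN_IP)] if bo_nat else []
    return {"bo_behind_nat": bo_nat, "ho_behind_nat": ho_nat, "port": port, "ont_dnat": dnat}


def id_check(bo_local_id: str, ho_expected_remote_id: str) -> bool:
    """HO accepts BO only if the ID BO sends equals the Remote ID HO is configured with."""
    return bo_local_id == ho_expected_remote_id


if __name__ == "__main__":
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    print(negotiate(cky_i, cky_r))
    # Default IDs are the WAN IPs: BO sends 192.168.100.20, HO expects the ONT public IP.
    print("default IDs match:", id_check(BO_XG_WAN_IP, BO_ONT_PUBLIC_IP))   # False
    # Explicit IDs (hypothetical e-mail style IDs, as recommended above) match regardless of NAT.
    print("explicit IDs match:", id_check("bo@example.test", "bo@example.test"))  # True
```

The first check explains the "remote gateway" confusion: HO must point at the ONT's public IP because that is the only source address it will ever see, while the default IP-based ID of the branch (its private WAN address) will never equal it, which is why fixed IDs on both sides make the match deterministic.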