
Site 2 Site VPN with multiple remotes having dynamic WAN IP addresses

Hello,

We have an XGS firewall at our HQ location, set up with several Site to Site VPN connections with remote XGS firewalls that have Static WAN IP addresses.

I also have one site2site set up with a remote location with a dynamic WAN ip address, and it's working well.

We are now getting ready to set up a couple more XGS107W firewalls at two more remote locations that have dynamic WAN IP addresses.

My question is this:

Can I just duplicate the current Site 2 Site VPN setup for the current remote site that has a dynamic WAN IP and specify their LAN subnets?

Or will the firewall here at our Headquarters get confused about that setup?

Any suggestions on the best way to proceed are greatly appreciated.

Thanks



  • Hi Randy,

    Thank you for reaching out to Sophos Community.

    I would suggest a manual setup of the new configuration to avoid unnecessary issues or conflicts of configuration. This will ensure you have no issues or conflicts with the current setup.

    However, if you push through the duplicate, kindly make sure to update all necessary parameters, such as the remote dynamic IP, LAN subnets, and the FW policy.

    Both options are okay, but make sure all necessary detail is considered before and after the implementation. 

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Just want to verify what you are saying here because I'm not quite sure what you mean by a manual configuration. I have set up all of the Site 2 Site VPN connections manually so far.. lol

    The Site 2 Site VPN connection with the remote site that has a dynamic WAN IP is set up using the suggestion in this post:

    how to configuration site to site vpn, Client having dynamic ip and client having mikrotik router

    This is the Head Office configuration for it: 

    If I duplicate this setup for each new remote site that has a dynamic WAN IP, how does the Head Office XG know which remote is contacting it, since the Remote Gateway is set to "*"? Does it just go by the remote subnet to know which site-to-site tunnel to bring up?

  • Hello there,

    If you use "*" Gateway Address, you would need to use the same PSK for all of the tunnels where the Gateway is "*"; otherwise, let's say you set PSK for Tunnel 1 as: mys3cur#k3y. You then try to set the following PSK for tunnel 2: my07h3rs3cur#k3y; once you save it, it’ll warn you that all of the tunnels using "*" will get overlapped with the Tunnel 2 PSK. 

    This is because there is no way for the Sophos Firewall to know from which tunnel the connection is coming.

    So either you can use the same PSK for all the tunnels using "*" or you can use Certificates.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
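    An added example (not code from this thread or from Sophos) that models the responder-side lookup described above: a static Remote Gateway matches exactly one tunnel, while every "*" tunnel is a candidate for a peer arriving from an unknown address, which is why those tunnels must share one PSK. It also lints a constructed HQ tunnel table for differing wildcard PSKs and overlapping remote subnets. All tunnel names, addresses and keys are constructed, and selecting a tunnel by the peer's proposed remote subnet after authentication is an assumption of the model, not something the thread confirms.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str
    remote_gateway: str        # static IPv4 literal, or "*" for a dynamic peer
    psk: str
    remote_subnets: tuple      # remote LAN subnets behind this peer

# Constructed HQ tunnel table for the example (not a real site's configuration).
HQ_TUNNELS = [
    Tunnel("branch-static", "203.0.113.10", "static-site-key", ("10.0.1.0/24",)),
    Tunnel("site-a", "*", "shared-wildcard-key", ("10.1.0.0/24",)),
    Tunnel("site-b", "*", "shared-wildcard-key", ("10.2.0.0/24",)),
    # Deliberately misconfigured: different PSK and a subnet that collides with site-a.
    Tunnel("site-c", "*", "another-key", ("10.1.0.0/24",)),
]

def candidate_tunnels(tunnels, peer_ip):
    """Tunnels the responder could match for an IKE peer arriving from peer_ip.
    A static gateway matches exactly; otherwise every "*" tunnel is a candidate,
    which is why they cannot be told apart by address and must share one PSK."""
    exact = [t for t in tunnels if t.remote_gateway == peer_ip]
    return exact or [t for t in tunnels if t.remote_gateway == "*"]

def select_by_subnet(candidates, proposed_subnet):
    """Model assumption, not confirmed by the thread: after authentication the
    remote subnet the peer proposes picks the tunnel. None if 0 or >1 match."""
    proposed = ip_network(proposed_subnet)
    hits = [t for t in candidates
            if any(ip_network(s).overlaps(proposed) for s in t.remote_subnets)]
    return hits[0] if len(hits) == 1 else None

def lint(tunnels):
    """Findings for "*" tunnels: differing PSKs (the firewall warns and overwrites
    them with the last one saved) and overlapping remote subnets (ambiguous selection)."""
    findings = []
    wild = [t for t in tunnels if t.remote_gateway == "*"]
    if len({t.psk for t in wild}) > 1:
        findings.append("wildcard tunnels do not share one PSK: " + ", ".join(t.name for t in wild))
    for i, a in enumerate(wild):
        for b in wild[i + 1:]:
            for sa in a.remote_subnets:
                for sb in b.remote_subnets:
                    if ip_network(sa).overlaps(ip_network(sb)):
                        findings.append(f"{a.name} and {b.name} overlap: {sa} vs {sb}")
    return findings
```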
  • Thank you, I already know they all need the same PSK.

    I guess what I'm asking is:

    Will I have issues if I have a Site 2 Site tunnel set up for Site A using "*" as the gateway with remote network subnet A, and then I create another Site 2 Site tunnel for Site B using "*" as the gateway with remote network subnet B, and then one more for Site C using "*" as the gateway with remote network subnet C?

    How does the Head Office firewall know which remote site is connecting to which tunnel configuration when Sites A, B and C are using dynamic WAN addresses with a gateway of "*"?

    Does it go off of the remote network subnet each site 2 site configuration is using?