Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec tunnel interface for same interface WAN and remote adress 0.0.0.0

Hello,

Is there a way to configure a VPN tunnel interface scenario, using the same WAN interface to receive the connection from remote points?

In this case, I have only 1 internet link on site A with a fixed IP, and I have several remote branches with internet links with dynamic IP, so I would like to use SD in the branches, to control VPN traffic based on criteria defined in the SDWAN profile (latency, jitter).

However, I came across the following problem: do I need to have only 1 tunnel interface on site A to receive the connection from all branches? Or do I need to have 1 tunnel for each branch? as the remote IPs are dynamic, I cannot set them in the site A tunnel and as I only have 1 internet link in the head office, I cannot create more than 1 tunnel, as it conflicts with the existing tunnel!

Using only 1 tunnel at site A, when the primary VPN at the remote branch goes down, the tunnel interface at site A goes into "down" mode, and this drops communication



This thread was automatically locked due to age.
Parents
  • Short answer: you need a tunnel for each branch connecting to site A. In older firmware versions you need to have the same PSK if you use * as the peer IP-address, in newer versions you can still configure different PSK for different sites.

    As for the multiple connections coming from the same site (ISP1, ISP2) you can use SDWAN rules in the branch offices to select either ISP1 or ISP2, in Site A I think you could still get away with just 1 tunnel for each branch office, altough if these branch offices had 2 fixed IP's you would need 2 tunnels, one for each fixed IP.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Reply
  • Short answer: you need a tunnel for each branch connecting to site A. In older firmware versions you need to have the same PSK if you use * as the peer IP-address, in newer versions you can still configure different PSK for different sites.

    As for the multiple connections coming from the same site (ISP1, ISP2) you can use SDWAN rules in the branch offices to select either ISP1 or ISP2, in Site A I think you could still get away with just 1 tunnel for each branch office, altough if these branch offices had 2 fixed IP's you would need 2 tunnels, one for each fixed IP.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

Children
No Data