IPSec tunnel interface for same interface WAN and remote address 0.0.0.0

Hello,

Is there a way to configure a VPN tunnel interface scenario, using the same WAN interface to receive the connection from remote points?

In this case, I have only 1 internet link on site A with a fixed IP, and I have several remote branches with internet links with dynamic IP, so I would like to use SD in the branches, to control VPN traffic based on criteria defined in the SDWAN profile (latency, jitter).

However, I came across the following problem: do I need to have only 1 tunnel interface on site A to receive the connection from all branches? Or do I need to have 1 tunnel for each branch? As the remote IPs are dynamic, I cannot set them in the site A tunnel, and as I only have 1 internet link in the head office, I cannot create more than 1 tunnel, as it conflicts with the existing tunnel!

Using only 1 tunnel at site A, when the primary VPN at the remote branch goes down, the tunnel interface at site A goes into "down" mode, and this drops communication.



[edited by: Erick Jan at 12:38 AM (GMT -7) on 22 Apr 2024]
  • Hello!

    Two route-based tunnels in Site A from each remote site with two ISPs.

    Ok, but in my case, I have only 1 ISP with a fixed IP on site A, and I need to use this same interface to connect the VPN with all remote tunnels. I even managed to create more than one tunnel on the same interface with remote address 0.0.0.0, but this seems inconsistent to me, because sometimes I can create it, sometimes it gives me an interface error and a duplicate remote IP.

    My device is an XGS2300 in version SFOS 19.5.4 MR-4-Build718.

    My main problem is, having only 1 fixed IP on site A and several remote firewalls without a fixed IP.

  • Ok, two rbvpn tunnels with remote gw=0.0.0.0 is not allowed as it fails the duplicate check of local and remote gateways.

    Having a single ISP on site A does not limit creating two rbvpn tunnels from each of the far-end sites, provided dynamic DNS for the Branch Office dynamic IP is available.

    BO<dynamic ISP-B>-----------<fixed ISP-A>HO

         <dynamic ISP-C>------------

    On HO, your 1st rbvpn tunnel towards BO will have local gw=ISP-A, remote gw=dynamicIP of ISP-B, 

    2nd rbvpn tunnel towards BO will have local gw=ISP-A, remote gw=dynamicIP of ISP-C;

    Since the dynamic IP of ISP-B or ISP-C are changing in nature, you would have to go with dynamic DNS FQDNs for ISP-B and ISP-C that can respectively be used for the remote gw on HO, so that the tunnel combination (local gw and remote gw on HO) is unique for each tunnel even though there is only 1 ISP with a fixed IP on Site-A.
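To make the duplicate-gateway rule above concrete, here is a small planning check (added example, not part of the thread and not Sophos code): it lays out one HO route-based tunnel per branch WAN link and flags any two tunnels that share the same (local gw, remote gw) pair, which is exactly what happens when more than one link has to fall back to 0.0.0.0. The HO IP and DDNS hostnames are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

ANY_PEER = "0.0.0.0"  # "any remote gateway": the only option for a dynamic IP without DDNS


@dataclass
class BranchLink:
    branch: str
    isp: str
    ddns_fqdn: Optional[str] = None  # None = dynamic IP with no DDNS name


@dataclass
class Tunnel:
    name: str
    local_gw: str
    remote_gw: str


def plan_ho_tunnels(ho_wan_ip: str, links: list[BranchLink]) -> list[Tunnel]:
    """One route-based tunnel on the head office per branch WAN link.
    A link without a DDNS name can only be addressed as 0.0.0.0 (any peer)."""
    return [Tunnel(f"{l.branch}-{l.isp}", ho_wan_ip, l.ddns_fqdn or ANY_PEER) for l in links]


def duplicate_gateway_conflicts(tunnels: list[Tunnel]) -> list[tuple[str, str]]:
    """Model the duplicate check: the (local gw, remote gw) pair must be unique.
    Returns (existing tunnel, colliding tunnel) name pairs."""
    seen: dict[tuple[str, str], str] = {}
    conflicts: list[tuple[str, str]] = []
    for t in tunnels:
        key = (t.local_gw, t.remote_gw)
        if key in seen:
            conflicts.append((seen[key], t.name))
        else:
            seen[key] = t.name
    return conflicts


# Constructed sample: HO with one fixed WAN IP, one branch with two dynamic-IP ISPs.
HO_IP = "203.0.113.10"  # documentation address, constructed
NO_DDNS = [BranchLink("BO1", "ISP-B"), BranchLink("BO1", "ISP-C")]
WITH_DDNS = [BranchLink("BO1", "ISP-B", "bo1-ispb.ddns.example.net"),
             BranchLink("BO1", "ISP-C", "bo1-ispc.ddns.example.net")]

if __name__ == "__main__":
    # Without DDNS both tunnels become (HO_IP, 0.0.0.0) and collide; with DDNS each pair is unique.
    print(duplicate_gateway_conflicts(plan_ho_tunnels(HO_IP, NO_DDNS)))
    print(duplicate_gateway_conflicts(plan_ho_tunnels(HO_IP, WITH_DDNS)))
```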

  • Bad news, but I already suspected it.

    I also noticed that Sophos does not allow customizing a DDNS provider, in this case, we are an ISP and we have our own server that we could use as a DDNS server, but unfortunately Sophos does not even give us that as a resource.

  • There are other options for free or just a small rate like Cloudflare or setting up a docker host to some other DDNS service so in VPN you can use the hostname.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT-security and feeling well helping others with their IT-security challenges.