
IPSec tunnel interface for same interface WAN and remote address


Is there a way to configure a VPN tunnel interface scenario, using the same WAN interface to receive the connection from remote points?

In this case, I have only 1 internet link on site A with a fixed IP, and I have several remote branches with internet links with dynamic IP, so I would like to use SD in the branches, to control VPN traffic based on criteria defined in the SDWAN profile (latency, jitter).

However, I came across the following problem: do I need to have only 1 tunnel interface on site A to receive the connection from all branches? Or do I need to have 1 tunnel for each branch? As the remote IPs are dynamic, I cannot set them in the site A tunnel, and as I only have 1 internet link in the head office, I cannot create more than 1 tunnel, as it conflicts with the existing tunnel!

Using only 1 tunnel at site A, when the primary VPN at the remote branch goes down, the tunnel interface at site A goes into "down" mode, and this drops communication.

Edited TAGs
[edited by: Erick Jan at 12:38 AM (GMT -7) on 22 Apr 2024]
  • You need two route based tunnels on Site A from each remote site having two ISPs.

    Use v20 on SFOS, which supports the * notation for the remote gateway on the Responder node for route-based tunnels; use IKEv2 along with the ID field (either LocalID or RemoteID, or both). If you are prior to v20.GA, you can still try using for the remote gateway on the Responder node along with LocalID/RemoteID, but we suggest going with v20.0.GA.

  • Hello!

    Two route-based tunnels in Site A from each remote site with two ISPs.

    Ok, but in my case, I have only 1 ISP with a fixed IP on site A, and I need to use this same interface to connect the VPN with all remote tunnels. I even managed to create more than one tunnel on the same interface with remote address, but this seems inconsistent to me, because sometimes I can create it, sometimes it gives me an interface error and a duplicate remote IP.

    My device is an XGS2300 in version SFOS 19.5.4 MR-4-Build718.

    My main problem is, having only 1 fixed IP on site A and several remote firewalls without a fixed IP.

  • Ok, two rbvpn tunnels with remote gw= are not allowed, as they fail the duplicate check of local and remote gateways.

    Having a single ISP on site A does not limit creating two rbvpn tunnels from each of the far-end sites, provided dynamic DNS for the Branch Office dynamic IP is available.

    BO<dynamic ISP-B>-----------<fixed ISP-A>HO

         <dynamic ISP-C>------------

    On HO, your 1st rbvpn tunnel towards BO will have local gw=ISP-A, remote gw=dynamic IP of ISP-B;

    2nd rbvpn tunnel towards BO will have local gw=ISP-A, remote gw=dynamic IP of ISP-C.

    Since the dynamic IPs of ISP-B and ISP-C are changing in nature, you would have to go with dynamic DNS FQDNs for ISP-B and ISP-C that can be respectively used for the remote gw on HO, so that the tunnel combination (local gw and remote gw on HO) is unique for each tunnel even though there is only 1 ISP with a fixed IP on Site-A.
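    The following is an added illustration, not Sophos code and not posted by anyone in the thread, of the two rules the replies above describe: the hub's duplicate check on the (local gw, remote gw) pair, and responder-side peer selection either by resolved DDNS name (the pre-v20 approach) or by wildcard remote gateway plus IKEv2 ID (the v20 approach). All FQDNs, addresses and IDs are constructed placeholders, and the DNS table stands in for whatever a DDNS provider would answer.

```python
"""Model of rbvpn tunnel uniqueness on a hub with one fixed-IP WAN, plus
responder-side peer matching. Constructed example; not firewall code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Tunnel:
    name: str
    local_gw: str                    # hub WAN address (fixed IP of ISP-A)
    remote_gw: str                   # peer IP, DDNS FQDN, or "*" (wildcard responder)
    remote_id: Optional[str] = None  # IKEv2 peer ID that tells wildcard peers apart

# Constructed DNS answers standing in for a DDNS provider.
CONSTRUCTED_DNS: Dict[str, str] = {
    "bo1-ispb.ddns.example": "198.51.100.10",
    "bo1-ispc.ddns.example": "203.0.113.20",
}

def resolve(gw: str, dns: Dict[str, str]) -> str:
    """Address a gateway name currently maps to; '*' and literal IPs pass through."""
    return dns.get(gw, gw)

def duplicate_check(tunnels: List[Tunnel], dns: Dict[str, str] = CONSTRUCTED_DNS) -> List[str]:
    """Return the collisions the hub would reject.

    Two tunnels may not share the same (local gw, resolved remote gw) pair.
    Wildcard tunnels share that pair by construction, so they are only
    distinguishable if every one of them carries a distinct remote_id."""
    problems: List[str] = []
    wildcards = [t for t in tunnels if t.remote_gw == "*"]
    if len(wildcards) > 1:
        for t in wildcards:
            if t.remote_id is None:
                problems.append(f"{t.name}: wildcard remote gw needs a RemoteID")
    seen: Dict[Tuple[str, str, Optional[str]], Tunnel] = {}
    for t in tunnels:
        key = (t.local_gw, resolve(t.remote_gw, dns),
               t.remote_id if t.remote_gw == "*" else None)
        if key in seen:
            problems.append(f"{t.name} duplicates {seen[key].name}: "
                            f"local={key[0]} remote={key[1]}")
        else:
            seen[key] = t
    return problems

def select_tunnel(tunnels: List[Tunnel], peer_ip: str, peer_id: Optional[str],
                  dns: Dict[str, str] = CONSTRUCTED_DNS) -> Optional[str]:
    """Responder-side choice for an incoming IKE peer.

    A tunnel whose remote gw resolves to the peer address wins outright;
    otherwise a wildcard tunnel is chosen by matching the peer's IKEv2 ID.
    Returns the tunnel name, or None when no tunnel fits."""
    for t in tunnels:
        if t.remote_gw != "*" and resolve(t.remote_gw, dns) == peer_ip:
            return t.name
    for t in tunnels:
        if t.remote_gw == "*" and (t.remote_id is None or t.remote_id == peer_id):
            return t.name
    return None

if __name__ == "__main__":
    hub = "192.0.2.1"
    pre_v20 = [Tunnel("to-bo1-ispb", hub, "bo1-ispb.ddns.example"),
               Tunnel("to-bo1-ispc", hub, "bo1-ispc.ddns.example")]
    v20 = [Tunnel("bo1-b", hub, "*", "bo1-ispb"), Tunnel("bo1-c", hub, "*", "bo1-ispc")]
    print("pre-v20 collisions:", duplicate_check(pre_v20))
    print("v20 collisions:", duplicate_check(v20))
    print("peer 203.0.113.20 ->", select_tunnel(v20, "203.0.113.20", "bo1-ispc"))
```

    The DDNS case is what makes the pre-v20 variant work at all: when a branch's ISP-B address changes, the hub re-resolves the FQDN and the same tunnel object keeps matching the new address, which is the behaviour the `dns` parameter lets you simulate. The wildcard variant drops the DNS dependency but then needs the ID filter, because two `*` tunnels behind one fixed IP are otherwise indistinguishable.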

  • Bad news, but I already suspected it.

    I also noticed that Sophos does not allow customizing a DDNS provider, in this case, we are an ISP and we have our own server that we could use as a DDNS server, but unfortunately Sophos does not even give us that as a resource.

  • There are other options, free or for a small fee, like Cloudflare, or setting up a docker host for some other DDNS service, so in the VPN you can use the hostname.

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
