This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Bypassing some of the IPSec traffic

Hi there,

i currently have several IPSec site-to-site connections running on my Sophos UTM.

Recently we received the request to add many more and I do not want the UTM do all the work.

So my idea was that I could assign an additional IP address to my WAN interface and have all the new IPSec connections targeted on that new address.

Then, on the UTM I create a NAT rule to forward all IPSec-like traffic to a separate box which then takes care of the IPSec stuff for these new connections.

 

Unfortunately, this does not work. Packets to port 500 sent to the newly created address do not arrive at their target.

Could this be by design? Or is that supposed to work?

 

Best

Thomas



This thread was automatically locked due to age.
  • Hallo Thomas,

    In fact, IPsec does not play well with NAT.  Depending on the IPsec implementation, there might be an easy fix for this.

    If the "separate box" is also a UTM and you're using PSKs, insert the public additional IP in the 'Preshared Key Settings' box on the 'Advanced' tab.  You will need an SNAT for tunnels initiated by the "separate box."

    The alternative would be for the external endpoints to have the equivalent of "Respond only" Remote Gateways and have the "separate box" initiate all tunnels.   If you want to make that traffic leave with the desired IP you will also need an SNAT on the UTM, but that isn't necessary when the "separate box" initiates all tunnels.

    Please let us know what you do.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Perhaps you can also create a bridged port on the current UTM where you bridge your internet facing NIC with an unused one. Then you can directly connect the external facing second firewall to this bridged port and just setup it's own public IP, point to the same gateway as your current UTM is pointing to and of course don't forget to remove the additional address from the first UTM.

    I think you don't need any NAT rules in this scenario, but it does require a free interface on the first UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.