Bypassing some of the IPSec traffic

Question

Hi there, 
 i currently have several IPSec site-to-site connections running on my Sophos UTM. 
 Recently we received the request to add many more and I do not want the UTM do all the work. 
 So my idea was that I could assign an additional IP address to my WAN interface and have all the new IPSec connections targeted on that new address. 
 Then, on the UTM I create a NAT rule to forward all IPSec-like traffic to a separate box which then takes care of the IPSec stuff for these new connections. 
 
 Unfortunately, this does not work. Packets to port 500 sent to the newly created address do not arrive at their target. 
 Could this be by design? Or is that supposed to work? 
 
 Best 
 Thomas

apijnappels · Answer

Perhaps you can also create a bridged port on the current UTM where you bridge your internet facing NIC with an unused one. Then you can directly connect the external facing second firewall to this bridged port and just setup it's own public IP, point to the same gateway as your current UTM is pointing to and of course don't forget to remove the additional address from the first UTM. 
 I think you don't need any NAT rules in this scenario, but it does require a free interface on the first UTM.