Bypassing some of the IPSec traffic

Hi there,

I currently have several IPSec site-to-site connections running on my Sophos UTM.

Recently we received the request to add many more and I do not want the UTM to do all the work.

So my idea was that I could assign an additional IP address to my WAN interface and have all the new IPSec connections targeted on that new address.

Then, on the UTM I create a NAT rule to forward all IPSec-like traffic to a separate box which then takes care of the IPSec stuff for these new connections.

Unfortunately, this does not work. Packets to port 500 sent to the newly created address do not arrive at their target.

Could this be by design? Or is that supposed to work?

Best

Thomas

  • Perhaps you can also create a bridged port on the current UTM where you bridge your internet-facing NIC with an unused one. Then you can directly connect the external-facing second firewall to this bridged port and just set up its own public IP, point it to the same gateway as your current UTM is pointing to and, of course, don't forget to remove the additional address from the first UTM.

    I think you don't need any NAT rules in this scenario, but it does require a free interface on the first UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and glad to help others with their IT-security challenges.
