Sophos UTM - IPv4/IPv6 Issue - IPSec

Hi guys,

I have searched myself silly and don't get anywhere, so I come before you.


A little preface:

We are a small group of companies (headquarter/main company and 2 daughter companies/branches). There are 2 IPSec Site-2-Site tunnels established between the two branches and the headquarter (we, the HQ, are on respond since the branches don't have static IPs yet) - they work on a RDS/Terminalserver in our infrastructure.

We have just the worst WAN connection (Vodafone cable) - atrocious. It's on and off again - major disruptions etc. We are so remote that we don't have any alternatives like fiber (the DSL connection is solely for our VPN connection to the hosted cloud VoIP PBX of Deutsche Telekom), so we are stuck with Vodafone. It wasn't always as bad as now, but I have to provide redundancies now since 3 companies are affected.

I asked our mobile provider for a data plan and they can offer me a LTE data plan with a static, public IPv6 address. According to the sales rep I spoke to, it will allow incoming connections as well, but I need to verify with one of their technicians directly - let's assume it is.


I planned something like this:


I really don't want to establish a full blown IPv6 network in parallel to the IPv4. I saw here and there some blog posts and comments on the net (and Sophos forum) explaining the translation of IPv6 traffic to IPv4 and vice versa.

How would I realise that on the UTM? With a DNAT rule?

I'm eternally grateful for any input.

Thanks!

  • Hallo and welcome to the UTM Community!

    I'm not familiar with the Mikrotik - can it do IPv6-to-IPv4?  Do you have UTMs in the branches, or are these other brands?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob!

    Thanks for the reply - almost lost hope :)


    Sorry, should have been more clear on that:


    Main office: SG135 UTM

    Branch1: SG125 UTM

    Branch2: SG115 UTM


    The Mikrotik antenna has the so-called "routerOS", but I activated the passthrough mode (similar to the bridge mode on a router), so the Mikrotik only uses the built-in LTE modem to forward the public IP - this has been tested and confirmed by me.


    Thanks and best regards


    Constantin

  • I haven't done this, Constantin, but if the only traffic between the UTMs is IPsec, I don't think you need to do anything with NAT or worry about the IPv4<-->6 conversion.  It sounds like you will want to have an IPv4 tunnel and an IPv6 tunnel between the branches and the main office.  Since I'm a mod, I can see the IP from which you post, so I know you'll have no problem following Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE).  Even then, since the document has lots of pictures and WebAdmin is in English, I've recommended it to many that don't speak German.

    Cheers - Bob

  • Hi Bob,

    thanks for the suggestion. I don't really want a failover for the IPSec connection, but rather an alternative when (not if :)) the Vodafone connection breaks down again. That LTE data plan of our mobile provider (also Deutsche Telekom) is free of charge until I decide to use it. If Vodafone breaks down again, I would call Deutsche Telekom and activate a so-called "Dayflat Unlimited" on that SIM card, giving us unlimited traffic for 24 hours. I would then turn on the IPv6 interface in WebAdmin, establish the IPSec tunnel through the public IPv6 provided by the Mikrotik antenna and they could continue to work.

    Writing this, I realise now that I simply could just deploy this IPSec failover anyway - the data plan will not cause any cost in its dormant state.

    Just asking again - no need for IPv6-IPv4 translation whatsoever?

    Thanks and best regards,

    Constantin

  • I don't think IPv6<-->4 translation is needed, Constantin, but I would be interested in learning what your test shows.

    Cheers - Bob

  • Hi Bob,

    sure, no problem. I will post my results here - I just hate it if people ask stuff in the forums and never follow up on their discoveries to enlighten all the people (like you) involved. Friday I will drive to Branch1 and put their Zyxel Speedlink 5501 in bridge mode (I ordered a static IP a few minutes ago).

    The problems I described above seem trivial now, since I have been told this morning that the data plan with static IPv6 that "Deutsche Telekom" offered me is not able to activate the "DayFlat Unlimited" for unlimited traffic. The plan has "higher levels", but they only provide 15GB + 5GB, which is definitely not enough for us, since that crappy Vodafone connection sometimes goes offline for several DAYS, if you can believe it.

    My last option now is a big phone plan with unlimited traffic, so it wouldn't be necessary to activate DayFlat Unlimited, and then put the static IPv6 on that plan. It's expensive, but I will suggest to the boss that we split it 3 ways, since the whole group is using it, more or less.


    Best regards,

    Constantin
