In our HQ there's an SG behind a FritzBox router. In the FritzBox there's an Exposed Host configured. At the customer site there's an SG behind a FritzBox. There's also an Exposed Host configured.

HQ SG (Respond only): LAN: 172.17.10.0, WAN: 10.10.0.2
HQ FritzBox: LAN: 10.10.0.1, WAN: 188.8.131.52
Customer FritzBox: LAN: 192.168.2.1, WAN: 184.108.40.206
Customer SG (Initiate): LAN: 192.168.10.0, WAN: 192.168.2.2

At another customer without a FritzBox it's possible to get a tunnel, but with two FritzBoxes it won't work.
Do you have any ideas how I can get this to work?
Hi Christoph Klahn,
Thank you for reaching out to Sophos Community.
You just need forwarding rules for UDP ports 500 and 4500 on the FritzBox router at each end, and then set up IPsec on the UTM.
Refer to the article below to configure a Site to Site IPsec tunnel.
Hi Yash, thanks for your reply. Above I mentioned that I've forwarded all ports (Exposed Host) in the FritzBox, but this won't work. I will try NAT-T and give feedback.
Greets
Christoph
So, NAT-T wasn't it. Any further ideas?
Let's take a look at the logs:
1. Confirm that Debug is not enabled.
2. Disable the IPsec Connection.
3. Start the IPsec Live Log and wait for it to begin to populate.
4. Enable the IPsec Connection.
5. Copy here about 60 lines from enabling through the error.
Cheers - Bob
Try to configure one location as "Listen" rather than "Connect".
On some installations I've seen: with both locations on "Initiate" the connection looks for port 500 as SRC and DST. However, the NAT router changes the source port. Also found in the IPsec protocol.
Sophos Solution Partner since 2003 If a post solves your question click the 'Verify Answer' link.
Hi Bob, here's the log from the site which initiates the connection:
What MTU do you have on each Interface involved in the VPN, Christoph?
Hi Bob, on both external interfaces (Ethernet) of the SGs I have an MTU of 1500.
What happens if you set the Interfaces' MTUs to 1450, Christoph? (This is just a guess on my part.)
I just noticed that the initiator failed just after initiating Quick Mode, so I think the issue is with the VPN ID. Please show us pictures of the Edit of the IPsec Connection and the 'Preshared Key Settings' on the 'Advanced' tab for both UTMs.
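As an added illustration (not code from this thread, from Sophos, or from any of the posters), the reading Bob does by eye above can be done programmatically: walk the IKE daemon's log, note the last negotiation milestone reached (Main Mode, ISAKMP SA, Quick Mode, IPsec SA), the NAT-T detection result, and the first error line, and map that to the next thing to check. The sample log lines are constructed in the style of the UTM's pluto messages, and the milestone and error marker strings are assumptions about that format rather than anything taken from the poster's actual log.

```python
import re

# Constructed sample log in the style of the UTM's IKE daemon (pluto).
# These lines are illustrative only; they are not the log the poster was asked to paste.
SAMPLE_LOG = """\
pluto[4711]: "S_REF_HQ_0" #1: initiating Main Mode
pluto[4711]: "S_REF_HQ_0" #1: received Vendor ID payload [RFC 3947]
pluto[4711]: "S_REF_HQ_0" #1: NAT-Traversal: Result using RFC 3947: both are NATed
pluto[4711]: "S_REF_HQ_0" #1: STATE_MAIN_I4: ISAKMP SA established
pluto[4711]: "S_REF_HQ_0" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
pluto[4711]: "S_REF_HQ_0" #1: ignoring informational payload, type INVALID_ID_INFORMATION
pluto[4711]: "S_REF_HQ_0" #2: max number of retransmissions (2) reached STATE_QUICK_I1
"""

# Milestones of an IKEv1 negotiation in the order they must occur (assumed marker strings).
MILESTONES = [
    ("main_mode_started", "initiating Main Mode"),
    ("phase1_established", "ISAKMP SA established"),
    ("quick_mode_started", "initiating Quick Mode"),
    ("phase2_established", "IPsec SA established"),
]

# Fragments that indicate the negotiation hit a problem (assumed marker strings).
ERROR_MARKERS = (
    "INVALID_ID_INFORMATION",
    "NO_PROPOSAL_CHOSEN",
    "INVALID_KEY_INFORMATION",
    "max number of retransmissions",
    "malformed payload",
)

NAT_RE = re.compile(r"NAT-Traversal: Result using RFC 3947: (.+)$")
CONN_RE = re.compile(r'"([^"]+)"')


def analyze_ipsec_log(text):
    """Summarise how far an IKEv1 negotiation got and where it first went wrong."""
    summary = {"connection": None, "phase_reached": None, "nat_status": None,
               "first_error": None, "retransmissions": 0}
    reached = -1
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m and summary["connection"] is None:
            summary["connection"] = m.group(1)  # the connection name pluto quotes
        for idx, (name, marker) in enumerate(MILESTONES):
            if marker in line and idx > reached:
                reached = idx
                summary["phase_reached"] = name
        m = NAT_RE.search(line)
        if m:
            summary["nat_status"] = m.group(1).strip()  # e.g. "both are NATed"
        if "retransmitting" in line:
            summary["retransmissions"] += 1
        if summary["first_error"] is None and any(e in line for e in ERROR_MARKERS):
            summary["first_error"] = line.strip()
    return summary


def suggest_next_check(summary):
    """Map the summary to the next thing to verify, following the thread's own checklist."""
    phase = summary["phase_reached"]
    if phase is None:
        return ("Connection never started: check that the IPsec connection is enabled "
                "and that the remote gateway address is correct.")
    if phase == "main_mode_started":
        hint = ("No Phase 1: the peer is not reachable on UDP 500/4500 (check the FritzBox "
                "forwarding / Exposed Host at both ends) or the PSK / IKE proposal does not match.")
        if summary["nat_status"] is None:
            hint += " NAT-T was never negotiated, so the RFC 3947 vendor ID did not get through."
        return hint
    if phase in ("phase1_established", "quick_mode_started"):
        hint = ("Phase 1 is fine; the failure is in Quick Mode (Phase 2): compare the VPN IDs, "
                "the local/remote networks and the IPsec policy on both UTMs.")
        if summary["first_error"] and "INVALID_ID_INFORMATION" in summary["first_error"]:
            hint += " The peer rejected the identities, so start with the VPN ID on the Advanced tab."
        return hint
    return "Tunnel negotiated; if traffic still fails, look at MTU / fragmentation and firewall rules."


if __name__ == "__main__":
    s = analyze_ipsec_log(SAMPLE_LOG)
    for k, v in s.items():
        print(f"{k}: {v}")
    print(suggest_next_check(s))
```

Run it against the 60 or so lines Bob asked for instead of the constructed sample; the point is that a failure after "initiating Quick Mode" with Phase 1 already established points at the Phase 2 parameters (VPN IDs, networks, policy), not at port forwarding, which is the distinction Bob draws above.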
Here are the screenshots from the HQ site:
And here from the branch site: