
Allowing IPSec Site-To-Site on Additional address

I have found this to be a common question with regards to setting up the Site to Site VPN. I am using Sophos UTM v9.705-3 and I have not found an answer as to whether or not this is possible.  The scenario we have is this:

Main site (Site A) has dedicated Ethernet connection with WAN configured as: (Actual IPs not shown)

Layer 3 IP: 1.2.3.4

Layer 3 Subnet: x.x.x.x

WAN Gateway: 1.2.3.3

I have created Additional addresses which are the customer's usable LAN Block and these are tied to the WAN interface. (i.e. 2.2.2.1-2.2.2.6)

When I create the Site to Site remote gateway and use one of the IPs in the LAN usable range (i.e. 2.2.2.1) it does not connect. If I use the WAN Layer 3 IP of 1.2.3.4 it does. In a case where the remote site (Site B) needs an IP address for the main site it is connecting to I need to give them one of the customer's IPs in the LAN block to whitelist traffic. Also, Site A is initiating the connection and Site B is responding.

This scenario worked when the customer had internet service that included a router, but I am not sure how this is supposed to work with the dedicated Ethernet service they have now, which does not have a router.  Any help would be appreciated!



  • Hello John,

    Thank you for contacting the Sophos Community!

    Where does the IPsec terminate when your customer had the other router? 

    The way you are setting it up, I don't think it will work; you would need the L3 IP or Public IP to connect the tunnel.

    I am not sure what the other side is trying to say, but isn't it the Local Network you set in the UTM that they want to allow access to their network?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Thanks for responding. I called into support to have them look at this and he agreed that we should be able to initiate the connection from the main site using one of the public LAN IPs in this dedicated Ethernet scenario. It would seem as though it's a private IP, but it's just a point-to-point Ethernet and we are using the Sophos UTM to route traffic. What the customer on the remote site is expecting is that they see the traffic coming from one of the assigned public IPs and they whitelist this IP. The Sophos engineer remoted into our systems to look at what we had and ran some tests with PuTTY and saw that there was no response from the remote test site, therefore no connection using one of the other assignable static IPs. He is currently looking into this and I will update this forum with the outcome.

  • Hey John - welcome to the UTM Community!

    I'd need to see the IPsec logs from both sides, but I get the feeling that you're having an issue with NAT.

    If you want to pursue this further here, please supply the relevant log lines and a diagram with IPs (a hand-drawn picture is fine).  If you prefer, obfuscate IPs like 38.XX.YY.196, 10.X.Y.100, 192.168.X.200 and 172.2X.Y.51.  That lets us see immediately which IPs are local and which are identical or just in the same subnet.  Also pictures of the Edits of the IPsec Connection and Remote Gateway as well as the corresponding configuration on the other side.  If using a PSK, a pic of the 'Preshared Key Settings' on the 'Advanced' tab.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    Would it be easier if I could just let you log into both UTMs (Initiator and Responder) which I can load on my computer and let you look.  Since you are with Sophos and I already have someone in support getting back to me on Monday... this may be solvable beforehand. I had the support agent just 123 into my computer and had both UTMs loaded for him to look at.  I was also on the phone with him, which made it even easier to explain.  If you can PM me I can give you my contact info.

  • John, Sophos can't afford me.  MediaSoft has been a reseller of the UTM and its ASG predecessor for 17+ years.

    Cheers - Bob
    PS I tried to PM you to say hi, but, strangely, was greeted with "cannot message" - are you able to PM me?

  • Hahaha, I hear you.  I figured this out after I discovered the ISP gave me the wrong LAN gateway.  Had I known this in the beginning I would have had this working long ago.  I still think Sophos should add the ability to use the Additional Addresses that are tied to the WAN on a Site to Site Responder.  But for what I needed for this particular site I am there.  Thank you for your input and willingness to help, very professional of you Bob!
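The thread ends with the tunnel coming up once the correct WAN gateway was supplied. Before chasing NAT or IKE logs, it is worth sanity-checking the WAN layout itself: is the gateway actually on the transit subnet, do the additional (routed block) addresses stay clear of that transit subnet, and is the address you picked as the IKE local endpoint actually configured on the WAN interface? The following is an added example, not code from the thread or from Sophos; it uses the placeholder addresses from the original post (1.2.3.4, gateway 1.2.3.3, routed block 2.2.2.0/29) and assumes a /29 transit subnet, which the post does not state.

```python
"""Sanity-check a UTM-style WAN layout before debugging a site-to-site IPsec tunnel.

Added example, not part of the original thread. Addresses are the constructed
placeholders the poster used; the /29 transit prefix is an assumption.
"""
import ipaddress


def check_wan_layout(l3_ip, l3_prefixlen, gateway, additional, routed_block, ike_local):
    """Return a list of findings; an empty list means the layout is consistent.

    l3_ip / l3_prefixlen: the interface's own address on the transit link
    gateway:              the ISP next hop on that link
    additional:           secondary addresses bound to the WAN interface
    routed_block:         the customer block the ISP routes to the L3 IP
    ike_local:            the address the IPsec remote gateway is told to use
    """
    findings = []
    iface = ipaddress.ip_interface(f"{l3_ip}/{l3_prefixlen}")
    transit = iface.network
    gw = ipaddress.ip_address(gateway)
    block = ipaddress.ip_network(routed_block, strict=True)
    secondaries = {ipaddress.ip_address(a) for a in additional}

    # A next hop outside the transit subnet is unreachable without an extra
    # interface route; this is the "wrong LAN gateway" failure from the thread.
    if gw not in transit:
        findings.append(f"gateway {gw} is not inside transit subnet {transit}")
    elif gw == iface.ip:
        findings.append(f"gateway {gw} is the interface's own address")

    # The routed block must not overlap the transit link, or the UTM will
    # treat peer traffic as on-link and never forward it to the gateway.
    if block.overlaps(transit):
        findings.append(f"routed block {block} overlaps transit subnet {transit}")

    # Every additional address must be a usable host in the routed block
    # (network and broadcast addresses are not usable for IKE).
    usable = set(block.hosts())
    for addr in sorted(secondaries):
        if addr not in usable:
            findings.append(f"additional address {addr} is not a usable host in {block}")

    # The IKE local address must be something the interface actually owns.
    ike = ipaddress.ip_address(ike_local)
    if ike != iface.ip and ike not in secondaries:
        findings.append(f"IKE local address {ike} is not configured on the WAN interface")

    return findings


if __name__ == "__main__":
    # Constructed layout matching the post: correct gateway, one additional address.
    good = check_wan_layout("1.2.3.4", 29, "1.2.3.3",
                            ["2.2.2.1", "2.2.2.6"], "2.2.2.0/29", "2.2.2.1")
    print("good layout:", good or "no findings")
    # Same layout with a gateway off the transit link, as the ISP supplied in the thread.
    bad = check_wan_layout("1.2.3.4", 29, "9.9.9.1",
                           ["2.2.2.1"], "2.2.2.0/29", "2.2.2.1")
    print("bad gateway:", bad)
```

Run it with the real addresses before opening a ticket: a non-empty list points at a layout problem the IPsec logs will only show indirectly (no IKE_SA_INIT response at all, as the support engineer saw with PuTTY).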