
How to setup Site to Site IPSEC VPN When Both Sites is Behind NAT (Router FTTH)

Dear all,

I have two Sophos UTM units at two sites, both are currently behind NAT routers. Both sites have Static Public IPs, both sites use PPPOE to connect to the internet. The PPPOE in both cases is being handled by the NAT router rather than the UTM. 

I would like to connect up a site to site network via IPSec using these two UTMs. 

Everyone says you have to create a NAT, but I don't know the steps.


Forwarding:

Router NAT: 500 TCP/UDP, 5400 TCP/UDP

Any suggestions on how to solve this? If you need any additional info please do not hesitate to ask.



  • NB: in the experiment phase, we created a LAB in eve-ng -> VPN Site to Site is working

  • Hi,

    "Everyone says you have to create a NAT" ... that's correct

    ... but you have to create these NAT rules at the Provider Router. This device has to forward incoming Port 500 UDP and 4500 UDP to the WAN interface of the UTM behind it.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.
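
As an added example (not code from this thread or from Sophos), here is a small Python check of what the provider router actually delivers to the UTM's WAN interface, fed with constructed sample datagrams. It relies on the RFC 3948 layout: IKE carried on UDP 4500 is prefixed by a four-byte zero "non-ESP marker", UDP-encapsulated ESP starts with its non-zero SPI, and a single 0xFF byte is a NAT keepalive; if port 500 or 4500 is not forwarded, the corresponding stage is reported as missing.

```python
import struct

# IKEv2 header: SPIi, SPIr, next payload, version, exchange type, flags, msg id, length
IKEV2_HDR = struct.Struct("!QQBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE sent on UDP 4500
IKE_SA_INIT, IKE_AUTH = 34, 35          # IKEv2 exchange types


def build_ike(exchange_type: int, spi_r: int = 0) -> bytes:
    """Build a minimal 28-byte IKEv2 header (constructed for this example)."""
    return IKEV2_HDR.pack(0x1122334455667788, spi_r, 33, 0x20,
                          exchange_type, 0x08, 0, IKEV2_HDR.size)


def classify(dst_port: int, payload: bytes) -> str:
    """Name what a UDP datagram on the two IPsec ports is."""
    if dst_port == 500 and len(payload) >= IKEV2_HDR.size:
        return "ike"                       # plain IKE (IKE_SA_INIT before NAT is detected)
    if dst_port == 4500:
        if payload == b"\xff":
            return "nat-keepalive"         # keeps the router's UDP mapping alive
        if payload.startswith(NON_ESP_MARKER) and len(payload) >= IKEV2_HDR.size + 4:
            return "ike-natt"              # IKE moved to 4500 after NAT detection
        if len(payload) >= 8 and payload[:4] != NON_ESP_MARKER:
            return "esp-udp"               # ESP in UDP: non-zero SPI, then sequence number
    return "other"


def check_forwarding(packets):
    """Report which stages of an IPsec-behind-NAT exchange reached the UTM."""
    seen = {classify(port, data) for port, data in packets}
    report = {
        "ike_500": "ike" in seen,
        "ike_natt_4500": "ike-natt" in seen,
        "esp_4500": "esp-udp" in seen,
    }
    missing = []
    if not report["ike_500"]:
        missing.append("500/udp")          # router does not forward 500: IKE never starts
    if not (report["ike_natt_4500"] or report["esp_4500"]):
        missing.append("4500/udp")         # router does not forward 4500: stuck at IKE_AUTH
    report["missing"] = missing
    return report


# Constructed sample capture (dst port, UDP payload) of a healthy NAT-T exchange.
SAMPLE_PACKETS = [
    (500, build_ike(IKE_SA_INIT)),
    (4500, NON_ESP_MARKER + build_ike(IKE_AUTH, spi_r=0x99)),
    (4500, b"\x00\x00\x12\x34" + b"\x00\x00\x00\x01" + b"\x00" * 16),  # ESP SPI 0x1234, seq 1
    (4500, b"\xff"),
]

if __name__ == "__main__":
    print(check_forwarding(SAMPLE_PACKETS))
```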

  • Salut Ahlan Adil and welcome to the UTM Community!

    Assuming that neither UTM has a public IP on its external interface, the other thing you need to consider is the VPN ID.  Using pre-shared keys, make side A "Respond only" - that gives you VPN ID type: Any and VPN ID: Any there.  On side B, select "Initiate connection" and enter the public IP of side A's ISP's router as the VPN ID for 'VPN ID type: IP address'.  Does that work for you?

    Since these are both UTMs, the easiest would be to use an SSL VPN since, with it, you don't need to worry about a VPN ID.  I prefer to change the Protocol to UDP on the 'Settings' tab as that makes the connection faster.  I also recommend changing to 'Authentication algorithm: SHA2 256' on the 'Advanced' tab.

    Another option would be to use a RED tunnel instead of a VPN.

    Cheers - Bob

    NOTE: 2 days later: changed the wording in the first paragraph to make it clearer using A and B.  Added RED option.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA