s2s Ipsec using public ips?

Question

need to setup a site to site ipsec vpn with a partner company, they provided me the standard connection sheet but both the firewall endpoint and internal access are both public ips 
 Example 
 Customer 
 Firewall Address 147.118.246.5 (PUBLIC IP) 
 Internal Server Access : 147.118.246.50 port 666 (PUBLIC IP) 
 My Sophos UTM 9 
 Firewall address 200.10.10.5 (PUBLIC IP) 
 Internal Server Access : 10.10.10.50 port 666 (PRIVATE IP) 
 The partner is expecting me to provide a public ip as well for phase 2, what Ip should I provide? 
 How should I configure the tunnel ? 
 Any help will be apreciated 
 Thanks 
 Gaston

apijnappels · Accepted Answer

I hope I get the question now and maybe you have some help with this:147.118.246.5 
 The other party wants your system(s) to communicate over a VPN-connection to 147.118.246.50. You can reach that through a VPN-tunnel with their endpoint at 147.118.246.5 
 So you can create a remote IPSec gateway with IP 147.118.246.5 and remote network 147.118.246.50. then in setting up the connection you use your external WAN connection as the local interface for creating the tunnel (200.10.10.5). In your local network(s) you could simply enter 10.10.10.50 (as that is the local server at your side that needs to communicate with remote side). Then that's also what they need to enter at their side as their remote network (that's your local network). 
 However if for some reason they cannot handle 10.10.10.50, then you must supply something else (and also configure that something else in you own local network(s) setting). If that something else has to be a public address (again, I really don't know why), then you must either own additional public addresses or make some up. In the first place, if you own a subnet including more than just 200.10.10.5 then you could assign ie. 200.10.10.6 and have this configured as your local network. Be sure tough to use a public address that you haven't configured as an additional address since it will most likely create routing issues on you own UTM. 
 Assuming you want to use 200.10.10.6 you then need an SNAT rule: 
 Traffic from: 10.10.10.50 Using service: 666 (or any, but if you only need port 666 then go ahead and use that) Going to: 147.118.246.50 
 Change source to: 200.10.10.6 
 Create automatic firewall rule and be sure to also select 'Rule applies to IPSec packets' under advanced 
 
 You will then also need a DNAT rule (for the return traffic): 
 Traffic from: 147.118.246.50 Using service: 666 (or any again, just like above) Going to: 200.10.10.6 
 Change destination to: 10.10.10.50 
 Again tick 'Use automatic firewall rule'. 
 But please, do try to have the other party just use 10.10.10.50 as your local (their remote) computer.