I'm about to manage a new client's infra and I'm not very familiar with Sophos (used to Zyxel...).
Well, the client is using an internal subnet which is already used by another client, so I can't configure a site-to-site VPN because of that.
I wanted to set up an SNAT to translate the new client's subnet into a fake subnet, then route that subnet over the site-to-site VPN with my other firewall.
With Zyxel it's quite easy to set up an SNAT, but for some unknown reason here I can't make it work...
Some information:
- client subnet: 192.168.2.0/24
- LAN_FAKE: 10.50.2.0/24
- LAN_IT (subnet behind my firewall): 192.168.200.0/24
I tried to set up a 1:1 NAT map source with: From = Internal (network) -> Any service -> To = LAN_IT, map source: change source to LAN_FAKE (10.50.2.0/24).
Enabled the automatic firewall rule.
Did the same with a 1:1 NAT map destination for reverse requests: From = LAN_IT -> Any service -> To = LAN_FAKE, map destination: change destination to Internal (network 192.168.2.0/24).
I also set up my IPsec site-to-site VPN connection with gateway PSK and gateway IP.
It doesn't work at all. In the logs I see this:
packet from xx.xxx.xxx.xxx(my gateway public ip): initial Main Mode message received on 192.168.2.1:500(client firewall) but no connection has been authorized with policy=PSK
When I read this I suppose there is a problem with the PSK, but the PSKs are the same between my firewall and the client firewall in the VPN config.
I don't understand what is wrong...
Any idea?
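The 1:1 mapping described above, as an added example in Python that is not from the post or from Sophos: it shows what the map-source and map-destination rules do to addresses (host bits kept, network bits swapped) and checks that the networks carried by the tunnel do not overlap. OTHER_CLIENT_LAN is a constructed stand-in for the clashing subnet at the other client.

```python
import ipaddress

# Subnets from the post; OTHER_CLIENT_LAN is constructed for illustration
CLIENT_LAN = ipaddress.ip_network("192.168.2.0/24")        # "Internal (network)" on the client UTM
LAN_FAKE = ipaddress.ip_network("10.50.2.0/24")            # what LAN_IT sees through the tunnel
LAN_IT = ipaddress.ip_network("192.168.200.0/24")          # subnet behind the other firewall
OTHER_CLIENT_LAN = ipaddress.ip_network("192.168.2.0/24")  # constructed: the clash that forced the NAT


def netmap(addr, src_net, dst_net):
    """1:1 NAT: keep the host bits of addr, replace src_net's network bits with dst_net's."""
    addr = ipaddress.ip_address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 network mapping needs equal-sized networks")
    host_bits = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + host_bits)


def translate_outbound(src, dst):
    """The 'map source' rule: Internal -> LAN_IT, change source to LAN_FAKE."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in CLIENT_LAN and dst in LAN_IT:
        src = netmap(src, CLIENT_LAN, LAN_FAKE)
    return str(src), str(dst)


def translate_inbound(src, dst):
    """The 'map destination' rule for replies: LAN_IT -> LAN_FAKE, change destination to Internal."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in LAN_IT and dst in LAN_FAKE:
        dst = netmap(dst, LAN_FAKE, CLIENT_LAN)
    return str(src), str(dst)


def overlapping_pairs(named_nets):
    """Return [(name_a, name_b), ...] for every pair of networks that overlap.

    The IPsec policy may only carry non-overlapping networks; an empty list
    means the addresses chosen for the tunnel do not clash.
    """
    items = list(named_nets.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    print(translate_outbound("192.168.2.17", "192.168.200.5"))  # ('10.50.2.17', '192.168.200.5')
    print(translate_inbound("192.168.200.5", "10.50.2.17"))     # ('192.168.200.5', '192.168.2.17')
    # without the NAT the two client LANs clash; with LAN_FAKE in the policy nothing overlaps
    print(overlapping_pairs({"client": CLIENT_LAN, "other_client": OTHER_CLIENT_LAN}))
    print(overlapping_pairs({"LAN_FAKE": LAN_FAKE, "LAN_IT": LAN_IT}))
```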
Salut and welcome to the UTM Community!
You will want to consult How to tunnel between two UTMs which use the same LAN network range and More VPN between same subnets.
If you're having trouble getting a tunnel established:
1. Confirm that Debug is not enabled.
2. Disable the IPsec Connection.
3. Start the IPsec Live Log and wait for it to begin to populate.
4. Enable the IPsec Connection.
5. Copy here about 60 lines from enabling through the error.
Cheers - Bob
I think I've found the fix by recreating and checking the SNAT/DNAT... the day after, the VPN was working fine... maybe a delay...
Well, it's all fine now.