I'm about to manage a new client's infra and I'm not very familiar with Sophos (used to Zyxel...).
Well, the client is using an internal subnet which is already used by another client, so I can't configure a site-to-site VPN because of that.
I wanted to set up an SNAT to translate the new client subnet into a fake subnet, then route that subnet over the site-to-site VPN to my other firewall.
With Zyxel it's quite easy to set up an SNAT, but for some unknown reason here I can't make it work...
A few pieces of information:
- client subnet: 192.168.2.0/24
- LAN_FAKE: 10.50.2.0/24
- LAN_IT (subnet behind my firewall): 192.168.200.0/24
I tried to set up a 1:1 NAT (map source) with: From = Internal (network) -> Any service -> To = LAN_IT, map source: change source to LAN_FAKE (10.50.2.0/24).
Enabled the automatic firewall rule.
Did the same with a 1:1 NAT (map destination) for reverse requests: From = LAN_IT -> Any service -> To = LAN_FAKE, map destination: change destination to Internal (network 192.168.2.0/24).
I also set up my IPsec site-to-site VPN connection with gateway PSK and IP gateway.
It doesn't work at all. In the logs I see this:
packet from xx.xxx.xxx.xxx(my gateway public ip): initial Main Mode message received on 192.168.2.1:500(client firewall) but no connection has been authorized with policy=PSK
When I read this I assume there is a problem with the PSK, but the PSKs are the same between my firewall and the client firewall in the VPN config.
I don't understand what is wrong...
Any idea?
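A model of the two 1:1 NAT rules described above, and of the subnet-overlap check they are meant to satisfy, as an added Python example (not Sophos code and not from the original post); the other client's subnet is assumed to be the same 192.168.2.0/24 the post says is already in use.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Subnets from the post; OTHER_CLIENT_LAN is constructed (the conflicting client).
CLIENT_LAN = ip_network("192.168.2.0/24")        # real client subnet
LAN_FAKE = ip_network("10.50.2.0/24")            # how the client appears over the VPN
LAN_IT = ip_network("192.168.200.0/24")          # subnet behind the other firewall
OTHER_CLIENT_LAN = ip_network("192.168.2.0/24")  # constructed: same range, other client


def netmap(addr, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    """1:1 subnet translation: keep the host bits, swap the network bits."""
    a = ip_address(addr)
    if a not in src_net:
        raise ValueError(f"{a} is not inside {src_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("1:1 NAT needs equally sized subnets")
    host = int(a) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + host)


def snat_to_vpn(src, dst):
    """Client -> LAN_IT: rewrite the source (the post's 'map source' rule)."""
    src, dst = ip_address(src), ip_address(dst)
    if src in CLIENT_LAN and dst in LAN_IT:
        return netmap(src, CLIENT_LAN, LAN_FAKE), dst
    return src, dst  # anything else is left untouched


def dnat_from_vpn(src, dst):
    """LAN_IT -> LAN_FAKE: rewrite the destination (the 'map destination' rule)."""
    src, dst = ip_address(src), ip_address(dst)
    if src in LAN_IT and dst in LAN_FAKE:
        return src, netmap(dst, LAN_FAKE, CLIENT_LAN)
    return src, dst


def overlapping_pairs(nets):
    """Pairs of subnets that overlap; IPsec selectors built from such a set
    are ambiguous, which is why the fake subnet has to be used on the VPN side."""
    nets = list(nets)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    print(snat_to_vpn("192.168.2.10", "192.168.200.5"))    # (10.50.2.10, 192.168.200.5)
    print(dnat_from_vpn("192.168.200.5", "10.50.2.10"))    # (192.168.200.5, 192.168.2.10)
    print(overlapping_pairs([CLIENT_LAN, OTHER_CLIENT_LAN, LAN_IT]))  # one clash
    print(overlapping_pairs([LAN_FAKE, OTHER_CLIENT_LAN, LAN_IT]))    # []
```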
I think I've found the fix by recreating and checking the SNAT/DNAT... the day after, the VPN was working fine... maybe a delay...
Well, it's all fine now.