VPN: Use "additional IPs" for Tunnels
We have multiple IPs from the provider, and have one as the main interface IP along with 4 others as "additional" IPs. We cannot make a VPN tunnel using the additional IPs, as only the physical interface is supported. It would be great to be able to terminate against one of the others.
Samuel Heinrich commented
The only workaround I found so far is:
- Use another physical interface with the desired IP address and connect it physically, in addition to your primary interface, to the router/WAN switch. I recommend using a /32 mask. You should be able to use that interface in your VPN config.
Maybe it's also possible to DNAT/SNAT the IKE/IPsec traffic from your additional interface to your primary interface. It's worth a try at least.
Nathan Lock commented
6 years on and not implemented. Sophos don't actually do anything with the ideas here.
We have a block of 16 IPs and we would really like this functionality to happen.
IT Promo commented
I have the same problem. This feature is causing me a great problem. I hope you include this feature quickly in the UTM.
Ewen McNeill commented
FWIW, this also got in the way of our deployment too -- we wanted to use a routed IP for the VPN endpoint, rather than a "fewer-failover-paths" linknet. It's possible to use IPSec/Advanced to specify the "leftid" (i.e., for IPSec VPN auth), but it still does not seem to be possible to specify the "left" (i.e., the IP address of the local endpoint), even though the underlying IPSEC software (strongswan/pluto) recognises the "additional address" IP as an available one that it is listening on.
Yes, this is a missing feature that is available in TMG. Just slowed my deployment.
Marcel Jauernig commented
On SSL-VPN it is possible to use the additional IPs. This option should be normal for every VPN type.
But it is still missing for PPTP, L2TP, IPsec, HTML5 and Cisco!
Keren... yup. This is a dead horse. Setting the "IP Address" on the "right" could be resolved with this idea: (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/2506490-expand-ipsec-conf-control-to-webadmin) but as Sophos has obviously not bothered to invest in the VPN side of things, we have ditched it and replaced it with just a Linux VM running the current version of StrongSWAN (of which Sophos uses an ancient version).
Keren Dong commented
We ran into the same problem. This is serious as it affects how the IPSec configuration picks up the local VPN ID when it is set to "IP Address". There is no way to make this right (it always picks up the internal IP instead of the public external one that we want to use).
Markus Joosten commented
I honestly cannot believe that this has not been implemented yet.
It should be possible to choose an additional IP address as the local endpoint for an IPsec VPN tunnel.
Chris Kent commented
Same problem. This may force a vendor change for my client.
All other vendors do this already; lost an easy case just because of this.
I ran into the same problem.
Added a secondary IP to an external interface, and there is no way to select it as the source for IPsec packets leaving the UTM.
Slightly adjusted description to ensure his request was appropriately posed.
What do you mean here? Are you talking about configuring a public IP for the remote side as the protected network?
This is already possible. Or are you asking for something else?