Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Site to Site VPN on specific WAN IP

Good morning, 

I have a small problem, and I would like to have the best possible approach. 

We have a sonicwal TZ670 with a wan interface having a block of public ip ( 6 in total). 

We want our VPN tunnel (ike/esp etc..) to go through a specific wan ip. 

What I've already done: 

- created a static ARP entry

- object creation

- created a NAT policy to send ike traffic out to the specific WAN ip. 

Unfortunately, the tunnel tries to go up on the primary ip (defined in the WAN interface) and not on the desired public ip. 


Thank you

Category: Mid Range Firewalls
Reply
Tagged:

Answers

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    You don't mention the IKE ID, this defaults to the IP of the interface it's on. Try manually setting it? But I suspect that what you're asking for isn't possible.

    If you explain why you're trying to do this, we might be able to suggest a better approach.

  • bchervybchervy Newbie ✭

    Thank you for your quick reply. 


    The IKE ID set is the outbound ip I want. 

    on the WAN interface, the ip is for example: 1.1.1.2

    the second IP (assigned by the same ISP): 1.1.1.3


    I want the site-to-site vpn to exit via ip 1.1.1.3 (IKE negotiation, ESP etc). 

    The remote partner expects to receive IKE packets from the public ip 1.1.1.3.

  • ArkwrightArkwright All-Knowing Sage ✭✭✭✭

    Maybe someone else knows better, but like I said, I don't think it's possible.

    You will probably find it easier to change the interface IP of the firewall than to work around this.

  • prestonpreston Enthusiast ✭✭
    edited November 2023

    Hi @bchervy, @Arkwright is correct you can only terminate the VPN on the Interface IP,

    can you not swap the IP addresses around and have 1.1.1.3 as the WAN IP?

    you can still use the 1.1.1.2 IP for port forwarding if you currently have these set up you would just need to amend the NAT and Firewall rules to point to the address object 1.1.1.2 instead of the X1 IP (presuming X1 is the WAN Interface)

Sign In or Register to comment.