topic Re: VPN to 730 appliance behind Google Fiber static IP in Spark Firewall (SMB)

VPN to 730 appliance behind Google Fiber static IP

Dick_Summers — Mon, 26 Nov 2018 04:54:46 GMT

My client has Google Fiber with one static IP address. The Google Fiber modem public IP NATs to a 10.0.0.0 address, to which the 730 WAN port is connected. I have been unable to get a VPN connection through this configuration to the 730, the VPN client shows the site is not responding.

Any ideas or experience with this setup?

Re: VPN to 730 appliance behind Google Fiber static IP

G_W_Albrecht — Mon, 26 Nov 2018 12:02:37 GMT

Question is: Who is the VPN peer ? Usually, this is a valid configuration and VPN should work as expected. Some limitations can be found in sk121758: R77.20.75 for Small and Medium Business Appliances:

The external IP address of the gateway is also part of its local VPN encryption domain by default. This may cause conflicts with IP addresses of peers when the gateway is behind NAT or uses a dynamic Internet Connection IP address.

To exclude the external IP of the gateway from the encryption domain, use this Аdvanced setting: "VPN Site to Site global settings - Do not encrypt connections originating from the local gateway".
For the Permanent VPN Tunnels feature to work properly in this mode, use the Аdvanced setting: "VPN Site to Site global settings - Perform Tunnel Tests using an internal IP address".

Re: VPN to 730 appliance behind Google Fiber static IP

Pedro_Espindola — Mon, 26 Nov 2018 17:43:43 GMT

I have a similar setup. I used the DMZ option in the ISP router to send all incoming traffic to the WAN interface of the gateway. Both site-to-site and remote access VPN work well.

I had issues with VPN from mobile devices. The solution was to set the client to use SSL instead of IPSec, but if I remember correctly the site responded and connection was successful, but traffic to the encryption domain failed.