Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
652 Views 2 Replies Latest reply: Jan 3, 2012 3:27 AM by armalite RSS
armalite Newcomer 18 posts since
Dec 14, 2011
Currently Being Moderated

Jan 2, 2012 9:31 AM

Multiple external Interfaces on sidewinder 8.2

Hi List,



i have read this thread: and i have a similar problem.


Ich have two clusterd interfaces with different subnets connectet to the internet on my sidewinder.


First is for all outgoing and incomming traffic except the branch office VPNs. here is the default Route locatet. The second interface is for VPN Traffic from branch offices. External Interfaces (snapgears) of the branch offices don't have fixed IPs.


But i think, all the incomming VPN raffic is routet back over the  first interface (default route) so i can't establish the VPN Tunnel (UDP Traffic).



How can i analyse / fix this.


sliedl says in this tread   "The inbound traffic is fine because it will be routed back out that interface that it arrived on (the INBOUND interface)."





thx in advance




  • sliedl McAfee SME 535 posts since
    Nov 3, 2009
    Currently Being Moderated
    1. Jan 2, 2012 6:01 PM (in response to armalite)
    Re: Multiple external Interfaces on sidewinder 8.2

    If the branch offices do not have fixed IPs there is not much you can do about this on the firewall.


    You need to add a route on your firewall that directs all traffic to the destination IPs of these VPNs to be forwarded to some IP address that is reachable from your second interface (i.e. the IP address of some device connected to your firewall's second interface).  Any traffic that is arrives FROM these branch offices needs to arrive on this second interface also (e.g. the traffic needs to be routed to you over this second interface by other devices outside of your firewall).  That should happen anyway as the destination IP of packets from those branch offices would be the IP of your second interface and should come in on that interface.


    The firewall cannot route packets based on policy (i.e. HTTP traffic goes out this route and VPN traffic goes out this other route).  It can only route packets based on destination address.  Every time the IP address of the branch office changes you would have to change the route on the firewall.

More Like This

  • Retrieving data ...

Bookmarked By (0)


  • Correct Answers - 5 points
  • Helpful Answers - 3 points