1 Reply Latest reply on Aug 27, 2012 4:59 PM by rcamm

    UTM310 IPSEC tunnel help

      Hello, I am trying to repair a central-branch office IPSEC tunnel between two UTM310s. Both are behind SMC cable modems. Central office has static WAN IP passed through from cable modem, branch office WAN IP is dynamic. Both SMC cable modems were recently replaced by Comcast and the tunnel went down.

       

      I assume this is because I will need to recreate a pinhole, or port forward on the cable modem into the UTM at the Central office?

       

      1.  May I simply point a DMZ host to the static LAN IP of the UTM310 at Central office to act as host?  Or will I need specific pinholes/port forwards/protocols/ports opened?

       

      2.  Can I leave the Branch office SMC cable modem in factory state (as the Branch office UTM will establish the tunnel out to Central office UTM via route established in question #1?)

       

      3.  The Central branch UTM has static LAN IP assigned, the Branch office gets LAN IP dynamically from the Comcast modem.  Will this work this way?

       

      4.  In troubleshooting the tunnel I deleted the IPSEC settings/tunnel and am starting from scratch.  May I simply follow the typical example in the user guide's settings if the SMC cable modems are configured as outlined in questions #1 & #2?

       

      I did modify the previously functioning tunnel to use static WAN IP on the Central and dynamic on the Branch about one year ago to save money on the branch office cable account.  

       

      Message was edited by: bmdaia on 8/26/12 7:58:46 AM CDT

        • 1. Re: UTM310 IPSEC tunnel help

          Yes, you need to port forward UDP 500 at the static IP end to the UTM WAN IP, as I assume the SMCs are performing full NAT

           

          1. Yes, simply point the dynamic end at the head office static IP with the port forward mentioned above

          2. specify the remote and local IDs using an @ symbol...as per the user manual

          3. yes, if you use IDs as mentioned above

          4. yes

           

          Knowledge base article KB62286 may assist, but the user manual should have all you need.
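The reply above boils down to four things that have to agree across the two ends: the branch points at the head office's static IP while the head office accepts a dynamic peer, both ends use "name@domain" IDs that are mirrored (each end's remote ID is the other end's local ID), and the head-office modem forwards IKE traffic to the UTM's WAN address. The following Python script is an added example, not code from the thread or from the UTM product, that encodes those checks against constructed configuration dictionaries (the key names such as `utm_wan_ip` and `remote_gateway` are assumptions, not the UTM's own field names). It also expects a UDP 4500 forward alongside the UDP 500 the reply names: that port is what IKE switches to for NAT-Traversal once it detects NAT between the peers, and both modems here are NATing.

```python
# Added example (not from the forum thread): a consistency check for the
# site-to-site topology discussed above.  Head office has a static public
# IP on a NATing cable modem, branch office has a dynamic address and
# initiates, and both ends identify with user-FQDN IDs ("name@domain",
# the "@ symbol" form the reply refers to).  All values are constructed.

import ipaddress

# Ports the head-office modem must forward to the UTM's WAN address.
# UDP 500 (IKE) is what the reply names; UDP 4500 (NAT-Traversal) is an
# addition here, used once IKE detects NAT between the peers.
REQUIRED_FORWARDS = {("udp", 500), ("udp", 4500)}


def is_ipv4(value):
    """True when value parses as an IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def is_user_fqdn(identity):
    """True for the 'user@domain' identity form (IKE ID_USER_FQDN)."""
    local, sep, domain = identity.partition("@")
    return bool(sep) and bool(local) and bool(domain)


def check_tunnel(head, branch, head_modem_forwards):
    """Return a list of findings; an empty list means the two ends agree.

    head / branch: dicts with keys 'public_ip', 'utm_wan_ip',
    'remote_gateway', 'local_id', 'remote_id' (assumed names, not the
    UTM's own).  head_modem_forwards: set of (proto, port, target_ip).
    """
    findings = []

    # 1. Branch must point at the head office's static public IP; the head
    #    office cannot know the branch address and must accept "any".
    if not is_ipv4(head["public_ip"]):
        findings.append("head-office public IP is not a valid IPv4 address")
    if branch["remote_gateway"] != head["public_ip"]:
        findings.append("branch remote gateway is not the head-office static IP")
    if head["remote_gateway"] != "any":
        findings.append("head office must accept a dynamic peer (remote gateway 'any')")

    # 2./3. With a dynamic peer both ends identify by user-FQDN IDs, and
    #    each end's remote ID must equal the other end's local ID.
    for name, side in (("head", head), ("branch", branch)):
        for key in ("local_id", "remote_id"):
            if not is_user_fqdn(side[key]):
                findings.append(f"{name} {key} {side[key]!r} is not of the user@domain form")
    if head["local_id"] != branch["remote_id"]:
        findings.append("branch remote ID does not match head local ID")
    if branch["local_id"] != head["remote_id"]:
        findings.append("head remote ID does not match branch local ID")

    # Port forwards on the head-office modem must land on the UTM's WAN IP
    # (with a pass-through modem that address equals the public IP).
    present = {(proto, port) for proto, port, target in head_modem_forwards
               if target == head["utm_wan_ip"]}
    for proto, port in sorted(REQUIRED_FORWARDS - present):
        findings.append(f"head-office modem has no {proto}/{port} forward to {head['utm_wan_ip']}")
    return findings


# Constructed sample configurations (documentation/private ranges only).
GOOD_HEAD = {
    "public_ip": "198.51.100.10",    # static IP on the head-office modem
    "utm_wan_ip": "192.168.100.2",   # UTM WAN interface behind the modem's NAT
    "remote_gateway": "any",
    "local_id": "head@example.net",
    "remote_id": "branch@example.net",
}
GOOD_BRANCH = {
    "public_ip": None,               # dynamic, not known in advance
    "utm_wan_ip": "10.1.10.2",
    "remote_gateway": "198.51.100.10",
    "local_id": "branch@example.net",
    "remote_id": "head@example.net",
}
GOOD_FORWARDS = {("udp", 500, "192.168.100.2"), ("udp", 4500, "192.168.100.2")}

# A broken variant: IDs copied without being mirrored, and only one
# forward recreated on the replacement modem.
BAD_BRANCH = dict(GOOD_BRANCH, local_id="head@example.net", remote_id="branch@example.net")
BAD_FORWARDS = {("udp", 500, "192.168.100.2")}

if __name__ == "__main__":
    for label, findings in (
        ("good", check_tunnel(GOOD_HEAD, GOOD_BRANCH, GOOD_FORWARDS)),
        ("bad", check_tunnel(GOOD_HEAD, BAD_BRANCH, BAD_FORWARDS)),
    ):
        print(label, "->", findings or ["ok"])
```

Running it prints an empty finding list for the mirrored configuration and three findings for the broken one (both ID mismatches and the missing UDP 4500 forward), which is the kind of result worth confirming before touching IKE proposals or pre-shared keys after a modem swap.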