Dear All, I am about to order a Swisscom Fibre business line with static IP addresses. Could anyone comment on whether they have had success in getting an IPSec site-site VPN working in DMZ mode with a Centro Business 2.0 please? In my case, a physical firewall (e.g. Cisco ASA or similar) would be connected to the DMZ port. Swisscom publish a reasonable guide to configuring DMZ mode [here](http://documents.swisscom.com/product/1000260-Connectivity_Geraete_/Documents/Spezifikationen/Centro_Business_Mail_Webserver_SecurityGateway_in_der_DMZ_betreiben-en.pdf). There is also a PPPoE passthrough option, but it prevents anything except LAN port 1 from working which is a problem in my scenario. If I have to go with the Passthrough option I'll need to order a second line. I found a couple of old posts in German suggesting there might be issues with the ALGs routing the ESP/IP Protocol 50 traffic from the DMZ port, but that was back in 2015 and a different router hardware and firmware. Any comments or advice would be greatly appreciated. Regards James.

Site to Site IPSec with Centro Business Fibre Router

brownjam

Dear All,

I am about to order a Swisscom Fibre business line with static IP addresses. Could anyone comment on whether they have had success in getting an IPSec site-site VPN working in DMZ mode with a Centro Business 2.0 please? In my case, a physical firewall (e.g. Cisco ASA or similar) would be connected to the DMZ port.

Swisscom publish a reasonable guide to configuring DMZ mode here. There is also a PPPoE passthrough option, but it prevents anything except LAN port 1 from working which is a problem in my scenario. If I have to go with the Passthrough option I'll need to order a second line.

I found a couple of old posts in German suggesting there might be issues with the ALGs routing the ESP/IP Protocol 50 traffic from the DMZ port, but that was back in 2015 and a different router hardware and firmware.

Any comments or advice would be greatly appreciated.

Regards

James.

brownjam

All,

Just to confirm I tested IPSec tunnelling over the supplied Centro Business 2.0 modem/router. I think this is a rebadged Cisco box.

Two modes were available - IP Passthrough and PPPoE passthrough. It worked fine with either but I prefer the PPPoE option as it's not entirely clear to me what the other mode is doing at the wire level. ESP and IKE traffic are flowing in both directions with no issues.

I hope this will assist others.

Regards

James.