This article describes the steps to use VPN/MPLS as a backup by walking you through an example setup. Please note that VPN/MPLS failover only works when MPLS is configured on a WAN zone and not on any other zone. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
For this example, we will be using a hypothetical network where a VPN link and an MPLS link connect a Head Office (HO) and Branch Office (BO).
The Head Office Sophos has been configured with Port A as LAN, Port B as WAN and Port D as WAN. The MPLS link has been terminated on WAN (Port D).
Sophos LAN IP: 192.168.1.254
Sophos WAN IP (Port B): 18.104.22.168
Sophos WAN IP (Port D): 10.10.10.2 (Connected to HO MPLS router)
The Branch Office has been configured as follows:
LAN IP: 192.168.2.254
WAN IP: 22.214.171.124
DMZ IP: 126.96.36.199 (Connected to BO MPLS router)
The MPLS Link has been configured as follows:
HO Router WAN IP: 188.8.131.52
HO Router DMZ IP: 10.10.10.1 (Connected to Sophos)
BO Router WAN IP: 184.108.40.206
BO Router DMZ IP: 220.127.116.11 (Connected to BO firewall)
Configure the head office to fail over to an IPSec VPN link when the MPLS link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the MPLS link comes up again, normal operation resumes.
You can configure the failover to an IPSec link when the MPLS link fails by following the steps below.
Refer to the article Sophos XG Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key for details on how to establish an IPSec VPN connection between HO and BO.
system link_failover add primarylink PortD backuplink vpn tunnel IPSec_Link monitor PING host 18.104.22.168
Syntax: system link_failover add primarylink <MPLSPort> backuplink vpn tunnel <VPNLink> monitor PING host <RemoteIP>
Note: You can also use TCP for monitoring the remote device. Syntax: system link_failover add primarylink <MPLSPort> backuplink vpn tunnel <VPNLink> monitor TCP host <RemoteIP> port <RemotePort>
Configure interface-based routes for the remote network:
Configure a gateway-based route for the monitored MPLS device:
By default, VPN routes have the highest priority in the Sophos XG Firewall (SF). To set the highest priority for static routes, follow the steps below.
system route_precedence set static
The above configuration sets the VPN link as a backup if the primary MPLS link fails.
Configure the Sophos XG Firewall to fail over to an MPLS link when the primary VPN link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the VPN link comes up again, normal operation resumes.
By default, SF gives higher precedence to VPN routes over static routes. In other words, when a VPN link is established, SF gives first preference to the VPN routes. If the VPN link fails, the traffic is automatically redirected via the static routes for the MPLS link.
Note: If the MPLS link is configured on a non-WAN port, for example, between the LAN port on the HO and DMZ port on the BO, add the following IPSec route from the Sophos CLI.
system ipsec_route add net 192.168.2.0/255.255.255.0 tunnelname IPSec_Link
Re-establish the VPN tunnel after adding the IPSec route.
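As an added illustration (not from this article or from Sophos), the following Python model shows how the route precedence setting decides which path carries BO-bound traffic in both designs above, including what happens in the MPLS-primary design if "system route_precedence set static" is forgotten. The link labels, the up/down inputs and the two-entry precedence order are assumptions of the model, not firewall state.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SF default route precedence: VPN routes are consulted before static routes.
DEFAULT_PRECEDENCE: Tuple[str, ...] = ("vpn", "static")

@dataclass
class Link:
    name: str   # label used in this model, e.g. "MPLS(PortD)" or "IPSec_Link"
    kind: str   # "static" (route via the MPLS gateway) or "vpn" (route via the tunnel)
    up: bool    # usable: monitor (PING/TCP) passes for MPLS, tunnel established for VPN

def egress(links: List[Link],
           precedence: Tuple[str, ...] = DEFAULT_PRECEDENCE) -> Optional[str]:
    """Return the link that carries traffic to the BO LAN (192.168.2.0/24).
    Route types are tried in precedence order; a route whose link is down is
    skipped, so traffic falls through to the next type. None if both are down."""
    for kind in precedence:
        for link in links:
            if link.kind == kind and link.up:
                return link.name
    return None

def mpls_primary_design(mpls_up: bool, vpn_up: bool, static_first: bool) -> Optional[str]:
    """Design 1: MPLS primary, VPN backup (link_failover on PortD).
    static_first mirrors 'system route_precedence set static'; without it the
    VPN route wins whenever the tunnel is up, even while MPLS is healthy."""
    links = [Link("MPLS(PortD)", "static", mpls_up), Link("IPSec_Link", "vpn", vpn_up)]
    order = ("static", "vpn") if static_first else DEFAULT_PRECEDENCE
    return egress(links, order)

def vpn_primary_design(vpn_up: bool, mpls_up: bool) -> Optional[str]:
    """Design 2: VPN primary, MPLS backup. The default precedence already
    prefers the VPN route; the static MPLS route takes over when the tunnel drops."""
    links = [Link("IPSec_Link", "vpn", vpn_up), Link("MPLS(PortD)", "static", mpls_up)]
    return egress(links)

if __name__ == "__main__":
    print("MPLS primary, both up, static first :", mpls_primary_design(True, True, True))
    print("MPLS primary, MPLS down, static first:", mpls_primary_design(False, True, True))
    print("MPLS primary, both up, default order :", mpls_primary_design(True, True, False))
    print("VPN primary, tunnel down             :", vpn_primary_design(False, True))
```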