This discussion has been locked.

Redundant site-to-site AWS VPN with redundant UTM WAN Links

For over a year I have had great success in using site-to-site VPN from my office (SG230) to AWS VPCs (6 of them) using BGP.

I now have brought in a second internet connection to the office and configured it in Active/Active mode on the SG230 for internet access. I now want to use that second internet connection to establish a redundant VPN connection to the AWS VPCs so that if WAN1 goes down the VPN tunnels to AWS will continue to function on WAN2.

I tried establishing 6 new VPN connections on the secondary link and I did not have stable results (connection drops) so I had to back it out.  As best I can tell there was some problem with the BGP.

Has anyone successfully configured something like this?  For the AWS part of the configuration, should the customer gateway I configure for WAN2 use the same BGP ASN as WAN1?



  • Hi Dan,

    I haven't had a chance lately to work on this.  I think my next course of action will be to try again and work with AWS support while the issue is happening.  If you end up getting this to work please respond back with the solution.

  • Hi Kevin,

    Thanks for the response.  I will post my results once I get a working solution up and running.

    I'm tasked with moving our production ERP into AWS and there is no way I can do that without a solution that addresses primary internet failure at my on-premise location.

    Cheers,

    Dan

  • Hi Dan,

    Were you able to get this working? If so, can you post the solution?

    Kevin

  • I have a work-around for the time being, but it doesn't involve an automated failover, although it's a fast manual failover.  Well, it could be automatic, but I didn't trust my config.

    Create a second customer gateway in AWS pointing to the static IP of your secondary internet connection.  I label each of my gateways in AWS with the name of the ISP they are pointing to.  I create a second site-to-site VPN in AWS using the second customer gateway I've just created.

    On the Sophos UTM side I create a second site-to-site VPN using the BGP template from the new AWS VPN.

    I did in fact test and have both of these VPNs running at the same time.  I'm not much of a network guy, but I was nervous having two VPNs terminating to the same AWS subnets.  It seemed to work, and the primary site-to-site VPN continued to be used for sending traffic across with the secondary VPN online.  When I shut down the primary Sophos interface to test, after a few pings things went across the secondary connection.  That said, I had no idea how the UTM decided which VPN to send traffic across when both were online, or how AWS resources decided to send traffic back.

    I haven't dug into it too much more, but I have just turned off the second site-to-site VPN in my UTM and left the second VPN active on the AWS side.  In the event of a primary internet outage I get an alert on my phone, so getting things back online is as easy as logging into the UTM and turning on the second site-to-site VPN connection.  Everything comes back almost instantly for me.

    I'm in a smaller environment that can tolerate a minute or two of connectivity loss.  I have bigger risks to mitigate in my network, but one day I would like to circle back and get this working seamlessly.

    Hope that helps.
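The AWS side of the work-around above (second customer gateway for the WAN2 address, second BGP-routed VPN connection to the existing virtual private gateway, a Name tag per ISP, then a tunnel-status check) scripted with the AWS CLI. This is an added example, not code from the thread or from Sophos or AWS; the VGW id, WAN2 address, ASN and ISP label are placeholders you supply through environment variables, and whether WAN2 should reuse WAN1's ASN is left as the thread leaves it (the script simply uses the ASN you pass). By default it only prints the plan; set `APPLY=1` to execute. The Sophos UTM side (importing the BGP template for the new connection) is not scriptable here and is still done in WebAdmin.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Scripts the AWS half of the
# redundant VPN work-around. Every id/address below is a placeholder or a
# constructed value; replace them with your own via the environment.
set -eu

VGW_ID="${VGW_ID:-vgw-PLACEHOLDER}"   # existing virtual private gateway on the VPC (assumption)
WAN2_IP="${WAN2_IP:-203.0.113.10}"    # constructed TEST-NET-3 address for the WAN2 static IP
BGP_ASN="${BGP_ASN:-65000}"           # placeholder private ASN; pass the one you use on the UTM
ISP_NAME="${ISP_NAME:-isp2}"          # label, as the post tags each gateway with its ISP
APPLY="${APPLY:-0}"                   # 0 = print the plan only, 1 = run the aws commands

# Command registering the WAN2 endpoint as a second customer gateway (BGP-capable).
cgw_create_cmd() {
  printf 'aws ec2 create-customer-gateway --type ipsec.1 --public-ip %s --bgp-asn %s --query CustomerGateway.CustomerGatewayId --output text\n' "$1" "$2"
}

# Command naming a resource after the ISP so the two gateways are distinguishable.
tag_cmd() {
  printf 'aws ec2 create-tags --resources %s --tags Key=Name,Value=%s\n' "$1" "$2"
}

# Command creating the second site-to-site VPN; StaticRoutesOnly=false selects BGP routing.
vpn_create_cmd() {
  printf 'aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id %s --vpn-gateway-id %s --options StaticRoutesOnly=false --query VpnConnection.VpnConnectionId --output text\n' "$1" "$2"
}

# Command returning the per-tunnel status words (UP/DOWN) AWS reports for a connection.
telemetry_cmd() {
  printf "aws ec2 describe-vpn-connections --vpn-connection-ids %s --query 'VpnConnections[0].VgwTelemetry[].Status' --output text\n" "$1"
}

# Count how many tunnels of a connection report UP, given the telemetry words.
# Two tunnels per connection is normal; 0 means the UTM side is not up yet
# (the post keeps the UTM side of the second VPN switched off until needed).
count_up() {
  n=0
  for status in $1; do
    if [ "$status" = "UP" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

if [ "$APPLY" = "1" ]; then
  CGW_ID="$(eval "$(cgw_create_cmd "$WAN2_IP" "$BGP_ASN")")"
  eval "$(tag_cmd "$CGW_ID" "cgw-$ISP_NAME")"
  VPN_ID="$(eval "$(vpn_create_cmd "$CGW_ID" "$VGW_ID")")"
  eval "$(tag_cmd "$VPN_ID" "vpn-$ISP_NAME")"
  UP="$(count_up "$(eval "$(telemetry_cmd "$VPN_ID")")")"
  echo "created $VPN_ID via $CGW_ID; tunnels up: $UP (0 is expected until the UTM side is enabled)"
else
  echo "plan only (set APPLY=1 to execute):"
  cgw_create_cmd "$WAN2_IP" "$BGP_ASN"
  tag_cmd "<cgw-id-from-previous-step>" "cgw-$ISP_NAME"
  vpn_create_cmd "<cgw-id-from-previous-step>" "$VGW_ID"
  telemetry_cmd "<vpn-id-from-previous-step>"
fi
```

After the AWS side exists, download the new connection's configuration for the Sophos BGP template and create the second site-to-site VPN on the UTM, as the post describes; `count_up` against the telemetry output is the quick way to confirm both tunnels of the second connection come up once that side is switched on.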