This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to do Backup VPN with Sophos UTM 9.x more detailed than KB 118975

How to do Backup VPN with Sophos UTM 9.x more detailed than KB 118975

 

The method (work with 1:n and n:n) I will show you here will let you define a more detailed backup vpn than described in the KB 118975. In the knowledge base article, you are limited to the order of the interfaces defined in Uplink Interfaces. But here you can use every order you want. This will even work with layer two site-to-site connections over WAN.

Network Overview:

 

Now here I show you the required steps for a backup vpn with layer two site-to-site connection over WAN.

  1. Preparations

Make an interface on the UTM for your layer two connection. Use a net mask for a transfer net (255.255.255.252 or /30).

Site-1:

Site-2:

Make sure default gateway is ticked and the IP-address is the neighbor of the transfer net.

 

Next we create an interface group on each site with the order we want to initiate the vpn:

Site-1:


Site-2:

 

 

When we take a look at our uplink interfaces it might look like this:
Site-1:

Site-2:

To avoid that internet traffic is going over the layer two connection we need create an multipath rule that looks like this:

This must be done on both sites. Put this rule on bottom if you have already some multipath rules.

 

Now we must solve the problem with the interface error on our layer two connection.

To do this we make a nat rule for the interface address of each site.

Site-1:

Important is the source translation. Here make an availability group like this:

Site-2:

Now the interface error should be gone and we can start to configure our vpn.

  1. Configure the vpn

Site-1:

Remote gateway config:
Here you can see that I choose an availability group on gateway and defined the order of gateways I want to use for my vpn -> 1. EC 2. Internet 1 3. Internet 2

IPSec config:
Under local interface choose the interface group you defined for the vpn

Site-2:

Remote gateway config:
Easy configuration here. Take respond only with the psk option and the remote network.

IPSec config:

Now you have a functional backup vpn with your order and even over layer 2 site-to-site connection.

Feel free to ask some questions :-)

If you read this post and haven't seen any pictures, my fault.

I will fix this
Best Regards

DKNL

 



This thread was automatically locked due to age.
Parents
  • Hi DKNL, thanks for your great article.

    have a new challenge, is it possible, if go down one inet line tu a site, redirect inet traffic ower the vpn to a noder site??

    Best Regards

    I

  • Hi,

    are you talking about the same infrastructure?

    In general it is not possible to say that if uplink 1 (internet local) down send internet traffic over the vpn.

    You only have the option to send internet traffic alway or never over the vpn.
    To send internet traffic over vpn you have to set the remote network to any(0.0.0.0)

    There is an option in UTM, that is called uplink monitoring where you can say if uplinks go down enable vpn tunnel.
    You cannot define which uplink must be down.
    But in this scenario it is not possible to do this because the transfernetwork is also an uplink.
    So the action you defined there would never match because uplink 2 is online.

    There is no option to say set remote network to any if uplink 1 goes down.

    Back to this infratructure you can do this without vpn and multipath routing.

    You have then set an multipath rule which says

    Source: Internal Networks
    Service: Web Surfing
    Destination: Internet
    Bind to Interface: Uplink local
    Skip Rule if interface error: check

    On the remote Site you have to set SNAT and FW-Rule for the networks that come from the vpn, that they can send traffic to the internet.
    It is similar to the SNAT Rule for the transfernetwork to get the error away.

    So when Uplink 1 goes down, Uplink 2(transfernetwork) is used to send any web surfing requests to his default gateway(transfernetwork ip remote site).

    Best regards
    DKNL

  • Ahah!  DKNL had a name change - now I see who it is!

    Have you seen Michael Klehr's Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE)?

    It's an instantaneous failover and can also answer Sven's question from Dec. 2016, above.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Micheal Klehr's is not instantaneous failover. There is also ping lost during the switch over. and works only with uplink interfaces. (I know this KB ;) )

    MPLS Lines are "normaly" not definied as uplink interfaces, so that you cannot use them für multipath rules.

    So how would you configure the UTM that MPLS is primary link to branch and if this link goes down initiate IPSec to branch?

    The only thing I have in mind is to use dynamic routing and IPSec with bind tunnel to local interface.
    But I have not done this.
    Found this from Michael but this needed connection from Sophos to Sophos.
    https://www.klehr.de/michael/sophos-utm-ospf-ueber-einen-vpn-tunnel-nutzen/

    One other thing ist that Sven does not want IPSec over the MPLS Line.

    And yes I switched my name or rather merged two accounts together. :)

    Best Regards
    DKKDG

  • I haven't been able to reach Michael's site for awhile.  Are you?  I get "try again later."

    "The only thing I have in mind is to use dynamic routing and IPSec with bind tunnel to local interface."

    I think I did this with static routes, but it's been over a year ago and I can't remember.  I'm confidant that I wouldn't have used OSPF as Michael's article suggested.  The has since replaced MPLS with a second full connection in each site from a different provider.  If you do try this, I'd be interested in reading your results.

    Cheers - Bob
    PS Yes, "Virtually" instantaneous. :)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I haven't been able to reach Michael's site for awhile.  Are you?  I get "try again later."

    "The only thing I have in mind is to use dynamic routing and IPSec with bind tunnel to local interface."

    I think I did this with static routes, but it's been over a year ago and I can't remember.  I'm confidant that I wouldn't have used OSPF as Michael's article suggested.  The has since replaced MPLS with a second full connection in each site from a different provider.  If you do try this, I'd be interested in reading your results.

    Cheers - Bob
    PS Yes, "Virtually" instantaneous. :)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data