
Use VPN over LTE as backup for layer 2 line.

Hi,

there are already some posts with great explanations regarding VPN as a backup for MPLS or layer 2 links.

My situation is slightly different and I would appreciate it if anybody has an idea for a best-practice solution.

There are two UTMs. One in an office and one in a data center.

The office has no local internet access for regular usage but is linked via a layer 2 connection to the data center. All traffic, including internet, goes through the layer 2 link from the office to the DC.

The office has an LTE router with limited but sufficient monthly traffic to set up an emergency-use VPN if the layer 2 connection goes down.

There is no need to route any internet traffic to the local ISP in the office. From the data center, only traffic destined for the office should be routed to the office. There is no need to use the office LTE internet from the DC in any case.

The office LAN is 10.0.20.0/24 with interface 10.0.20.1 on UTM2. The uplink interface, 10.0.100.3/30, carries the default gateway and is connected to the layer 2 link. The LTE interface, 192.168.0.2/24, is linked to the LTE router.

The data center LAN is 10.0.10.0/24 with interface 10.0.10.1 on UTM1. Interface 10.0.100.2/30 is connected to the layer 2 link. The Internet interface, with a certain public IP, is linked to the data center ISP.

Thanks in advance!

Kind regards

Philipp



  • Hallo Philipp and welcome to the UTM Community!

    It's possible to use an IPsec site-to-site for this, but a RED (Remote Ethernet Device) connection is easier.

    In UTM 1 (DC), create a RED Server and download the Client to be used in UTM 2.  Create an Interface using the reds0 virtual NIC and assign it (for example) 172.31.1.1/30.

    Upload the Client to UTM 2 and create an Interface using the redc0 virtual NIC, assigning it 172.31.1.2/30 with default gateway of 172.31.1.1.  Make a Multipath rule in the first position binding 'Any -> RED -> {public IP of UTM 1}' to the LTE interface.  In the second position, make another rule binding 'Any -> Any -> Any' to the Interface connected to the layer 2 link.  Finally, create a Masquerading rule '{Office LAN} -> {RED Interface}'.

    I don't think I forgot anything - did that work?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
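Bob's two Multipath rules and the Masquerading rule, traced as a small first-match simulation of the branch UTM (UTM2). This is an added example, not code from the thread or from Sophos: it assumes that a Multipath rule whose outgoing interface is down is skipped, so the packet falls back to the routing table and its default gateway 172.31.1.1 through the RED tunnel, and it uses 203.0.113.10 as a placeholder for UTM1's real public IP. It also shows why office hosts reach UTM1 only as 172.31.1.2 once they ride the tunnel, and what happens to the tunnel itself if the two rules are swapped.

```python
"""Policy-routing walk-through for the branch UTM (UTM2) in this thread.

Added example, not Sophos code.  It models Bob's two Multipath rules and the
Masquerading rule as first-match tables and shows which uplink a packet takes
with the layer 2 link up and with it down.  Assumptions: a Multipath rule whose
outgoing interface is down is skipped and the packet falls back to the routing
table (default gateway 172.31.1.1 via the RED tunnel); UTM1's public IP is the
TEST-NET placeholder 203.0.113.10.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set

ANY = ip_network("0.0.0.0/0")
OFFICE_LAN = ip_network("10.0.20.0/24")       # from the original post
UTM1_PUBLIC_IP = ip_address("203.0.113.10")   # placeholder for UTM1's real public IP
RED_IF_IP = ip_address("172.31.1.2")          # redc0 on UTM2 (Bob's example)
RED_GW = ip_address("172.31.1.1")             # reds0 on UTM1 (Bob's example)


@dataclass(frozen=True)
class MultipathRule:
    src: IPv4Network
    service: Optional[str]   # None stands for "Any"
    dst: IPv4Network
    out_iface: str

    def matches(self, src: IPv4Address, dst: IPv4Address, service: str) -> bool:
        return src in self.src and dst in self.dst and self.service in (None, service)


# Rule order as Bob gives it: tunnel traffic pinned to LTE first, everything else to L2.
RULES: List[MultipathRule] = [
    MultipathRule(ANY, "RED", ip_network(f"{UTM1_PUBLIC_IP}/32"), "LTE"),
    MultipathRule(ANY, None, ANY, "L2"),
]


def choose_uplink(src: str, dst: str, service: str,
                  link_up: Dict[str, bool],
                  rules: List[MultipathRule] = RULES) -> str:
    """First Multipath rule that matches and whose interface is up decides;
    with no usable rule the packet follows the default route into the RED tunnel."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, service) and link_up.get(rule.out_iface, False):
            return rule.out_iface
    return "RED"   # default gateway RED_GW is reached through redc0


def masquerade(src: str, uplink: str) -> str:
    """Masquerading rule 'Office LAN -> RED Interface': office sources leaving
    through the tunnel are rewritten to the redc0 address, others are untouched."""
    if uplink == "RED" and ip_address(src) in OFFICE_LAN:
        return str(RED_IF_IP)
    return src


def forward(src: str, dst: str, service: str, link_up: Dict[str, bool]):
    """Return (uplink, source address as seen by the next hop) for one packet."""
    uplink = choose_uplink(src, dst, service, link_up)
    return uplink, masquerade(src, uplink)


def tunnel_sources_seen_at_dc(office_hosts: List[str], link_up: Dict[str, bool]) -> Set[str]:
    """Distinct source IPs UTM1 sees arriving over the RED tunnel, i.e. the
    addresses that would hit its user-license counter."""
    seen: Set[str] = set()
    for host in office_hosts:
        uplink, visible_src = forward(host, "10.0.10.5", "https", link_up)
        if uplink == "RED":
            seen.add(visible_src)
    return seen


if __name__ == "__main__":
    for state, link_up in (("L2 up  ", {"LTE": True, "L2": True}),
                           ("L2 down", {"LTE": True, "L2": False})):
        print(state, "office host ->", forward("10.0.20.50", "10.0.10.5", "https", link_up))
        print(state, "RED tunnel  ->", forward("192.168.0.2", str(UTM1_PUBLIC_IP), "RED", link_up))
    # With the rules reversed, the tunnel itself would ride the layer 2 link while
    # it is up, i.e. depend on the very link it is supposed to back up.
    print("reversed order, L2 up ->",
          choose_uplink("192.168.0.2", str(UTM1_PUBLIC_IP), "RED",
                        {"LTE": True, "L2": True}, rules=list(reversed(RULES))))
    print("sources counted at UTM1 during failover:",
          tunnel_sources_seen_at_dc(["10.0.20.10", "10.0.20.11", "10.0.20.12"],
                                    {"LTE": True, "L2": False}))
```

The model deliberately keeps the RED rule in first position: a tunnel that is only ever carried by the LTE interface stays up independently of the layer 2 link, so failover is just the office traffic sliding from rule 2 to the default route. The `tunnel_sources_seen_at_dc` helper makes Bob's later licensing remark concrete: however many office hosts fail over, UTM1 only ever sees 172.31.1.2.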
  • Hi Bob,

    thank you for your advice. I'll try it and give you feedback.

    The UTM in the data center is a software appliance with a limited license of network users. IPs in connected RED networks affect license counters on the RED host UTM. How will a fully licensed connected UTM influence the license counter on the host UTM?

    Cheers

    Philipp

  • In my example, 172.31.1.2 will be the only additional IP counted as all traffic from the office LAN will be masqueraded.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    it took me longer than expected to test your suggested approach. Sorry for that.

    Overall it works brilliantly. I just had to add a static route on the data center UTM towards the branch UTM.

    I even managed to configure traffic to be routed directly through the transfer net of the layer 2 link when it is present, instead of routing it through the RED tunnel in any case. This seems to increase throughput in high-load situations. It took a while to manage prioritized routing for this case. For routing from branch to DC the multipath rules do a good job. For routing from DC to branch I had to learn that you may not define multiple static routes for the same target with different metrics. But defining a gateway route with an availability group as a target seems to work. Would you agree that this is the right approach?

    Thanks again.

    Cheers

    Philipp

  • I would have thought that Interface routes with different metrics would work, Philipp, but your solution is just as elegant.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA