
Site 2 Site IPSec VPN via direct Link (no WAN)

Hi Guys,

I have a special configuration request.

We have two sites with a UTM and a more or less direct connection of two links (via Cat7 and fibre optics).

The sites are not really close, so I need to configure a VPN on those links to prevent a man-in-the-middle possibility.

 

This is my current Setup:

Site A

-- eth2: 10.10.10.1

-- eth3: 10.10.20.1

 

Site B

-- eth2: 10.10.10.2

-- eth3: 10.10.20.2

 

IPsec VPNs between Site A eth2 and Site B eth2, as well as Site A eth3 and Site B eth3, are working...

But now I want to set up multipath or failover with the eth2 connection as primary and the eth3 connection as secondary, and this is where I'm stuck.

 

Does anybody have an idea?

Thanks in advance.



  • I would create a LACP link and run the VPN over the virtual interface.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk, thanks for the reply.

    LACP would be a good idea, but it's possible that there will be some changes in the future which will break the LACP possibilities (transit router network in between).

     

    Had some tests with availability and interface groups on my IPsec VPN.

    The availability group switches perfectly fine to the other gateway defined as primary, but the interface will not switch...

    If primary is up, it's as follows:

    Internal-Network --> eth2 -------------- eth2 --> Remote-Network  - everything works fine

    If primary is down it's like this:

    Internal-Network --> eth2 -------------- eth3 --> Remote-Network  - VPN doesn't start (of course)

     

    I tried to bind the Remote Gateway host definitions to the respective interfaces.

    I tried static routes and Uplink Balancing in different ways.

    It's like standing in the woods and not seeing any trees...

    Regards,

    Thorsten

    ---------------------------------------------------------------------

    Using Sophos XG or UTM with Wifi Hotspot and Password of the Day?
    Try our FREE Password of the Day APP!

    For Sophos UTM
    Apple iOS: https://apple.co/1YzD2vU
    Google Android: https://bit.ly/23ELyRq
    For Sophos XG
    Apple iOS: https://appsto.re/de/aZjTdb.i
    Google Android: https://bit.ly/2bbimf1
  • I admit I don't see the picture of where you want to go, Thorsten, but it seems like you're over-complicating this.

    "Availability-Group switches perfektly fine to the other Gateway defined as primary, but the Interface will not switch..."

    Please show pictures of the Edits of the configuration on both sides - IPsec Connection and Remote Gateway, Interface Group and Availability Group.

    Are the direct connections eth2 and eth3 or are they in addition to these two connections?  If in addition, would you want the ISP connection in each site to be the third choice for the VPN connection?

    Do you want the VPN connection(s) between the sites to provide backup Internet connection if one site's ISP goes down?

    Like I said, I can't see where you are or where you want to go.  How about a simple stick diagram of now and one of after?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA