
Redundancy for Site-to-Site VPN

Hello,

I read a lot about redundancy for Site-to-Site VPN but I found no topic which matches my case, so I hope someone can help.

My UTM has one uplink interface and there is an IPsec tunnel to the remote site, which has two WAN interfaces. We have the problem that the VPN tunnel sometimes fails because of routing errors in the WAN infrastructure; then we change the interface/gateway on both sites to the second interface of the remote site and everything works (these are two different providers and it's a known problem).

Now we want to have an automatic failover for that case. The VPN tunnel should be established between my site and the primary WAN interface of the other site, and if it fails it should fail over to the secondary WAN interface automatically. How can I achieve this?

My idea:

Local Site A:
Local Interface -> A-WAN1
Remote Gateway -> Availability Group (B-WAN1, B-WAN2)

Remote Site B:
Local Interface -> Interface Group (B-WAN1, B-WAN2)
Remote Gateway -> A-WAN1

How does the UTM recognize that it has to fail over to the second interface in an interface group? Both interfaces have an internet uplink all the time and only the VPN connection fails on the first interface because of the mentioned routing issues.

Thanks!

  • Hello Redhorse2017,

    there are several possibilities to have redundancy for S2S VPN.

    1. Two active VPN connections (Type: "initiate connection") with load balancing.

        A-WAN1 - B-WAN1 and A-WAN1 - B-WAN2

    2. One active (A - Remote Gateway Type = "Respond only") and multipath routing at site B (IPsec over WAN1, skip rule on interface error). Uplink monitoring manual with tracking to A-WAN1

    3. (not tried yet) Uplink monitoring at site A with action "activate IPsec connection" to B-WAN2

    I have not tried availability groups with VPN.

    If both B-WAN1 and B-WAN2 have the same speed I would try load balancing.

    Here is an interesting article (sorry, in German): https://community.sophos.com/products/unified-threat-management/f/german-forum/115525/sophos-utm-multiple-s2s-ipsec-vpn-mit-failover-tutorial-de

    and here: https://community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access/55346/multiple-wan-and-vpn-site-to-site-separation-and-failover

    Good luck

    CS

    Sophos Certified Architect (UTM + XG)

  • CS said:
    1. Two active VPN connections (Type: "initiate connection") with load balancing.

        A-WAN1 - B-WAN1 and A-WAN1 - B-WAN2

    If both B-WAN1 and B-WAN2 have the same speed I would try load balancing.

    B-WAN2 should only be used in case of failure, so load balancing is no option. Just out of interest, how would I configure load balancing for IPsec?

    CS said:
    2. One active (A - Remote Gateway Type = "Respond only") and multipath routing at site B (IPsec over WAN1, skip rule on interface error). Uplink monitoring manual with tracking to A-WAN1

    That was my idea, too. But uplink monitoring is a global option, isn't it? It would be great to have uplink monitoring just for this IPsec connection, because there are several IPsec VPNs and services used on the remote UTM.

    Thanks for the links, I already knew them, and it doesn't matter, I'm German :)

  • redhorse2017 said:

     Just out of interest, how would I configure load balancing for IPsec?

    This is the magic box: Bind tunnel to local interface

    Online help says:

    "Bind tunnel to local interface: By default, the option is unselected and all traffic originating from the selected local networks and going to the defined remote networks will always be sent through this IPsec tunnel. It is not possible to have multiple identical tunnels on different interfaces because the selector would always be the same. However, if enabled, the defined IPsec selector will be bound to the selected local interface. Thus it is possible to either bypass IPsec policies with static routes or define redundant IPsec tunnels over different uplinks and use multipath rules to balance traffic over the available interfaces and their IPsec tunnels. Use cases for this setting are for example: 

    • Bypass IPsec policies for local hosts which belong to the remote network through static routes.
    • Balance traffic based on layer 3 and layer 4 with multipath rules over multiple IPsec tunnels or MPLS links with automatic failover.

    Note – This option cannot be used in combination with an interface group."

    This should be enabled at site B.

    Good luck!

    CS

    PS: I could have delivered German answers faster ;-)

    Sophos Certified Architect (UTM + XG)

  • CS said:
     This is the magic box: Bind tunnel to local Interface

    Thanks :) I fear the multipath rule will just check the availability of the interfaces and not of the VPN tunnel. In my case the interfaces were available but the routing to the remote gateway is not possible and therefore the VPN tunnel is down. So I think that I can't use this option for my requirements.

    Now, just for clarification:

    CS said:
    1. One active (A - Remote Gateway Type = "Respond only") and Multipath Routing at the site B (IPSEC over WAN1, skip rule on interface error). Uplink monitoring manual with tracking to A-WAN1

    I can't use uplink monitoring in this case just for a VPN connection with user-defined targets (A-WAN1)?

  • Hi redhorse2017,

    You must not use the automatic monitoring. Just use the corresponding WAN interfaces of the remote site (Interfaces / Uplink Balancing / Monitoring).

    Sophos Certified Architect (UTM + XG)

  • CS said:

    You must not use the automatic monitoring. Just use the corresponding WAN interfaces of the remote site (Interfaces / Uplink Balancing / Monitoring).

    Yes, but in this case the remote UTM would fail over for all connections of the remote UTM, although there is just an issue with the routing to the local WAN interface for that VPN tunnel. That behaviour is not wanted, so I need a solution just for this special VPN tunnel.

  • redhorse2017 said:

     Yes, but in this case the remote UTM would fail over for all connections of the remote UTM, although there is just an issue with the routing to the local WAN interface for that VPN tunnel. That behaviour is not wanted, so I need a solution just for this special VPN tunnel.

    Then take a RED15 or RED50 for site A and connect it to a new interface.
    You can configure the RED to do load balancing or failover to B-WAN1 and B-WAN2.
    On site B give the RED interface a new transit network and use it with normal routing to site A.
    On site A make a route to site B via the transit network.
    So you should have a direct connection between the UTMs with redundant VPN.

    PS: I already have something like this running somewhere.

    CS

    Sophos Certified Architect (UTM + XG)

  • CS said:

    Then take a RED15 or RED50 for site A and connect it to a new interface.
    You can configure the RED to do load balancing or failover to B-WAN1 and B-WAN2.
    On site B give the RED interface a new transit network and use it with normal routing to site A.
    On site A make a route to site B via the transit network.
    So you should have a direct connection between the UTMs with redundant VPN.

    That looks like a good solution, I will discuss that internally.

    Thanks!

  • Thanks guys for discussing all of this in English - that way many more people will understand! [:)]

    Two thoughts...

    First, the "classic" approach is described in Auto-Failover IPsec VPN Connections and it's exactly as the opening post suggested.

    Second, an SG 115 with Network Protection subscriptions is cheaper, faster and more flexible than a RED 50 with warranty extensions. A RED 15 does make sense if it's fast enough for the connection speed.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA