
Double Redundancy in IPsec Site-to-Site Tunnel with Static and Dynamic IP Addresses

I'm trying to wrap my head around a problem that a customer of ours brought up to me.

He has a Central-IT that has a 100M synchronous line with static IPv4 address(es) and a 50M V-DSL backup line with a dynamic public IPv4 address. In the central office they have two SG230 in HA Active-Standby.

Additionally they have a Branch-Office with only 5 users (Customer-Managers) that has two SG115 (Active-Standby HA) which are only connected via IPsec to the Central-IT. No extra Internet access. The customer chose the two SG in HA over a REDxx. Here he has a 10M synchronous line with static IPv4.

Last week the line was killed by an excavator and the repairs took 3 days!!! So their Customer-Managers had to drive 90km to the Central-Office for their work... Long story short: they have to build up a backup via LTE/UMTS. (Seems that managers can get really angry...)

Because there is a Sophos HA-Cluster on the remote site, I thought of using an LTE router (e.g. TELTONIKA RUT-950) because of the easier integration into the system (only interfaces and no UMTS-stick hardware), and he only needs one SIM card and one good router (I have used this already 4 times and it never gave me a headache - just for regular Internet access).

The multipath rules basically are not my problem (I know how to configure them), but the IPsec tunnel gives me headaches (a lot).

The customer wants me to create a solution that uses the static-IP WAN connections as primary IPsec connections and automatic fallbacks on BOTH sides of the tunnel with the dynamic-IP WAN connections.

4 possible connections:
1. default (static-to-static),
2. Remote static to Central dynamic,
3. Remote dynamic to Central static and
4. Remote dynamic to Central dynamic

Is this possible? Please give me any of your ideas.


My thoughts were something like the following:

1. Central IT: Create a WAN Availability Group containing the following >> Static WAN Conn + >> DynDNS host of dynamic WAN Conn (for auto resolution)
- Multipath rule to check static IP of Remote-GW and some others aka. Google & Amazon >> if IF down, activate dynamic WAN Conn.
- Site-to-Site: use Availability Group as local GW address &
- create an Availability Group for the Remote-Office containing the "static IP" and the "dynamic DNS host" of the Remote-Office

2. Remote Office: Create a WAN Availability Group containing the following >> Static WAN Conn + >> DynDNS host of dynamic WAN Conn (for auto resolution)
- Multipath rule to check static IP of Remote-GW and some others aka. Google & Amazon >> if IF down, activate dynamic WAN Conn. (here connection to the UMTS router)
- Site-to-Site: use Availability Group as local GW address
- create an Availability Group for the Central-Office containing the "static IP" and the "dynamic DNS host" of the Central-Office

3. Change the Remote-GWs in both IPsec configs to address the remote Availability Group (containing the remote static IP AND the remote dynamic-IP DNS host name).

Your Ideas?
Will this work?

Have you tried something like this?

Will this all die because (correct me if I'm wrong) I thought that a UMTS router will normally get only an IPv6 address in Germany? (Network provider can be chosen freely if you know one that provides IPv4 - if needed)

Chances to resolve this problem?

Will the automatic Fallback work?

Is there already a complete setup guide / best-practices guide that I overlooked?

Thank you all for your help and input.

Franz

  • You're on the right path with the availability group, however you use those on both sides of the connection to define the "remote" gateway. For your local connection you can create an Interface group under Interfaces, where you can group the static and dynamic Internet connections. This interface group is what you use as your "local" interface on both sides.

    Another option that may work but which I never tested is the following:

    Just create 4 IPsec connections and bind them to the local interface (otherwise you cannot create multiple IPsec connections between two networks). You can then define static routes with different metrics for the 4 connections. Probably you only want to give the static-static connection a lower metric and the 3 other connections are all "equal"; I guess they may all use the same (but higher) metric than the static-static connection.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
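The second option in the reply above (four IPsec connections, one static route each, the static-static route with the lowest metric and the three fallbacks sharing a higher one) can be checked on paper before touching the firewalls. The model below is an added example written for this thread, not a Sophos configuration and not code from either poster: it resolves DynDNS names through a constructed lookup table instead of real DNS, marks each WAN link up or down, and picks the tunnel the way a route table with metrics would. All addresses and host names are constructed placeholders from the documentation ranges. It also shows the edge case the original question worries about: when the branch static line is cut and the branch DynDNS name has not been updated yet, no tunnel is usable at all, which is why the DynDNS client and the multipath rule must switch before the fallback route can take over.

```python
"""Model of the four-tunnel IPsec fallback with route metrics (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed endpoint values (RFC 5737 documentation ranges, hypothetical DynDNS names).
CENTRAL_STATIC = "203.0.113.10"
CENTRAL_DYNDNS = "central.dyndns.example"
REMOTE_STATIC = "198.51.100.20"
REMOTE_DYNDNS = "branch.dyndns.example"

# Stand-in for DNS: a real deployment resolves these names when the tunnel (re)negotiates.
DNS_TABLE: Dict[str, str] = {
    CENTRAL_DYNDNS: "192.0.2.77",
    REMOTE_DYNDNS: "192.0.2.88",
}


def resolve(endpoint: str, table: Dict[str, str] = DNS_TABLE) -> Optional[str]:
    """Return the IPv4 literal for a static address or a DynDNS name, None if unresolved."""
    if endpoint[0].isdigit():          # already an IPv4 literal
        return endpoint
    return table.get(endpoint)         # DynDNS name: may be stale or missing


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: str     # branch-side WAN endpoint (static IP or DynDNS name)
    remote: str    # central-side WAN endpoint
    metric: int    # static-route metric; lower wins


# Connection 1 gets the lowest metric; the three fallbacks share a higher one, as in the reply.
TUNNELS: List[Tunnel] = [
    Tunnel("static-static", REMOTE_STATIC, CENTRAL_STATIC, metric=10),
    Tunnel("static-dynamic", REMOTE_STATIC, CENTRAL_DYNDNS, metric=20),
    Tunnel("dynamic-static", REMOTE_DYNDNS, CENTRAL_STATIC, metric=20),
    Tunnel("dynamic-dynamic", REMOTE_DYNDNS, CENTRAL_DYNDNS, metric=20),
]


def tunnel_usable(t: Tunnel, link_up: Dict[str, bool],
                  table: Dict[str, str] = DNS_TABLE) -> bool:
    """A tunnel can establish only if both endpoints resolve and both WAN links are up."""
    if resolve(t.local, table) is None or resolve(t.remote, table) is None:
        return False
    return link_up.get(t.local, False) and link_up.get(t.remote, False)


def select_tunnel(link_up: Dict[str, bool], tunnels: List[Tunnel] = TUNNELS,
                  table: Dict[str, str] = DNS_TABLE) -> Optional[str]:
    """Return the name of the usable tunnel with the lowest metric, or None.

    min() keeps the first element among equal keys, so the admin-chosen order of the
    three equal-metric fallbacks decides the tie, exactly as a route table would need
    some deterministic tiebreak.
    """
    candidates = [t for t in tunnels if tunnel_usable(t, link_up, table)]
    if not candidates:
        return None
    return min(candidates, key=lambda t: t.metric).name


def all_links(**overrides: bool) -> Dict[str, bool]:
    """Helper: every WAN link up unless overridden (keys are the endpoint constants)."""
    state = {CENTRAL_STATIC: True, CENTRAL_DYNDNS: True,
             REMOTE_STATIC: True, REMOTE_DYNDNS: True}
    state.update(overrides)
    return state


if __name__ == "__main__":
    # Walk through the excavator scenario: branch static line cut, then central static too.
    print(select_tunnel(all_links()))                                   # static-static
    print(select_tunnel(all_links(**{REMOTE_STATIC: False})))           # dynamic-static
    print(select_tunnel(all_links(**{REMOTE_STATIC: False,
                                     CENTRAL_STATIC: False})))          # dynamic-dynamic
    # Branch line cut AND branch DynDNS not yet updated: nothing can come up.
    print(select_tunnel(all_links(**{REMOTE_STATIC: False}),
                        table={CENTRAL_DYNDNS: "192.0.2.77"}))          # None
```

The order of `TUNNELS` is the only thing that decides which of the three equal-metric fallbacks wins; if that choice matters (for instance, preferring the central static endpoint so the central DynDNS name is never needed), either order the list accordingly or give the three routes distinct metrics instead of equal ones.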

  • Thanks Apijnappels,

    the hint with the interface-group is a killer.

    Took me about a day to fully understand, but yeah its great!

    Tried everything in my test environment, but now the customer doesn't want it any more... :-(

    That doesn't matter to me. I learned something. This is great.

    Thank you again.

    Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009