XG to XG RED VPN With Multiple WAN interfaces

Hi folks,

Does anyone know whether it is possible to create a RED VPN between XG devices using multiple WAN interfaces at the Branch and Head office?

e.g.

H.O WAN 1  ---------------RED TUN 1----------------------------   B.O WAN 1

H.O WAN 1  ---------------RED TUN 2----------------------------   B.O WAN 2

H.O WAN 2  ---------------RED TUN 3----------------------------   B.O WAN 1

H.O WAN 2  ---------------RED TUN 4----------------------------   B.O WAN 2

Best regards

Carlos

  • I guess you cannot perform 4 tunnels, but 2.

    The point is, XG is using a random outbound IP if not specified via CLI.

    https://community.sophos.com/kb/en-us/122999

    But this command relies on the destination.

    So basically you cannot use it 4 times to bind it properly. 

  • In reply to LuCar Toni:

    Hi LuCar Toni,

    Thanks for your response.

    Well, I already suspected this, but I would like to confirm :)

    It would be interesting to have an option to bind it.

    Best regards

    Carlos

  • In reply to Carlos Cesario:

    Let's wrap this topic up.

    I guess there is no real "reason" to build up 4 tunnels.

    This is the standard scenario.

    On AB you would say, Port1 is reachable with Interface A, PortB is reachable with Interface B.

    In Case of a Port not reachable.

    Question is, what is happening with your DNS? Because the Tunnel A-1 Is not there anymore, you could force XG to build up the Tunnel between A-2 with a DNS record.

    But: would there be a real use case for this? Because you will have a drop in "performance" anyway.

  • In reply to LuCar Toni:

    Hi LuCar, 

    The reason to use 4 tunnels is that I will use OSPF for routing across these tunnels; I like the IPsec Bind option in Cyberoam OS.

    With this I have total control over the path/routing/failover.

    Currently I have several Cyberoam OS devices using this model with IPsec, and I'm looking for a solution to convert it to Sophos XG.

    This is the reason :)

    Best regards

    Carlos

  • In reply to Carlos Cesario:

    Hi Carlos,

    You can set up 4 independent RED tunnels. But, if you need to apply Link Load Balancing (not failover), it would be possible with the release SFOS v18. So I think we need to wait for Sophos' SD-WAN feature which will be enabled on version 18.

    Cenk

  • In reply to Cenk Tezdiyar:

    Hi, thank you for your feedback.

    Well, how can I do the following, as LuCar said?

    Head office Port WAN 1 ------------ Branch office Port Wan 1

    Head office Port WAN 2 ------------ Branch office Port Wan 2

    I tried setting up firewall rules on the Head office allowing the specific traffic coming from Branch office port WAN 1 to Head office port WAN 1 on ports 3400 TCP and 3410 UDP, but it seems there is a global rule that allows it.

    I cannot control this traffic.

    Any tip!?

    Regards

    Carlos

  • In reply to Carlos Cesario:

    You have to build up two tunnels.

    Tunnel1: XG A is Server, XG B is Client.

    Tunnel2: XG A is Client, XG B is Server.

    https://community.sophos.com/kb/en-us/125101

    Client will always connect. So basically XG waits on all interfaces for a port 3400 connection.

    You have to control the client side: which interface should be used "outbound".

    The KBA has a small note:

    • If the RED server firewall has more than one WAN interface, a sys-traffic-nat rule is necessary to force a correct NAT for the RED server firewall. This can be done in the XG Firewall's console.

    https://community.sophos.com/kb/en-us/122999

    This will more or less build up redundancy in most scenarios.

  • In reply to LuCar Toni:

    Hi LuCar,

    Thanks again for your great suggestion.

    But sys-traffic-nat, or even a static route, does not work as expected with RED connections.

    Even using sys-traffic-nat or a static route on the client side, the RED connects via the other WAN interface (outbound interface). The RED connections do not respect this.

    Best regards

    Carlos
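
As an added example (not code from this thread, and not Sophos' own tooling), the following Python models two things the replies discuss: LuCar Toni's point that a NAT table for system-generated traffic keyed only on the destination can bind at most one local outbound IP per remote peer, so a full 2x2 mesh of RED tunnels cannot be pinned to distinct WAN interfaces; and a simple audit of observed tunnel endpoints against the intended WAN pairing, the kind of mismatch Carlos reports seeing on the server side. All addresses are constructed (RFC 5737 ranges), the rule table is an assumed simplification of a destination-keyed SNAT table, and the status-line format is invented for the example rather than real XG output.

```python
# Added example, not code from this thread or from Sophos. Models (1) a
# destination-keyed SNAT table for system traffic and (2) an audit of which
# WAN interface each RED tunnel actually used. Addresses, rule table and the
# status-line format are constructed assumptions, not real XG data.
import ipaddress
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]      # (destination network, SNAT/outbound IP)
Tunnel = Tuple[str, str]    # (local WAN IP, remote WAN IP)


def select_snat(rules: List[Rule], dst: str) -> Optional[str]:
    """Longest-prefix match of dst against destination-keyed SNAT rules.
    The lookup sees only the destination, never the intended tunnel."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net_s, snat in rules:
        net = ipaddress.ip_network(net_s, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, snat)
    return best[1] if best else None


def check_bindings(rules: List[Rule], desired: List[Tunnel]) -> List[Tuple[str, str, Optional[str], bool]]:
    """For each desired (local, remote) tunnel, report the outbound IP the
    table would really pick and whether it matches the intended local WAN."""
    report = []
    for local, remote in desired:
        actual = select_snat(rules, remote)
        report.append((local, remote, actual, actual == local))
    return report


def parse_status(lines: List[str]) -> Dict[str, Tunnel]:
    """Parse constructed 'tunnel=<name> local=<ip> peer=<ip> state=<s>' lines
    into {name: (local, peer)}, keeping only tunnels that are up."""
    tunnels: Dict[str, Tunnel] = {}
    for line in lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("state") != "up":
            continue
        tunnels[fields["tunnel"]] = (fields["local"], fields["peer"])
    return tunnels


def audit_tunnels(lines: List[str], expected: Dict[str, Tunnel]) -> List[str]:
    """Names of expected tunnels that are missing, down, or up on the wrong endpoints."""
    observed = parse_status(lines)
    return sorted(name for name, pair in expected.items() if observed.get(name) != pair)


# --- constructed scenario (RFC 5737 addresses) ------------------------------
HO_WAN1, HO_WAN2 = "198.51.100.2", "198.51.100.3"   # head office, RED client side
BO_WAN1, BO_WAN2 = "203.0.113.10", "203.0.113.20"   # branch office, RED server side

# One destination-keyed rule per remote peer is all such a table can express.
SNAT_RULES: List[Rule] = [(BO_WAN1 + "/32", HO_WAN1), (BO_WAN2 + "/32", HO_WAN2)]

DESIRED_MESH: List[Tunnel] = [
    (HO_WAN1, BO_WAN1), (HO_WAN1, BO_WAN2),
    (HO_WAN2, BO_WAN1), (HO_WAN2, BO_WAN2),
]

STATUS_LINES = [  # constructed, not real XG output
    "tunnel=red1 local=198.51.100.2 peer=203.0.113.10 state=up",
    "tunnel=red2 local=198.51.100.3 peer=203.0.113.20 state=up",
    "tunnel=red3 local=198.51.100.2 peer=203.0.113.10 state=up",  # should have left via HO_WAN2
    "tunnel=red4 local=198.51.100.2 peer=203.0.113.20 state=down",
]
EXPECTED: Dict[str, Tunnel] = {
    "red1": (HO_WAN1, BO_WAN1), "red2": (HO_WAN2, BO_WAN2),
    "red3": (HO_WAN2, BO_WAN1), "red4": (HO_WAN1, BO_WAN2),
}

if __name__ == "__main__":
    for local, remote, actual, ok in check_bindings(SNAT_RULES, DESIRED_MESH):
        print(f"{local} -> {remote}: table uses {actual} {'OK' if ok else 'MISMATCH'}")
    print("tunnels to investigate:", audit_tunnels(STATUS_LINES, EXPECTED))
```

Running it shows only two of the four desired tunnels can be bound by a destination-keyed table (the two where the chosen outbound IP happens to equal the intended WAN), and the audit flags red3 (up, but on the wrong local WAN) and red4 (down). The audit side is the check a practitioner would script against whatever status output their firewall exposes before trusting that traffic is taking the intended path.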

  • In reply to Carlos Cesario:

    I recently deployed this setup.

    Can you post your sys-nat rule? What did you insert into this rule? 

  • In reply to LuCar Toni:

    Hi LuCar,

    Sure....

    On Client Side

    [screenshot: sys-nat rule]

    [screenshot: Network interfaces]

    On Server Side

    [screenshot]

    As you can see, the remote IP address online is the IP address from interface Port B.

    regards

    Carlos