IPsec VPN failover between 2 XGs, each with 2 WAN connections

What is the correct way to configure an IPsec VPN with failover between 2 XG firewalls, each with 2 WAN connections?

I configured 4 IPsec tunnels (the 4 possible combinations) and put those 4 into a failover group on both sides, but failover is not stable this way.

During failover, both XG firewalls try to bring the IPsec tunnels online one by one, so you need some luck for both to try the same tunnel at the same time.

  • Hi Stefan,

    As per my own troubleshooting and help from Sophos Support, we have discovered that the best way to implement a proper IPsec failover solution is to only have your failover group on the Branch Office side (the one initiating the connection). Activate all four tunnels on the Head Office side, then create a failover group with all 4 IPsec tunnels in the correct order on the Branch Office side and switch it on. That should be it.