IPsec VPN failover between 2 XG firewalls that each have 2 WAN connections

What is the correct way to configure IPsec VPN with failover between 2 XG firewalls that each have 2 WAN connections?

I configured 4 IPsec tunnels (the 4 possible WAN combinations) and put those 4 on both sides in failover groups, but failover is not stable this way.

During failover both XG firewalls try to bring the IPsec tunnels online one by one, so you need some luck that both try the same tunnel at the same time.

  • Hi Stefan,

    As per my own troubleshooting and help from Sophos Support, we have discovered that the best way to implement a proper IPsec failover solution is to only have your failover groups on the Branch Office side (the one initiating the connection). Activate all four tunnels on the Head Office side, then create a failover group with all 4 IPsec tunnels in the correct order on the Branch Office side and switch it on. That should be it.

  • In reply to Barend Botes:

    Barend Botes

    Hi Stefan,

    As per my own troubleshooting and help from Sophos Support, we have discovered that the best way to implement a proper IPsec failover solution is to only have your failover groups on the Branch Office side (the one initiating the connection). Activate all four tunnels on the Head Office side, then create a failover group with all 4 IPsec tunnels in the correct order on the Branch Office side and switch it on. That should be it.
    I find this to be the best method. Unfortunately, we get a red VPN icon, which confuses us given the number of VPN connections we have. I wish there were a way to assign the VPNs for a site to a group without making them part of the failover, so that the icon remains green as long as 1 of the 2+ connections is up.