
Site-to-Site IPSec VPN Mesh

I have 6 Mbps ILLs at 10 branch locations with Sophos (XG105-115) / Cyberoam (25ing-50ing) firewalls. Currently I have IPsec tunnels towards HO (2 ILLs with 25 Mbps on a Sophos XG330) from all the 10 locations (hub-spoke) and use the same as a backup link, but at times the branch locations also need to connect to each other. Is there any way I can create a mesh / star / any-any topology using IPsec tunnels, so that all the locations are connected to each other?


Any KB / article, or if someone has achieved this, please guide me.

  • Hi Ajay,

    the only way is to manually configure an IPsec VPN between each site.

    You'll need to connect every branch with nine other branches (in total 55 VPN definitions).

     

    unfortunately (or luckily) there is no comfortable way to do this automatically.

     

    Yours Lukas

    lna@cema

    SCA (utm+xg), SCSE, SCT

    Sophos Platinum Partner

  • Hello Lukas,

     

    Thanks for the suggestion, that's what I thought first. But wouldn't there be any way with dynamic routing, OSPF/BGP etc.? SonicWall firewalls do support this.

    Also, the XG330 might take the processing load of so many IPsec tunnels, but would the XG105 be able to do so? Also, the monitoring and configuration would not be that simple. I may be wrong on this, just a thought.

    I feel there should be a feature for IPsec VPN mesh.

  • Maybe you could replace IPsec with RED site-to-site and use BGP/OSPF.

    You would start by choosing 2 HQs (bigger appliances), which all sites use to build up a site-to-site, and afterwards all routing will be done with OSPF/BGP.

    RED is a Layer 2 (MPLS-like) protocol.

    So after all you will have per site only two site-to-site RED connections.

    And the HQs will have X (however many sites you have).

    Keep in mind: you can use only one HQ, but this will break in case this HQ goes down.
