
Issues setting up Azure IPsec site-to-site VPN with automatic failover

Hi guys and girls,

I'd like to configure 2 IPsec VPN tunnels to Azure over 2 WAN links so that if a WAN link fails, it automatically fails over to the second IPsec tunnel. On the Azure side it would be configured to use BGP so that the routes are advertised on the correct tunnel for both sides. I configured it as follows.

Sophos (v19.5.1): 2 tunnel interfaces (xfrm), each specified as a gateway without health check so it can be used with SD-WAN

Azure: 1 virtual network gateway and 2 connections, one for each tunnel interface

On the Sophos side the route to Azure is set up as an SD-WAN route. The thing is, I'm not able to ping the Azure BGP IP address, nor make a TCP connection to port 179, nor reach anything else (a VM or ADDS or something) using this xfrm interface. How would I be able to configure 2 IPsec connections to 1 virtual network gateway so that it will fail over automatically? The only other posts I can find about this exact topic are all closed and have no response about how to solve it.
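The symptom above (no ICMP and no TCP/179 to the BGP peer over the xfrm interface) can come from three different layers: the tunnel interface not being up, the route to the peer not actually leaving via that interface, or the tunnel being up while the peer simply does not answer. The script below is an added example for separating those cases from the firewall's Linux shell; it is not part of the original post and not Sophos code. It assumes iproute2, `ping` and `nc` are available, and the interface name `xfrm1` and peer address `10.0.0.254` are placeholders for the real tunnel interface and Azure BGP peer IP.

```shell
#!/bin/sh
# Added diagnostic helper (example only, not from the original post or Sophos).
# Assumed: run on a Linux shell with iproute2, ping and nc available.
# "xfrm1" and "10.0.0.254" are placeholders for the tunnel interface and the
# Azure virtual network gateway's BGP peer address.

# Pure text check: does an `ip route get PEER` result leave via the expected
# interface? Kept free of side effects so it can be exercised offline.
route_via_iface() {
    # $1 = output of `ip route get PEER`, $2 = expected interface name
    case " $1 " in
        *" dev $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the two probes into a verdict that tells the layers apart.
classify_probe() {
    # $1 = 1 if ICMP echo answered, $2 = 1 if TCP/179 connected
    if [ "$1" -eq 1 ] && [ "$2" -eq 1 ]; then
        echo "bgp-reachable"      # tunnel up and peer listening on 179
    elif [ "$1" -eq 1 ]; then
        echo "icmp-only"          # tunnel up, BGP not answering (peer/ASN config)
    else
        echo "unreachable"        # tunnel or routing problem, check IPsec first
    fi
}

# Run the live checks against one tunnel interface and its BGP peer.
check_peer() {
    iface=$1; peer=$2
    if ! ip link show "$iface" >/dev/null 2>&1; then
        echo "interface $iface does not exist"; return 2
    fi
    rt=$(ip route get "$peer" 2>/dev/null)
    if ! route_via_iface "$rt" "$iface"; then
        echo "route to $peer does not use $iface: $rt"; return 3
    fi
    # One echo request with a 2 s timeout.
    ping -c 1 -W 2 "$peer" >/dev/null 2>&1 && icmp=1 || icmp=0
    # -z only tests the TCP handshake to port 179, no data is sent.
    nc -z -w 2 "$peer" 179 >/dev/null 2>&1 && tcp=1 || tcp=0
    classify_probe "$icmp" "$tcp"
}

# Usage: check_peer xfrm1 10.0.0.254   (placeholder values, see above)
```

Run `check_peer` once per tunnel interface. A return code of 2 or 3 points at the firewall side (interface or SD-WAN route), "unreachable" usually means the IPsec SA for that tunnel is not established, and "icmp-only" means the tunnel carries traffic but the BGP session itself is the thing to look at.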

Hi LuCar, thanks for your response!

The Sophos firewall would be needed separately from the virtual network gateway because our 'standard' is to deploy Azure VPN.

Because of the extra expense paid only for this failover situation, is there another possibility in this situation that you can think of, or is the Sophos firewall as a VM in Azure the only possibility?