This discussion has been locked.

How to configure an IPsec VPN failover with 2 gateways on each end

Help me create an IPSEC failover for a headquarters and branch office with 2 gateways each. I would like to create a high availability scenario, as the links in both locations fluctuate a lot.

I thought about doing it like this:

The Branch initiates and the Headquarters responds.

ISP1 (Branch)      <>  ISP1 (headquarters)
ISP2 (Branch)


ISP1 (Branch)     <>   ISP2 (headquarters)
ISP2 (Branch)

In this scenario I am considering that Matrix would respond to any of the gateways that initiate.

But I also thought about this other scenario:

ISP1 (Branch) <> ISP1 (headquarters)
ISP2 (Branch) <> ISP1 (headquarters)
ISP1 (Branch) <> ISP2 (headquarters)
ISP2 (Branch) <> ISP2 (headquarters)

I'm in doubt whether to use 4:2 or 4:4 serial connections.



  • Hi Lais,

    Thank you for reaching out to Sophos Community.

    I would recommend reaching out to your Sales Partner/Sales Engr as this query would be best answered by them so that they can fully check your resources and requirements. 

    As you have stated, the current tunnel fluctuates a lot. What could happen if you added more VPNs? Therefore, kindly contact them to further assist you with your environment.

    Erick Jan

    Global Community Engineer, Support & Services

  • Hi Lais Medeiros,

    It is simple. Just go to Site-to-Site VPN > IPSec > Failover group > Select (Add) > Name Group > Select available connections ISP1 and ISP2 > Checkmark (automatic failback option) > Save.

    Thanks,

    Vaibhav