This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Routing system generated traffic via IPSEC with failover

Hi all

I have a site where the XGS2100 is currently set to authenticate against the local AD Domain Controller. The DC is planned to move off-site and so the XGS will need to authenticate to the DC via IPSEC - the DC will be hosted behind an OpnSense firewall in the new location. I have followed the guide here (Route system-generated authentication queries through an IPsec tunnel - Sophos Firewall) and can successfully reach the DC. The catch is that the XGS has 2 internet connections with IPSEC set up with a Failover group, and the XGS must be able to reach the DC via either of the IPSEC tunnels. How can I achieve the desired outcome here?

This thread was automatically locked due to age.

0 Symlogia Pty Ltd 10 months ago

2 months - 339 views and not a single reply... no-one has ANY insight?
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J 10 months ago

Hi Patrick Moore ZA

Did you try below link for ipsec failover :

Sophos Firewall: Configure an IPsec VPN failover with multiple connection

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Patrick Moore ZA 7 months ago in reply to Bharat J

Apologies for the late reply - this was moved to the backburner for a while. The article referenced is for normal IPSEC traffic - I have this running already, but I needed to route SYSTEM-GENERATED traffic through the IPSEC tunnels WITH failover. Your linked article does not apply to system-generated traffic.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J 7 months ago in reply to Patrick Moore ZA

Thanks for your update. I am more clear now about the requirement

Please correct me if I am wrong here

IPSec VPN between Sophos XGS2100 and OpnSense firewall is working with Route base IPSec VPN and SYSTEM-GENERATED D traffic through the IPSEC tunnel, where your DC is connected to OpnSense firewall and you can authentication users with DC under Sophos XGS2100.

Now above configuration is done with ISP1 for IPSec site to site and you want to connect IPSec with another ISP 2, so that if ISP1 fails, IPSec route base VPN should work with ISP 2, if yes below would be the configuration link

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=ConfigureRBVPNISPs

Please post the in case above configuration steps if already done and not working.

Regards

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel