Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

IPsec Connections using two Uplinks and DDNS

Hello Community, here's the situation:

Head Office (HO):  two WAN uplink connections, both have static IPs.  One connection is 'cost based' and slower (backup WAN) and the other is quicker and has no traffic costs (primary WAN).  Weights have been configured in Network > WAN link manager to favor the primary connection with both being 'active'.

Branch Offices (BO): same as above with the following exception: Weights have been configured in Network > WAN link manager to favor the primary connection with primary being 'active' and backup WAN being 'backup' with failover rules configured.

Notes:

  • there are >20 branch offices
  • Appliances are running v20.0.2 MR-2-Build378

IPsec connections have been configured:

  • HO on primary WAN: respond only
  • HO on backup WAN: (not yet configured)
  • BO on primary WAN: initiator to DDNS of HO primary WAN
  • BO on backup WAN: initiator to DDNS of HO primary WAN

BO failover groups have been configured:  primary WAN > backup WAN

---

The problem is that if we lose the primary WAN at HO, we lose all IPsec connections to the BOs.

As far as I can tell, the only way to accomplish having a fully redundant failover system would be to configure failover connections on the HO Sophos for the >20 BO sites and then also configure each BO site to have two more IPsec failover connections for the HO backup WAN connection (one from primary WAN, another from backup WAN).  All in all, I'm really not looking forward to creating 60+ additional IPsec connections and all of the associated failover rules!

---

Previously, using UTM, "Uplink Interfaces" was an option when selecting the local interface but this has been removed in SFOS and I would really love to see that option restored.  Back in the UTM days, we'd just configure the IPsec connections at the BOs to use the DDNS of the UTM at HO.

Two feature requests:

  1. Restore the option of selecting "Uplink Interfaces" for the listening interface when configuring IPsec connections
  2. Restore the DDNS IP strategy similar to "Web service (IPv4)" where the appliance will update DDNS records with the primary WAN IP address

Open to suggestions if anyone has anything constructive or creative to add.



Added FR TAG
[edited by: Erick Jan at 12:34 AM (GMT -7) on 17 Oct 2024]
Parents
  • Is suggestion #2 specific to VPN, or in general? If it's more general, wouldn't you want DDNS to reflect the HO's working IP: primary first, backup if the primary is down? At least if DDNS can only handle one IP. If DDNS were fancy enough -- both in SFOS and the providers -- you could theoretically have both IP (primary and backup) reflected as A records with different priorities and let the far end decide, though perhaps congestion could cause the far end to jump to the backup (costing you $$).

  • Hello Wayne, thanks for your reply.

    Suggestion #2 was poorly worded:  instead of saying "primary WAN IP address" I should have said "active WAN IP address" since I would like to see the DDNS updated according to the WAN link manager's lowest weighted active connection.  Sure, that raises a bunch of 'what-ifs', but it's a start.

    To answer your question, I would say that DDNS be generally applied as I'm sure there are several other use-cases (IE: inbound SSL VPN client connections).

    I too thought of using my DDNS provider to create a backup strategy however the problem with the IPsec configuration remains (Suggestion #1) whereas the IPsec connection must be configured by selecting a specific inbound interface.

Reply
  • Hello Wayne, thanks for your reply.

    Suggestion #2 was poorly worded:  instead of saying "primary WAN IP address" I should have said "active WAN IP address" since I would like to see the DDNS updated according to the WAN link manager's lowest weighted active connection.  Sure, that raises a bunch of 'what-ifs', but it's a start.

    To answer your question, I would say that DDNS be generally applied as I'm sure there are several other use-cases (IE: inbound SSL VPN client connections).

    I too thought of using my DDNS provider to create a backup strategy however the problem with the IPsec configuration remains (Suggestion #1) whereas the IPsec connection must be configured by selecting a specific inbound interface.

Children
No Data