IPsec Connections using two Uplinks and DDNS

Hello Community, here's the situation:

Head Office (HO):  two WAN uplink connections, both have static IPs.  One connection is 'cost based' and slower (backup WAN) and the other is quicker and has no traffic costs (primary WAN).  Weights have been configured in Network > WAN link manager to favor the primary connection with both being 'active'.

Branch Offices (BO): same as above with the following exception: Weights have been configured in Network > WAN link manager to favor the primary connection with primary being 'active' and backup WAN being 'backup' with failover rules configured.

Notes:

  • there are >20 branch offices
  • Appliances are running v20.0.2 MR-2-Build378

IPsec connections have been configured:

  • HO on primary WAN: respond only
  • HO on backup WAN: (not yet configured)
  • BO on primary WAN: initiator to DDNS of HO primary WAN
  • BO on backup WAN: initiator to DDNS of HO primary WAN

BO failover groups have been configured:  primary WAN > backup WAN

---

The problem is that if we lose the primary WAN at HO, we lose all IPsec connections to the BOs.

As far as I can tell, the only way to accomplish having a fully redundant failover system would be to configure failover connections on the HO Sophos for the >20 BO sites and then also configure each BO site to have two more IPsec failover connections for the HO backup WAN connection (one from primary WAN, another from backup WAN).  All in all, I'm really not looking forward to creating 60+ additional IPsec connections and all of the associated failover rules!

---

Previously, using UTM, "Uplink Interfaces" was an option when selecting the local interface but this has been removed in SFOS and I would really love to see that option restored.  Back in the UTM days, we'd just configure the IPsec connections at the BOs to use the DDNS of the UTM at HO.

Two feature requests:

  1. Restore the option of selecting "Uplink Interfaces" for the listening interface when configuring IPsec connections
  2. Restore the DDNS IP strategy similar to "Web service (IPv4)" where the appliance will update DDNS records with the primary WAN IP address

Open to suggestions if anyone has anything constructive or creative to add.
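To make the dependency concrete, here is an added example (not from the post and not Sophos code) that models which branch tunnels survive each uplink failure under the current design, the full-mesh alternative the post describes, and a design where both feature requests are granted. The uplink names, the 20-branch count and the "follow_active" DDNS behaviour are assumptions of the model.

```python
# Added example, not Sophos code: a reachability model of the dual-uplink IPsec
# design in the post. A BO->HO path needs a BO uplink that is up, an HO uplink
# that is up, and an HO connection listening on that uplink.
UPLINKS = ("primary", "backup")   # both HO and each BO have these two
BRANCH_OFFICES = 20               # the post says >20; 20 is used for the count

def resolve_ho_ddns(ho_up, strategy):
    """HO uplink the HO DDNS name points to. 'static_primary': the record always
    holds the primary WAN IP (what the post describes). 'follow_active': the
    record follows the preferred uplink that is up (feature request 2; DNS TTL
    and update delay are ignored here)."""
    if strategy == "static_primary":
        return "primary"
    return next((n for n in UPLINKS if ho_up[n]), None)

def branch_has_tunnel(ho_up, bo_up, design):
    """True if any BO->HO path in the design can come up. bo_connections holds
    (bo_uplink, target) pairs; target is an HO uplink name or 'ddns'."""
    for bo_uplink, target in design["bo_connections"]:
        if not bo_up[bo_uplink]:
            continue
        ho = resolve_ho_ddns(ho_up, design["strategy"]) if target == "ddns" else target
        if ho and ho_up[ho] and ho in design["ho_listeners"]:
            return True
    return False

def survives(design, failed_ho=(), failed_bo=()):
    """Does one branch keep a tunnel with the named uplinks down?"""
    ho_up = {n: n not in failed_ho for n in UPLINKS}
    bo_up = {n: n not in failed_bo for n in UPLINKS}
    return branch_has_tunnel(ho_up, bo_up, design)

def total_connections(design, branches=BRANCH_OFFICES):
    """IPsec connection objects across HO and all BOs for the design."""
    return branches * (design["ho_connections_per_bo"] + len(design["bo_connections"]))

# Current setup: HO responds only on its primary WAN; both BO uplinks initiate
# to the HO primary DDNS name.
CURRENT = dict(strategy="static_primary", ho_listeners={"primary"}, ho_connections_per_bo=1,
               bo_connections=[("primary", "ddns"), ("backup", "ddns")])
# The alternative the post dreads: every BO uplink to every HO uplink, plus a
# second respond-only connection per BO on the HO backup WAN.
FULL_MESH = dict(strategy="static_primary", ho_listeners=set(UPLINKS), ho_connections_per_bo=2,
                 bo_connections=[(a, b) for a in UPLINKS for b in UPLINKS])
# Both feature requests granted: one HO connection listening on all uplinks and
# a DDNS record that follows the active WAN; the BO side stays as it is.
FEATURE_REQUESTS = dict(strategy="follow_active", ho_listeners=set(UPLINKS), ho_connections_per_bo=1,
                        bo_connections=[("primary", "ddns"), ("backup", "ddns")])
```

Running `survives(CURRENT, failed_ho=("primary",))` reproduces the outage in the post, and the difference in `total_connections` between `FULL_MESH` and `CURRENT` is the 60 extra connection objects the post does not want to create.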

Reply (original poster):

Thanks for the reply, Mayur. The forum software is suggesting that I accept this as the solution; however, I'm going to reject that suggestion based on the fact that it doesn't solve the larger issue of the redundancy of the IPsec connections. Also, it remains to be seen whether or not my two feature requests would or could solve the issue, since they've not been implemented.
