
Sophos Firewall: Use MPLS as a backup

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


    Overview

    This recommended read describes the steps to use VPN/MPLS as a backup. Note that the VPN/MPLS failover will only work when MPLS is configured in a WAN zone and not in any other zone.

    Product and Environment

    Sophos Firewall

    Example setup

    We will be using a hypothetical network in which a VPN link and an MPLS link connect a Head Office (HO) and a Branch Office (BO).

    Head office

    The HO Sophos has been configured with Port A as LAN, Port B as WAN, and Port D as WAN. The MPLS link has been terminated on Port D.

    Port A (LAN) IP: 192.168.1.254
    Port B (WAN) IP: 202.134.168.202
    Port D (WAN) IP: 10.10.10.2, connected to the HO MPLS router

    Branch office

    The BO has been configured as follows:

    LAN IP: 192.168.2.254
    WAN IP: 202.134.168.206
    DMZ IP: 5.5.5.2, connected to the BO MPLS router

    MPLS link

    The MPLS Link has been configured as follows:

    HO router WAN IP: 12.12.12.1
    HO router DMZ IP: 10.10.10.1, connected to the HO Sophos Firewall
    BO router WAN IP: 11.11.11.1
    BO router DMZ IP: 5.5.5.1, connected to the BO firewall

    VPN link as a backup for MPLS link

    Configure HO to failover to an IPSec VPN link when the MPLS link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the MPLS link comes up again, normal operation will resume.

    Configuration

    Configure the failover to an IPSec link when the MPLS link fails by following the steps below:

    1. Configure the IPSec connection between HO and BO:

      For details on establishing an IPSec VPN connection between HO and BO, see Sophos Firewall: Set a Site-to-Site IPsec VPN connection using a preshared key.

    2. Configure the IPSec link as a backup to the MPLS link:

      1. Sign in to the Sophos CLI console.
      2. Go to 4. Device Console.
      3. Run the following command:

        system link_failover add primarylink PortD backuplink vpn tunnel IPSec_Link monitor PING host 11.11.11.1

        Syntax: system link_failover add primarylink <MPLSPort> backuplink vpn tunnel <VPNLink> monitor PING host <RemoteIP>

        Note: You can also use TCP to monitor the remote device:

        Syntax: system link_failover add primarylink <MPLSPort> backuplink vpn tunnel <VPNLink> monitor TCP host <RemoteIP> port <RemotePort>

    3. Configure static routes so that all traffic headed to the BO is sent over the MPLS link:

      1. Configure interface-based routes that point to the remote network 192.168.2.0:

        1. Sign in to the Sophos web admin using an administrator profile.
        2. Go to Routing > Static routes and click Add under IPv4 unicast route section:

          Parameter                  Value                             Description
          Destination IP / Netmask   192.168.2.0 / 24 (255.255.255.0)  Enter the destination IP address and the subnet mask.
          Gateway                    10.10.10.1                        Enter the gateway IP address.
          Interface                  PortD-10.10.10.2                  Select the interface from the list, which includes physical interfaces, virtual sub-interfaces, and aliases.
        3. Click Save.

      2. Configure a gateway-based route for the monitored host 11.11.11.1. This route is required so that the link monitor's probes are sent over the MPLS link only; otherwise the probes would not reflect the status of the MPLS link:

        1. Sign in to the Sophos web admin using an administrator profile.
        2. Go to Routing > Static routes and click Add under IPv4 unicast route section:

          Parameter                  Value                               Description
          Destination IP / Netmask   11.11.11.1 / 32 (255.255.255.255)   Enter the destination IP address and the subnet mask.
          Gateway                    10.10.10.1                          Enter the gateway IP address.
        3. Click Save.

    4. Give static routes the highest priority. By default, VPN routes have the highest priority in Sophos Firewall, so without this change traffic to the BO would prefer the VPN route whenever the tunnel is up instead of the static route over the MPLS link.

      1. Sign in to the Sophos CLI console.
      2. Go to 4. Device Console.
      3. Run the following command:

        system route_precedence set static

    The configuration above sets the VPN link as a backup if the primary MPLS link fails.

    MPLS link as a backup for VPN link

    Configure Sophos Firewall to failover to an MPLS link when the primary VPN link fails. This is required to provide uninterrupted connectivity between the HO and BO. When the VPN link comes up again, normal operation resumes.

    By default, Sophos Firewall gives VPN routes precedence over static routes: as long as the VPN tunnel is established, traffic to the BO follows the VPN route. If the VPN link fails, the traffic is automatically redirected via the static routes over the MPLS link.

    Note: If the MPLS link is configured on a non-WAN port, for example, between the LAN port on the HO and DMZ port on the BO, add the following IPSec route from the Sophos CLI console:

    system ipsec_route add net 192.168.2.0/255.255.255.0 tunnelname IPSec_Link

    Re-establish the VPN tunnel after adding the IPSec route.
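    The following is an added example, not Sophos code and not part of the original article: a small Python model of the route selection and link-failover behaviour described in both sections above (VPN as a backup for MPLS, and MPLS as a backup for VPN). It assumes a simplified precedence model (route types are consulted in order, longest prefix wins within a type, and the WAN default route is the last fallback) and a simplified monitor (the backup tunnel is raised only while the probe to 11.11.11.1 cannot leave through Port D). The BO host 192.168.2.10 and the class and function names are constructed for the example. It shows why the /32 route for the monitored host matters: without it the probe leaves through the Internet WAN port and never tests the MPLS link.

```python
import ipaddress

# Added example (not Sophos code): a model of the route selection and
# link-failover behaviour described in the article. The precedence model,
# the default-route fallback and the monitor semantics are assumptions.

class RouteModel:
    def __init__(self, precedence=("vpn", "static")):
        # Default SFOS order consults VPN routes before static ones;
        # "system route_precedence set static" corresponds to ("static", "vpn").
        self.precedence = tuple(precedence)
        self.routes = []       # {"dest", "kind", "link", "gateway"}
        self.link_up = {}      # port name -> bool
        self.tunnel_up = {}    # IPsec tunnel name -> bool
        self.failovers = []    # {"primary", "tunnel", "monitor_host"}

    def add_route(self, dest, kind, link, gateway=None):
        self.routes.append({"dest": ipaddress.ip_network(dest), "kind": kind,
                            "link": link, "gateway": gateway})

    def add_link_failover(self, primary, tunnel, monitor_host):
        # Models: system link_failover add primarylink <primary>
        #         backuplink vpn tunnel <tunnel> monitor PING host <monitor_host>
        self.failovers.append({"primary": primary, "tunnel": tunnel,
                               "monitor_host": ipaddress.ip_address(monitor_host)})

    def _usable(self, route):
        if route["kind"] == "vpn":
            return self.tunnel_up.get(route["link"], False)
        return self.link_up.get(route["link"], False)

    def lookup(self, dst):
        """First route type (in precedence order) with a usable match wins;
        longest prefix within that type. The WAN default route is consulted
        last (assumption). Returns None if nothing usable matches."""
        dst = ipaddress.ip_address(dst)
        for kind in self.precedence + ("default",):
            matches = [r for r in self.routes
                       if r["kind"] == kind and dst in r["dest"] and self._usable(r)]
            if matches:
                return max(matches, key=lambda r: r["dest"].prefixlen)
        return None

    def egress(self, dst):
        route = self.lookup(dst)
        return route["link"] if route else None

    def run_monitors(self):
        """Evaluate each monitor: the MPLS link is healthy only when the probe
        leaves through the primary port and that port is up. The backup
        tunnel is kept up exactly while the link is unhealthy."""
        for f in self.failovers:
            healthy = (self.egress(f["monitor_host"]) == f["primary"]
                       and self.link_up.get(f["primary"], False))
            self.tunnel_up[f["tunnel"]] = not healthy


def head_office(mpls_primary=True, monitor_route=True):
    """HO firewall from the article: Port B = Internet WAN, Port D = MPLS."""
    fw = RouteModel(("static", "vpn") if mpls_primary else ("vpn", "static"))
    fw.link_up = {"PortB": True, "PortD": True}
    fw.add_route("0.0.0.0/0", "default", "PortB")      # ISP gateway not given in the article
    fw.add_route("192.168.2.0/24", "static", "PortD", "10.10.10.1")  # interface route to BO LAN
    fw.add_route("192.168.2.0/24", "vpn", "IPSec_Link")              # route from the tunnel
    if monitor_route:
        fw.add_route("11.11.11.1/32", "static", "PortD", "10.10.10.1")  # pins probe to MPLS
    if mpls_primary:
        fw.add_link_failover("PortD", "IPSec_Link", "11.11.11.1")
    else:
        fw.tunnel_up["IPSec_Link"] = True   # VPN is the always-on primary in this case
    fw.run_monitors()
    return fw


def mpls_outage(fw):
    """Egress for BO-bound traffic before, during and after a Port D outage."""
    host = "192.168.2.10"   # constructed BO host
    before = fw.egress(host)
    fw.link_up["PortD"] = False
    fw.run_monitors()
    during = fw.egress(host)
    fw.link_up["PortD"] = True
    fw.run_monitors()
    after = fw.egress(host)
    return before, during, after


def vpn_outage(fw):
    """Egress for BO-bound traffic before, during and after the tunnel drops."""
    host = "192.168.2.10"
    before = fw.egress(host)
    fw.tunnel_up["IPSec_Link"] = False
    during = fw.egress(host)
    fw.tunnel_up["IPSec_Link"] = True
    after = fw.egress(host)
    return before, during, after


def probe_egress(fw):
    """Which link the failover monitor's probe to 11.11.11.1 actually uses."""
    return fw.egress("11.11.11.1")


if __name__ == "__main__":
    print(mpls_outage(head_office()))                      # ('PortD', 'IPSec_Link', 'PortD')
    print(vpn_outage(head_office(mpls_primary=False)))     # ('IPSec_Link', 'PortD', 'IPSec_Link')
    print(probe_egress(head_office(monitor_route=False)))  # PortB: the probe never tests MPLS
```

    With the /32 route in place the probe leaves via Port D, so the backup tunnel stays down while MPLS is healthy and comes up only for the outage; without it the probe falls back to the Internet WAN default route, the monitor never sees a healthy MPLS link, and the backup tunnel is raised permanently.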
