
Sophos Firewall: Use MPLS as a backup

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________


Overview

This article describes the steps to use a VPN link and an MPLS link as backups for each other. Note that the VPN/MPLS link failover only works when the MPLS link is configured on an interface in the WAN zone, not in any other zone.

Product and Environment

Sophos Firewall

Example setup

We will be using a hypothetical network where a VPN link and an MPLS link connect a Head Office (HO) and Branch Office (BO).

Head office

The HO Sophos Firewall has been configured with Port A as LAN, Port B as WAN, and Port D as WAN. The MPLS link is terminated on Port D.

Port A (Sophos LAN IP)  192.168.1.254
Port B (Sophos WAN IP)  202.134.168.202
Port D (Sophos WAN IP)  10.10.10.2 (connected to the HO MPLS router)

Branch office

The BO has been configured as follows:

LAN IP  192.168.2.254
WAN IP  202.134.168.206
DMZ IP  5.5.5.2 (connected to the BO MPLS router)

MPLS link

The MPLS Link has been configured as follows:

HO router WAN IP  12.12.12.1
HO router DMZ IP  10.10.10.1 (connected to the HO Sophos Firewall on Port D)
BO router WAN IP  11.11.11.1
BO router DMZ IP  5.5.5.1 (connected to the BO firewall)

VPN link as a backup for MPLS link

Configure the HO to fail over to an IPsec VPN link when the MPLS link fails. This provides uninterrupted connectivity between the HO and BO. When the MPLS link comes up again, normal operation resumes.

Configuration

Configure the failover to the IPsec link when the MPLS link fails by following the steps below:

  1. Configure the IPSec connection between HO and BO:

    For details on how to establish an IPSec VPN connection between HO and BO, see Sophos Firewall: Set a Site-to-Site IPsec VPN connection using a preshared key.

  2. Configure the IPSec link as a backup to the MPLS link:

    1. Sign in to the Sophos CLI console.
    2. Go to 4. Device Console.
    3. Run the following command:

      system link_failover add primarylink PortD backuplink vpn tunnel IPSec_Link monitor PING host 11.11.11.1

      Syntax: system link_failover add primarylink <MPLSPort> backuplink vpn tunnel <VPNLink> monitor PING host <RemoteIP>

      Note: You can also use TCP to monitor the remote device:

      Syntax: system link_failover add primarylink <MPLSPort> backuplink vpn tunnel <VPNLink> monitor TCP host <RemoteIP> port <RemotePort>

  3. Configure static routes so that all traffic headed to the BO is sent over the MPLS link:

    1. Configure interface-based routes that point to the remote network 192.168.2.0:

      1. Sign in to the Sophos web admin using an administrator profile.
      2. Go to Routing > Static routes and click Add under IPv4 unicast route section:

        Parameter                 Value                             Description
        Destination IP / Netmask  192.168.2.0 / 24 (255.255.255.0)  Enter the destination IP address and the subnet mask.
        Gateway                   10.10.10.1                        Enter the gateway IP address.
        Interface                 PortD-10.10.10.2                  Select the interface from the list (physical interfaces, virtual sub-interfaces, and aliases).
      3. Click Save.

    2. Configure a gateway-based route for the monitored host 11.11.11.1. This route is necessary because it forces the link monitor's probe packets over the MPLS link only, so the monitor reflects the status of the MPLS link rather than of some other path:

      1. Sign in to the Sophos web admin using an administrator profile.
      2. Go to Routing > Static routes and click Add under IPv4 unicast route section:

        Parameter                 Value                              Description
        Destination IP / Netmask  11.11.11.1 / 32 (255.255.255.255)  Enter the destination IP address and the subnet mask.
        Gateway                   10.10.10.1                         Enter the gateway IP address.
      3. Click Save.

  4. Give static routes the highest precedence. By default, VPN routes have the highest precedence in Sophos Firewall, so without this step traffic to the BO would keep using the VPN route whenever the tunnel is up instead of the MPLS link.

    1. Sign in to the Sophos CLI console.
    2. Go to 4. Device Console.
    3. Run the following command:

      system route_precedence set static

The configuration above sets the VPN link as a backup if the primary MPLS link fails.

MPLS link as a backup for VPN link

Configure Sophos Firewall to fail over to the MPLS link when the primary VPN link fails. This provides uninterrupted connectivity between the HO and BO. When the VPN link comes up again, normal operation resumes.

By default, Sophos Firewall gives VPN routes precedence over static routes. While the VPN link is established, Sophos Firewall prefers the VPN routes. If the VPN link fails, traffic is automatically redirected via the static routes for the MPLS link, so no change to the route precedence is needed in this scenario.

Note: If the MPLS link is configured on a non-WAN port, for example, between the LAN port on the HO and DMZ port on the BO, add the following IPSec route from the Sophos CLI console:

system ipsec_route add net 192.168.2.0/255.255.255.0 tunnelname IPSec_Link

Re-establish the VPN tunnel after adding the IPSec route.
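Both designs above depend on the same route-selection rule: the route type that comes first in the route precedence wins, and a route is only usable while its interface or tunnel is up. The following Python is an added example (not Sophos Firewall code and not part of this article) that models that rule for the HO routing table built from the example addresses, covering the "VPN link as a backup for MPLS link" case (static precedence, from step 4) and the "MPLS link as a backup for VPN link" case (default VPN precedence). It also shows why the /32 route for the monitored host 11.11.11.1 from step 3.2 matters. The names Route, lookup, HO_ROUTES, mpls_primary, vpn_primary and monitor_exit are chosen here, the Internet gateway on Port B is a constructed placeholder, and the assumptions that the default route is used only when nothing else matches and that the longest prefix wins within a route type are simplifications of the firewall's behaviour.

```python
# Added example (not Sophos Firewall code): a simplified model of route selection
# under the two precedence orders used in the article.
# Assumptions: route types are tried in precedence order, the longest prefix wins
# within a type, the default route (0.0.0.0/0) is used only when nothing else
# matches, and a route is usable only while its interface or tunnel is up.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str    # destination network, e.g. "192.168.2.0/24"
    kind: str      # "static" (Routing > Static routes) or "vpn" (installed by the IPsec tunnel)
    via: str       # interface or tunnel the traffic leaves on
    gateway: str   # next hop, shown for clarity; not needed for the lookup itself


def lookup(dest, routes, precedence, link_up):
    """Return the route used for dest, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)

    def usable(route):
        return link_up.get(route.via, False) and addr in ipaddress.ip_network(route.prefix)

    # Non-default routes, one route type at a time in precedence order.
    for kind in precedence:
        matches = [r for r in routes if r.kind == kind and r.prefix != "0.0.0.0/0" and usable(r)]
        if matches:
            return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    # Default route only as a last resort (model assumption).
    defaults = [r for r in routes if r.prefix == "0.0.0.0/0" and usable(r)]
    return defaults[0] if defaults else None


# Head-office routing table built from the article's example addresses.
HO_ROUTES = [
    Route("0.0.0.0/0", "static", "PortB", "203.0.113.1"),      # Internet default route; gateway is a constructed placeholder
    Route("192.168.2.0/24", "static", "PortD", "10.10.10.1"),  # step 3.1: BO LAN over the MPLS link
    Route("11.11.11.1/32", "static", "PortD", "10.10.10.1"),   # step 3.2: monitored BO router over MPLS only
    Route("192.168.2.0/24", "vpn", "IPSec_Link", "-"),         # route installed by the IPsec tunnel
]

STATIC_FIRST = ("static", "vpn")   # after: system route_precedence set static
VPN_FIRST = ("vpn", "static")      # Sophos Firewall default precedence


def mpls_primary(dest, portd_up, tunnel_up=True):
    """'VPN link as a backup for MPLS link': static routes take precedence."""
    state = {"PortB": True, "PortD": portd_up, "IPSec_Link": tunnel_up}
    return lookup(dest, HO_ROUTES, STATIC_FIRST, state)


def vpn_primary(dest, tunnel_up, portd_up=True):
    """'MPLS link as a backup for VPN link': default precedence, VPN routes first."""
    state = {"PortB": True, "PortD": portd_up, "IPSec_Link": tunnel_up}
    return lookup(dest, HO_ROUTES, VPN_FIRST, state)


def monitor_exit(routes):
    """Interface the link monitor's probes to 11.11.11.1 leave on while all links are up."""
    state = {"PortB": True, "PortD": True, "IPSec_Link": True}
    return lookup("11.11.11.1", routes, STATIC_FIRST, state).via


if __name__ == "__main__":
    print("MPLS primary, PortD up:    ", mpls_primary("192.168.2.10", portd_up=True).via)
    print("MPLS primary, PortD down:  ", mpls_primary("192.168.2.10", portd_up=False).via)
    print("VPN primary, tunnel up:    ", vpn_primary("192.168.2.10", tunnel_up=True).via)
    print("VPN primary, tunnel down:  ", vpn_primary("192.168.2.10", tunnel_up=False).via)
    print("Monitor with /32 route:    ", monitor_exit(HO_ROUTES))
    without_monitor_route = [r for r in HO_ROUTES if r.prefix != "11.11.11.1/32"]
    print("Monitor without /32 route: ", monitor_exit(without_monitor_route))
```

The last two lines of the demonstration show the point of step 3.2: without the /32 route, probes to 11.11.11.1 match only the default route and leave via Port B, so the monitor would be testing the Internet path instead of the MPLS link and would never detect an MPLS failure.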


______________________________________________________________________________________________________________________________________
