
4G Backup IPSec Tunnel

Hi All,

I just need to confirm that the setup below will work, or whether there is any best practice to achieve this, as I am new to Sophos Firewalls.

We have multiple sites connected via IPSec tunnels, using Sophos SG series firewalls over our private radio WAN which connects all sites.

At Head Office we have a UTM with IPSec set to Respond Only, and at the Branch Office an SG115 firewall initiates the IPSec connection. There have been some instances recently where we have lost the radio network for a site for an extended time period, and I am interested in setting up a secondary IPSec connection using a 4G modem. I want to keep this backup IPSec tunnel off until a site goes down for an extended period, and am thinking of turning the primary tunnel off and the backup tunnel on in case we have a radio network issue, to keep the remote site up and running.

Our head office UTM has a very complex setup, so I am wondering if this secondary IPSec can cause any issues (routing etc.), so that I can avoid them or better understand this before proceeding.

Thank you.

Shah
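An added example (not from the post or from Sophos) of the hold-down logic behind the failover Shah describes: the backup tunnel stays off until the primary has been down for an extended period, the two paths are never enabled together, and the site fails back only after the primary has been healthy again for a while. Probe results are constructed and the tunnel actions are abstract strings; wiring them to a firewall's API is assumed to happen elsewhere.

```python
"""Failover hold-down logic for a primary radio-WAN IPsec tunnel with a 4G backup.
Added example, not from the post or from Sophos: the backup stays off until the
primary has been down for an extended period, and the site fails back only after
the primary has been healthy for a while, so a brief blip never flips tunnels.
"""
from dataclasses import dataclass, field

PRIMARY = "primary-radio-ipsec"
BACKUP = "backup-4g-ipsec"


@dataclass
class FailoverController:
    down_threshold: int = 5    # consecutive failed probes = extended outage
    up_threshold: int = 10     # consecutive good probes before failing back
    active: str = PRIMARY
    consecutive_down: int = 0
    consecutive_up: int = 0
    actions: list = field(default_factory=list)

    def _switch(self, disable: str, enable: str) -> None:
        # Take the old path down first so both tunnels are never up together.
        self.actions.append(f"disable {disable}")
        self.actions.append(f"enable {enable}")
        self.active = enable

    def observe(self, primary_reachable: bool) -> str:
        """Feed one probe result (e.g. a ping to the radio gateway); return the active tunnel."""
        if primary_reachable:
            self.consecutive_up += 1
            self.consecutive_down = 0
        else:
            self.consecutive_down += 1
            self.consecutive_up = 0
        if self.active == PRIMARY and self.consecutive_down >= self.down_threshold:
            self._switch(PRIMARY, BACKUP)
        elif self.active == BACKUP and self.consecutive_up >= self.up_threshold:
            self._switch(BACKUP, PRIMARY)
        return self.active


def run(probes, **kwargs):
    """Replay a constructed probe sequence; return (final active tunnel, actions taken)."""
    ctl = FailoverController(**kwargs)
    for ok in probes:
        ctl.observe(ok)
    return ctl.active, ctl.actions
```

The thresholds are per probe interval, so they should be tuned to how long a radio outage must last before the site is considered down, and to how long the radio link must stay stable before traffic is moved back onto it.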

  • My company is in the exact same boat with a radio network, and I've found that UTM does a really bad job when it comes to working with 4G USB modems. I ended up installing Accelerated Concept 6330-MX LTE routers at each location on the WAN ports of each appliance as the backup internet connection. These boxes are great because you loop your primary WAN / internet connection through them so that the router can automatically detect a failure on the radio network and activate the LTE connection.

    Our UTMs are usually clueless to the fact that the internet connection has switched from the radio network to LTE. The Site to Site VPN connections usually restore themselves within a minute of switching to LTE and so far in the past year nobody has called to complain about network issues after we failed over to LTE.

  • Hi Dlabun,

    Thanks for replying to my query.

    I just need more info on how you set up IPSec on your firewalls, as in our case we have the local interface in IPSec set to our radio gateway. If we have dual networks on the router, then what would be the local interface in the IPSec tunnel, or should we set it to the router interface, as the router will be managing the link? Our head office already has 2 links (private radio WAN + ISP internet).

    Can you please explain this in more details?

    Thank you.

  • I am not sure if you'll be able to duplicate how I have our VPN connections configured, as when our radio network goes down all of the branch locations switch over to the Verizon Wireless connections. Regardless, each branch location has a single WAN interface configured and it's connected to the router. At the home office I have a WAN interface that is connected to our fiber connection back to our ISP. I also have a second interface configured that's connected to a router / radio / cellular combination just like the branch locations. Essentially I'm using Verizon Wireless as the radio network when our radio network goes down (in other terms, I don't send the S2S VPN connections through our fiber connection when the radios are down).

    I would highly recommend that you give the 6330-MX documentation a read as the routers have the ability to establish S2S VPN connections built in. Depending on the network topology you are dealing with it might be better to have the router handle the VPN connections and leave the SG appliances to just worry about firewall responsibilities.