
Multi-site Fail-over

So we have a client with a main office and a branch office. The offices each have an SG firewall. Main has an SG125, branch has an SG135. They have an Ethernet Private Line from their ISP and want the offices to communicate over this line for local traffic but have each location use its own WAN connection for Internet traffic.  We have successfully taken care of the LAN traffic between the sites over the EPL using eth2 on each firewall, static routes and firewall policies.  
The kicker is that they also want each location's WAN to be a fail-over for the other. So that if the WAN goes out at the main office, users' HTTP and HTTPS traffic goes through the EPL connection and then out the WAN of the branch office firewall.
We have the task of trying to set this up but have never run into this situation and may need some guidance on how best to approach this. Thank you!



  • Hi Chris and welcome to the UTM Community!

    Louis' solution is a good one.  Another is to use Uplink Monitoring to establish a site-to-site IPsec VPN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for that suggestion Bob.  I'll look into that option.  Can an IPsec tunnel be built over an EPL though?  As the whole goal is to have Web services traffic reroute over the already established EPL should that site's WAN connection go out.  The EPL is essentially a long Ethernet cable plugged from eth2 in one firewall into eth2 of the other.  I really just wish the models matched so we could have looked into HA as an option.  But sadly, no.

  • HA would not be an option in any case, Chris.  Yes, an IPsec tunnel over an EPL is possible.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Is there any point in using IPsec here? You would be using overhead and complication for no gain.

  • OK, so I'm playing with the idea of creating an IPsec tunnel over the EPL line, but it will not establish.  Currently the EPL endpoints are 10.0.0.1 (Main) and 10.0.0.2 (Branch).  I also tried having the endpoints on different subnets (10.0.0.1/30 and 10.0.0.10/30).  That did not seem to work.  Double-checked policy matching and preshared keys on both ends.   Live logs have the following:

    Main Office:

    2019:03:08-08:55:05 mg-for-fw pluto[2399]: loading secrets from "/etc/ipsec.secrets"
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: loaded PSK secret for 10.0.0.1 10.0.0.10
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: listening for IKE messages
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "S_MG-FOR-MH"
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: "S_MG-FOR-MH" #1: initiating Main Mode
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "X_MG-FOR-MH"
    2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "X_MG-FOR-MH"
     
     
    Branch Office:
     
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: loading secrets from "/etc/ipsec.secrets"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: loaded PSK secret for 10.0.0.10 10.0.0.1
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: listening for IKE messages
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "S_MG-MH-FOR" #1: initiating Main Mode
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "S_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: added connection description "X_MG-MH-FOR"
    2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute -- it is in use for "X_MG-MH-FOR" #0
     
    Any thoughts?  I can't find any literature on creating an IPsec tunnel over an EPL.
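Added example, not code from the thread or from Sophos: a small Python diagnostic for the two things the last post is juggling, the addressing of the EPL endpoints and the pluto live-log output. It checks whether two endpoints given as ip/prefix are directly adjacent on one subnet (a back-to-back Ethernet link needs that unless a route is added), and it summarises pluto log excerpts by which connections initiated Main Mode, which reached pluto's phase-1 success line "ISAKMP SA established", and how many "cannot install eroute" conflicts each connection logged. The log lines are copied from the post; the /30 on the 10.0.0.1 / 10.0.0.2 pair is an assumption, since the post gives a mask only for the second pair.

```python
"""Diagnostics for the IPsec-over-EPL attempt in the thread above.

Added example, not code from the thread or from Sophos. Inputs are
constructed from the posted addresses and log lines.
"""
import ipaddress
import re
from collections import Counter

# pluto line layout: "<timestamp> <host> pluto[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: (?P<msg>.*)$")
# messages scoped to a connection: '"NAME" #1: text' or '"NAME": text'
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #\d+)?: (?P<text>.*)$')
ADDED_RE = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')
PSK_RE = re.compile(r"^loaded PSK secret for (?P<ids>.+)$")


def same_link(a, b):
    """Return (adjacent, reason) for two 'ip/prefix' endpoint strings.

    Adjacent means each address lies inside the other end's configured
    network, so neither side needs a route to reach its peer.
    """
    ia, ib = ipaddress.ip_interface(a), ipaddress.ip_interface(b)
    if ia.ip == ib.ip:
        return False, "both ends use the same address"
    a_sees_b, b_sees_a = ib.ip in ia.network, ia.ip in ib.network
    if a_sees_b and b_sees_a:
        return True, f"both ends on {ia.network}"
    if not a_sees_b and not b_sees_a:
        return False, f"different subnets: {ia.network} vs {ib.network}"
    return False, f"only {a if a_sees_b else b} can reach its peer without a route"


def analyse_pluto(lines):
    """Summarise one peer's pluto log excerpt into a dict of sets/counters."""
    s = {"hosts": set(), "connections": set(), "psk_ids": [], "initiated": set(),
         "established": set(), "eroute_conflicts": Counter(), "unparsed": []}
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            if line:
                s["unparsed"].append(line)
            continue
        s["hosts"].add(m["host"])
        msg = m["msg"]
        if (a := ADDED_RE.match(msg)):
            s["connections"].add(a["conn"])
        elif (p := PSK_RE.match(msg)):
            s["psk_ids"].append(p["ids"])
        elif (c := CONN_RE.match(msg)):
            conn, text = c["conn"], c["text"]
            if text.startswith("initiating Main Mode"):
                s["initiated"].add(conn)
            elif text.startswith("ISAKMP SA established"):  # phase 1 complete
                s["established"].add(conn)
            elif text.startswith("cannot install eroute"):
                s["eroute_conflicts"][conn] += 1
    return s


def findings(s):
    """Turn a summary into plain-language observations."""
    out = []
    for conn in sorted(s["initiated"] - s["established"]):
        out.append(f"{conn}: Main Mode initiated but no ISAKMP SA established in this "
                   "excerpt (no reply seen from the peer, or the excerpt is too short)")
    for conn, n in s["eroute_conflicts"].most_common():
        out.append(f"{conn}: {n} 'cannot install eroute' events; pluto logs this when the "
                   "kernel policy for that selector pair is already held by another "
                   "connection description")
    return out


# Excerpts of the two logs posted in the thread (constructed sample input).
MAIN_LOG = [
    '2019:03:08-08:55:05 mg-for-fw pluto[2399]: loaded PSK secret for 10.0.0.1 10.0.0.10',
    '2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "S_MG-FOR-MH"',
    '2019:03:08-08:55:05 mg-for-fw pluto[2399]: "S_MG-FOR-MH" #1: initiating Main Mode',
    '2019:03:08-08:55:05 mg-for-fw pluto[2399]: added connection description "X_MG-FOR-MH"',
]
BRANCH_LOG = [
    '2019:03:08-14:54:44 mg-mh-fw pluto[31577]: loaded PSK secret for 10.0.0.10 10.0.0.1',
    '2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "S_MG-MH-FOR" #1: initiating Main Mode',
] + [
    '2019:03:08-14:54:44 mg-mh-fw pluto[31577]: "X_MG-MH-FOR": cannot install eroute '
    '-- it is in use for "X_MG-MH-FOR" #0'
] * 5

if __name__ == "__main__":
    # /30 on the first pair is an assumption; the post gives no mask for it.
    for pair in (("10.0.0.1/30", "10.0.0.2/30"), ("10.0.0.1/30", "10.0.0.10/30")):
        print(pair, same_link(*pair))
    for name, log in (("main", MAIN_LOG), ("branch", BRANCH_LOG)):
        print(name, *findings(analyse_pluto(log)), sep="\n  ")
```

Run it as a script to see the two endpoint checks and the per-site observations; to use it on a real capture, read the live-log lines into a list and pass them to `analyse_pluto`. Both posted excerpts show Main Mode being initiated and nothing after it, so the first thing to confirm is plain reachability between the two endpoint addresses over eth2 before looking at IKE policy or PSK settings.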