This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Yet another Multiple WAN IPSec VPN failover thread

I know there are multiple forum posts about this same general situation, I've read dozens. I see a number of different options for doing this, I haven't found one that is quite like the environment in question. The closest post I can see is this one written in german ( community.sophos.com/.../sophos-utm-multiple-s2s-ipsec-vpn-mit-failover-tutorial-de )

I'm trying to figure out the current best method for doing IPSec VPN tunnel failover using multiple WANs. By best I mean, I'd like the failover to happen as quickly as possible.

All sites are running Sophos SG UTM firewalls on 9.7

Client has 3 sites. Servers are at site A. Remote locations are sites B and C.

Site A has 1 internet connection. 2 VPN tunnels, one to site B one to site C. Site A is set to respond only on both. The remote offices are the initiators. All VPN tunnels are built using RSA key authentication with the VPN ID set to the hostname of the remote firewall.

Sites B and C each have dual WAN for failover.

Currently I have sites B and C set for uplink balancing with both WANs set to active with the weighting changed 100% to the primary, 0% to the failover, persistence timeout of 1 minute with automatic monitoring checked. The IPSec connections on these remote sites are set to 'Uplink Interfaces' as their local interface to use.

I have no multipath rules configured and nothing is set to 'Bind tunnel to local interface'.

This works but the failover takes several seconds to kick in. The german article above seems to indicate that it is possible with Sophos SG/UTM to have both the primary and failover interfaces simultaneously connected with VPN tunnels active, but traffic only passing over the primary until an outage at which point it quickly switches to the failover VPN tunnel that is already established. The problem in the german example both sides have dual WANs and I think the configuration described in their post is complicated by that. Would the multipath rules described in that article be any benefit to this example where only the remote sites, set as initiators, have the dual WAN setup and their remote respond only peer has a single WAN?

Thanks!



This thread was automatically locked due to age.
  • Hi  

    There's a dedicated article for this: Sophos UTM: How to configure IPsec Site-to-Site VPN with multipath uplink. Did you have a chance to look at this?

    Regards

    Jaydeep

  • JayDeep,

     

    Thanks for the reply. Yes I have read that article and have implemented the availability groups where it is appropriate to do so for the client. I guess my question is more along the lines of: currently with my configuration set as described above, what benefit would there be to creating the Multipath rules VS how I already have the VPNs configured seeing as everything already works? Would there be any noticeable difference in the amount of time it takes to re-establish the tunnel on the failover circuit? And I'm very interested in input from anyone that has configured their tunnels to behave in the manner described in the German article where both the primary and failover circuits have their tunnels established at all times

  • I've long recommended Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) as it has lots of pictures of WebAdmin configuration with WebAdmin in English.  I'm fluent in German, but I think that article should be easy to understand for anyone that speaks English.  The advantage is indeed that the failover is virtually instantaneous.  I suspect the only people that would notice the failover would be those on VoIP calls or other real-time processes.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA