I know there are multiple forum posts about this same general situation; I've read dozens. I see a number of different options for doing this, but I haven't found one that is quite like the environment in question. The closest post I can see is this one written in German ( community.sophos.com/.../sophos-utm-multiple-s2s-ipsec-vpn-mit-failover-tutorial-de )
I'm trying to figure out the current best method for doing IPSec VPN tunnel failover using multiple WANs. By best I mean, I'd like the failover to happen as quickly as possible.
All sites are running Sophos SG UTM firewalls on 9.7.
Client has 3 sites. Servers are at site A. Remote locations are sites B and C.
Site A has 1 internet connection and 2 VPN tunnels, one to site B and one to site C. Site A is set to 'respond only' on both. The remote offices are the initiators. All VPN tunnels are built using RSA key authentication with the VPN ID set to the hostname of the remote firewall.
Sites B and C each have dual WAN for failover.
Currently I have sites B and C set for uplink balancing with both WANs set to active with the weighting changed 100% to the primary, 0% to the failover, persistence timeout of 1 minute with automatic monitoring checked. The IPSec connections on these remote sites are set to 'Uplink Interfaces' as their local interface to use.
I have no multipath rules configured and nothing is set to 'Bind tunnel to local interface'.
This works, but the failover takes several seconds to kick in. The German article above seems to indicate that it is possible with Sophos SG/UTM to have both the primary and failover interfaces simultaneously connected with VPN tunnels active, but with traffic only passing over the primary until an outage, at which point it quickly switches to the failover VPN tunnel that is already established. The problem is that in the German example both sides have dual WANs, and I think the configuration described in their post is complicated by that. Would the multipath rules described in that article be of any benefit in this example, where only the remote sites, set as initiators, have the dual WAN setup and their remote 'respond only' peer has a single WAN?
Thanks!