
Assuring IPSec site-2-site tunnels use a certain WAN interface from Uplink Balancing

I'm currently using Uplink Balancing with one active WAN (WAN1) and one standby WAN (WAN-BAK) interface for failover.

I have prepared a WAN2 interface (to another ISP) and would like to add it to active interfaces in order to provide a smooth transition from one ISP to the other.

I assume I would lose control over which of the active WAN interfaces is being used for IPSec tunnel connections. My IPSec tunnels can only work with WAN1 since the other site is configured to accept connections only from WAN1.

Is there a way to ensure a certain IPSec tunnel (I currently have 2 of them) uses a certain WAN interface?

Can these rules/assignments also be done for LAN subnets (I have several of them)?

When everything is in place I would like to have the possibility to move IPSec tunnels and subnets from using WAN1 to using WAN2 one after the other.

Can this be done using Policy Rules? What would be an example configuration for an IPSec tunnel or subnet?

  • For the IPSec connection this is not an issue; you specifically choose the interface that is used to make the connection, so if the right one is chosen that would not be a problem.

    Just make sure to NOT use Uplink Interfaces but choose the one from WAN1.

    As for the LAN traffic you can create multipath routes for that:

    Create the rule "by interface" and select the source client(s) or networks, the service and the destination. If needed all can be 'any'.

    As for moving the IPSec tunnels one by one, this can only be done manually since the other side of the connection would also need to use the IP address of WAN2 unless they are on "Respond only", but as far as I know you must change the VPN connection's interface manually anyway (as in my first picture), which doesn't take too much time...


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thank you for your advice.

    Actually I should have noticed the "Local Interface" option in the tunnel config - just overlooked that.

    For the subnets I will use the multipath rules as suggested, as well. I always wondered what they are for, and now it seems this is the right purpose for them.

    Thank you for your help!

  • You're welcome, glad I could help. If you can also accept my answer as your solution, then everyone can see the green checkmark showing that the question has been resolved.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.