
How to do Backup VPN with Sophos UTM 9.x more detailed than KB 118975


The method (works with 1:n and n:n) I will show you here will let you define a more detailed backup VPN than described in KB 118975. In the knowledge base article, you are limited to the order of the interfaces defined in Uplink Interfaces. But here you can use every order you want. This will even work with layer two site-to-site connections over WAN.

Network Overview:


Now here I show you the required steps for a backup VPN with a layer two site-to-site connection over WAN.

  1. Preparations

Make an interface on the UTM for your layer two connection. Use a net mask for a transfer net (255.255.255.252 or /30).

Site-1:

Site-2:

Make sure default gateway is ticked and the IP address is the neighbor of the transfer net.

Next we create an interface group on each site with the order in which we want to initiate the VPN:

Site-1:


Site-2:


When we take a look at our uplink interfaces it might look like this:
Site-1:

Site-2:

To avoid internet traffic going over the layer two connection we need to create a multipath rule that looks like this:

This must be done on both sites. Put this rule at the bottom if you already have some multipath rules.


Now we must solve the problem with the interface error on our layer two connection.

To do this we make a NAT rule for the interface address of each site.

Site-1:

The important part is the source translation. Here make an availability group like this:

Site-2:

Now the interface error should be gone and we can start to configure our VPN.

  2. Configure the VPN

Site-1:

Remote gateway config:
Here you can see that I chose an availability group as the gateway and defined the order of gateways I want to use for my VPN: 1. EC, 2. Internet 1, 3. Internet 2

IPSec config:
Under local interface, choose the interface group you defined for the VPN.

Site-2:

Remote gateway config:
Easy configuration here. Select "respond only" with the PSK option and the remote network.

IPSec config:

Now you have a functional backup VPN with your own order, even over a layer two site-to-site connection.

Feel free to ask some questions :-)

If you read this post and haven't seen any pictures, my fault. I will fix this.

Best Regards

DKNL
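Two of the steps above are easy to get subtly wrong: the /30 transfer net on the layer two interface (the default gateway must be the single neighbor address, not the network or broadcast address) and the availability group that walks the gateway list in a fixed order (EC, then Internet 1, then Internet 2) and falls back to the first reachable entry. The following Python script is an added example, not part of the original post or of Sophos UTM; it models both checks offline. The addresses are constructed sample values, the reachability probe is injected as a function so the script runs without network access, and the assumption that an availability group returns to the highest-priority host as soon as it is reachable again is the author-of-this-example's reading of the behaviour, not a quotation from Sophos documentation.

```python
"""Added example: /30 transfer-net neighbor check and ordered gateway fallback.

Not Sophos UTM code. Addresses below are constructed samples (RFC 5737 ranges).
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Sequence, Set, Tuple

Gateway = Tuple[str, str]  # (name as shown in the UTM, IP address)


def transfer_net_neighbor(local_cidr: str) -> str:
    """Return the only other usable host in a /30 transfer net.

    This is the address that belongs in the 'default gateway' field of the
    layer two interface. Raises ValueError if the mask is not /30 or if the
    given address is the network or broadcast address (a common typo).
    """
    iface = ipaddress.ip_interface(local_cidr)
    if iface.network.prefixlen != 30:
        raise ValueError("transfer net must be a /30 (255.255.255.252)")
    usable = list(iface.network.hosts())  # exactly two addresses in a /30
    others = [h for h in usable if h != iface.ip]
    if len(others) != 1:
        raise ValueError(f"{iface.ip} is not a usable host address in {iface.network}")
    return str(others[0])


def select_gateway(order: Sequence[Gateway],
                   is_reachable: Callable[[str], bool]) -> Optional[Gateway]:
    """Pick the first gateway in 'order' whose address answers the probe.

    Mirrors the availability-group idea from the post: the list order is the
    priority, and the group resolves to the first host that is alive.
    Returns None when every gateway is down.
    """
    for gw in order:
        if is_reachable(gw[1]):
            return gw
    return None


def failover_trace(order: Sequence[Gateway],
                   outages: Iterable[Set[str]]) -> List[Optional[str]]:
    """Simulate a sequence of probe rounds.

    Each element of 'outages' is the set of gateway addresses that are down
    during that round. The result is the gateway name chosen per round, which
    shows both the fallback and the return to the preferred gateway
    (assumption: the group re-selects the highest-priority live host).
    """
    trace: List[Optional[str]] = []
    for down in outages:
        chosen = select_gateway(order, lambda addr, d=down: addr not in d)
        trace.append(chosen[0] if chosen else None)
    return trace


# Constructed sample data matching the order used in the post:
# 1. EC (layer two link), 2. Internet 1, 3. Internet 2.
SAMPLE_ORDER: List[Gateway] = [
    ("EC", "10.0.0.2"),              # neighbor on the /30 transfer net
    ("Internet 1", "203.0.113.1"),   # constructed public gateway
    ("Internet 2", "198.51.100.1"),  # constructed public gateway
]

if __name__ == "__main__":
    print("EC gateway for 10.0.0.1/30 is", transfer_net_neighbor("10.0.0.1/30"))
    rounds = [set(), {"10.0.0.2"}, {"10.0.0.2", "203.0.113.1"}, set()]
    print("failover trace:", failover_trace(SAMPLE_ORDER, rounds))
```

Running the script prints the neighbor address of the sample transfer net and a trace such as EC, Internet 1, Internet 2, EC as the layer two link and then the first internet line go down and come back, which is the order the availability group in the post is meant to enforce.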

  • Hi DKNL, thanks for your great article. I have just the situation you describe here and I am searching for a way to do without IPSEC on the MPLS line, as we have no requirement to encrypt the traffic over this link, only on IPSEC failback. Do you have any idea if this is possible and how it has to be configured?
