
BGP routing priority over IPSec VPN

Hi all,

I currently have a need to have traffic routed to site B via BGP and using an IPSec VPN tunnel if/when the BGP route becomes unavailable.  I have the BGP routes in place and the VPN tunnels built, I'm just unsure which of those two takes priority.

And, if traffic will route to the IPSec tunnels first, how do I change the priority to route to BGP first?

Thanks!


Justin



  • Hi, Justin, and welcome to the UTM Community!

    The simple answer is to configure your routing (BGP or normal Static Routes) and then enable an Uplink Monitoring Action in 'Interfaces & Routing' that starts the IPsec tunnel when your preferred connection is unavailable.  You may need to configure the 'Advanced' tab.

    If you need virtually-instantaneous takeover by the IPsec tunnel or you have other reasons to use the tunnel, then you will want to bind the IPsec Connection to the UTM interface and manually create low priority routes for it.

    If you want to use the second approach, you might ask Sophos Support if an IPsec Connection bound to an interface will work with BGP.  Please share what you learn here if you travel down that path.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks BAlfson, appreciate the detailed reply.

    It looks like an Uplink Monitoring Action will work for my requirements.  It won't be instantaneous like you mentioned but it's good enough to qualify as highly available should the BGP route become unavailable.

    If we decide to give binding the IPSec tunnel to the interface a try, I'll update this thread.

    Thanks again!

    Justin
