
Having Issues with Redundant IPSec S2S

Hi Folks,


Trying to set up a redundant IPsec S2S between 2 UTMs; however, I am having some trouble. Topology is like this:
(initiating) Remote Site WAN1 + WAN2 ---> HQ-WAN1 (respond only)

I would like both tunnels to be up, but to only use WAN1 if WAN2 is down.

Can someone walk me through step by step on how I would configure this? I've tried using the wiki; tunnels would establish, but traffic would not flow (using bind to the local interface). I think it might be the multipath rules I was using.

I will note, I'm quite happy to change this to red-tunnel s2s if I can achieve the same effect easier.

Thanks



This thread was automatically locked due to age.
  • An alternative to DKKDG's classic solution was proposed by Michael Klehr - Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE). It's in German, but all of the screen shots are in English, so I think it should be understandable even if you don't speak German.

    In essence, binding the IPsec Connection to an interface allows you to use Static Interface Routes or Multipath rules binding traffic to an interface. This "trick" makes the same thing possible that you could do with RED tunnels before. Depending on your hardware, you might be able to take advantage of Intel's AES-NI to speed throughput using AES GCM. Here's my preference:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    That is actually the guide I used as a reference. Tunnels were up, but I think something is going wrong at the multi-path part.

    HQ:

    Multi-Path:  HQ-Net - Any - Remote-Net - WAN1

    Remote:

    Multi-Path:  Remote-Net - Any - HQ-Net - InterfaceGroupWans

    Interface Group: #1 WAN2, #2 WAN1

    Both Interfaces are in "Uplink Balancing"

     

    How I would kill for IKEv2 + BGP right about now...

  • Please show pictures of the Edits of the Multipath rules on both sides.

    Cheers - Bob

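Since the thread stops short of showing what "both tunnels up, WAN2 preferred, WAN1 only on failure" looks like from the box itself, here is an added example that is not from the thread or from Sophos: a small Python checker that reads strongSwan-style `ipsec statusall` output (UTM 9's IPsec daemon is strongSwan, an assumption for this example) and reports which tunnel the interface-group order (#1 WAN2, #2 WAN1) would select, whether a failover has occurred, and whether the two tunnels actually carry the same traffic selectors, which is one reason a tunnel can be "up" while no traffic flows. The connection names, addresses and the status text are constructed placeholders, not values from the original posts.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of strongSwan's `ipsec statusall` output.
# Connection names and addresses are placeholders for the two Remote->HQ tunnels.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
  HQ-via-WAN2[7]: ESTABLISHED 12 minutes ago, 203.0.113.20[203.0.113.20]...198.51.100.5[198.51.100.5]
  HQ-via-WAN2{7}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a80101_i c0a80102_o
  HQ-via-WAN2{7}:   10.20.0.0/24 === 10.10.0.0/24
  HQ-via-WAN1[5]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
  HQ-via-WAN1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80201_i c0a80202_o
  HQ-via-WAN1{5}:   10.20.0.0/24 === 10.10.0.0/24
"""

# IKE SA line: "<name>[<id>]: <STATE> ..., <local>[<id>]...<remote>[<id>]"
IKE_SA_RE = re.compile(
    r"^\s*(?P<name>\S+)\[\d+\]:\s+(?P<state>[A-Z]+)\b.*?"
    r"(?P<local>\d+\.\d+\.\d+\.\d+)\[[^\]]*\]\.\.\.(?P<remote>\d+\.\d+\.\d+\.\d+)\["
)
# CHILD SA traffic-selector line: "<name>{<id>}:   <local net> === <remote net>"
TS_RE = re.compile(
    r"^\s*(?P<name>\S+)\{\d+\}:\s+(?P<local_ts>[\d./]+)\s+===\s+(?P<remote_ts>[\d./]+)\s*$"
)


def parse_ike_sas(status_text: str) -> Dict[str, Dict[str, str]]:
    """Return {connection name: {state, local, remote}} for every IKE SA listed."""
    sas: Dict[str, Dict[str, str]] = {}
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            sas[m.group("name")] = {
                "state": m.group("state"),
                "local": m.group("local"),
                "remote": m.group("remote"),
            }
    return sas


def parse_traffic_selectors(status_text: str) -> Dict[str, Set[Tuple[str, str]]]:
    """Return {connection name: {(local net, remote net), ...}} from the CHILD SA lines."""
    selectors: Dict[str, Set[Tuple[str, str]]] = {}
    for line in status_text.splitlines():
        m = TS_RE.match(line)
        if m:
            selectors.setdefault(m.group("name"), set()).add(
                (m.group("local_ts"), m.group("remote_ts"))
            )
    return selectors


def select_tunnel(sas: Dict[str, Dict[str, str]],
                  preference: List[str]) -> Tuple[Optional[str], bool]:
    """Mirror the interface-group order: the first preferred tunnel that is ESTABLISHED
    carries traffic. Returns (chosen connection or None, True if a failover occurred)."""
    for idx, name in enumerate(preference):
        if sas.get(name, {}).get("state") == "ESTABLISHED":
            return name, idx > 0
    return None, True


def check_redundancy(status_text: str, preference: List[str]) -> dict:
    """Combine SA state, failover position and traffic-selector consistency into one report."""
    sas = parse_ike_sas(status_text)
    selectors = parse_traffic_selectors(status_text)
    active, failed_over = select_tunnel(sas, preference)
    # Both tunnels are only interchangeable if they negotiate the same subnets;
    # a tunnel with different selectors is up but cannot take over the traffic.
    reference = selectors.get(preference[0], set())
    mismatched = [n for n in preference if selectors.get(n, set()) != reference]
    return {"active": active, "failed_over": failed_over,
            "mismatched": mismatched, "sas": sas}


if __name__ == "__main__":
    report = check_redundancy(SAMPLE_STATUS, ["HQ-via-WAN2", "HQ-via-WAN1"])
    print("active tunnel :", report["active"])
    print("failed over   :", report["failed_over"])
    print("selector mismatch:", report["mismatched"] or "none")
```

On a real box you would feed the script the live output of `ipsec statusall` instead of `SAMPLE_STATUS`; the preference list is the order of the interface group on the Remote side, and a report showing `failed_over: True` while the WAN2 link is physically fine points at the tunnel rather than at the multipath rule.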