This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

site-to-site VPN redundancy

Hello,
i'd like to refloat an old "issue" i've had that haven't managed to check the current v9 version support for it:
Site to site VPN with multiple uplinks.

for example: i have two sites A and B, each site has 2 separate ISPs(mix of fixed/dynamic IPs/NATted)
Tunnel must be up at all times regardless of which ISP fails, convergence time should be in seconds.

currently i have this setup with a couple of sonicwall appliances as they specifically support secondary remote gateway on the tunnel definition(you define the main one and a backup one) and has proven to work, but i find the platform itself quite crappy apart from that (it's counter intuitive and the "visibility" is quite poor).

So, does UTM support such scenario currently?.
or do i need to create 4 tunnels (A1-B1, A1-B2, A2-B1, A2-B2) and go?
and god knows what happens with traffic loops/routing/addressing in that scenario?


This thread was automatically locked due to age.
  • This is very easy with ASG/UTM since Uplink Balancing and Availability Groups were introduced (years ago). 

    Cheers - Bob

    Sorry for any short responses.  Posted from my iPhone.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,
    i know that ISP redundancy at the network level is easy to do(and i'm using it) with uplink balancing/monitoring, but the question is how will a site-to-site VPN work when they're defined by remote/local endpoint pair, all of which will change depending on what fails thus making the tunnel definition invalid!.
    Also tunnel definition doesn't has options to select multiple remote/local endpoints.

    Other than putting the remote gateway as "respond only" (which would work on one of the endpoints alone, otherwise how would the tunnel be ever stablished) i just fail to see how to make it redundant with only one tunnel.

    for example:
    Side A "initiate" pointing to fixed IP of site B.
    Site B as "respond only"
    All works until fixed IP ISP on site B fails, how will the tunnel be stablished then?

    looking at the context help for the connections an interesting point shows on the:
    "bind tunnel to interface" option:
    "Thus it is possible to either bypass IPsec policies with static routes or define redundant IPsec tunnels over different uplinks and use multipath rules to balance traffic over the available interfaces and their IPsec tunnels. Use cases for this setting are for example: "
    But after that it says "Note – This option cannot be used in combination with an interface group." (so how am i supposed to do a multipath target rule if i can't create an interface group with the tunnels....).

    ideas?
  • On both sides, use Uplink Interfaces as 'Local interface' in the IPsec Connection definition.

    NOTE: see my post below for an alternative approach possible with V9.2 and later

    Assume WAN interfaces: WAN-Site-A-1, WAN-Site-A-2, WAN-Site-B-1, WAN-Site-B-2.

    Site A:

    Multipath Rule binds IPsec to WAN-Site-A-1
    Remote Gateway for Site B uses a Gateway that is an Availability Group with, in order, WAN-Site-B-1, WAN-Site-B-2



    Site B:

    Multipath Rule binds IPsec to WAN-Site-B-1
    Remote Gateway for Site A uses a Gateway that is an Availability Group with, in order, WAN-Site-A-1, WAN-Site-A-2



    Notice that the first Host in each Availability Group must be the IP of the WAN interface in the Multipath rule on the other side.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I know this is an old thread, but I am just getting started with configuring VPN's for redundancy. I am following this guide: How to configure multipath uplinking for IPsec with a Sophos UTM
    Dealing with a Home Office with Uplink Balancing to a Branch with a single interface (I will deal with Home to Home double multipath later). At step 5 of the guide I get an error that you cannot bind the local interface to a group, ie: Uplink Interfaces. That's problem number 1.
    Number 2, is I don't really understand multipath rules: My current rule is: Uplink Primary Addresses, IPSEC to Any, Persistance by Interface, Bind to Interface #1
    It seems like this forces all of the IPSEC traffic over a single interface with no failover? Should that be changed to Persistence by Connection with Advanced Balanced to Uplink Interfaces selected?
    Problem #3 can I have different sites primarily connect to different interfaces? That is, Branch 1 connects to home over Interface 1 unless there is failover, while Branch 2 connects to home over Interface 2 unless there is failover?
  • Mike, in the Home office, instead of relying on Uplink Balancing, use an Interface Group with the primary interface at the top.  You still need the Availability Group in the remote office.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Not sure what you mean. The only place I know I can create an Interface Group is on a Multipath rule, if I change persistence to Connection, then on the advance tab I can create a new Interface group that I can use elsewhere. If I use the new Interface group in the Site 2 Site Connections dialog, I still get the cannot bind tunnel to group error. Does that matter? The guide says that is what turns on the failover behavior? In you post above, you state that the Multipath rule for IPSEC should bind to 1 interface, so I am assuming that is a persistence by Interface rule like I currently have. I guess I am missing how failover works if the service is bound to a single interface? You also state in the NOTICE above that the branch office availability group must have the first host ip match the interface on the Multipath rule. Does that mean I cannot spread the branches around to use different interfaces and still have redundancy?
  • Auto-Failover IPsec VPN Connections

    Note: See my EDIT at the bottom of this post for a more complex solution with instant failover.

    Interface Groups are created on the 'Interfaces' tab in 'Interfaces & Routing'.  No Multipath rule is required.  These new groups are nifty.  I used them in a recent project to connect four remote offices to a central UTM.

    Each office has two, different WAN connections.  I configured one Interface Group for a VoIP VPN that started on one WAN connection and another Interface Group for a Data VPN that started on the other.  If any one WAN connection goes down, the VPN on that connection fails over to live on the other connection with the other VPN.  I also added some QoS rules to minimize the VoIP connections getting hammered if the Data VPN ever failed over to the VoIP-preferred line.

    Cheers - Bob
    PS So, with this approach, Post #4 above would look like:

    On both sides, create an Interface Group named "VPN Group" to be used as the 'Local interface' in the IPsec Connection definition on both sides.

    Site A:

    VPN Group = WAN-Site-A-1, WAN-Site-A-2
    Remote Gateway for Site B uses a Gateway that is an Availability Group with, in order, WAN-Site-B-1, WAN-Site-B-2

    Site B:

    VPN Group = WAN-Site-B-1, WAN-Site-B-2
    Remote Gateway for Site A uses a Gateway that is an Availability Group with, in order, WAN-Site-A-1, WAN-Site-A-2

    Notice that the first Host in each Availability Group must be the IP of the WAN interface in the top position of "VPN Group" on the other side.

    ------------------

    EDIT 2017-10-08: V9 brought us the ability to bind an IPsec Connection to an Interface, so it's now possible to have two active tunnels and instant failover using Static Routes.  The best description I know of this is in German, but Sophos UTM multiple S2S IPsec VPN mit Failover – Tutorial (DE) has pictures of all settings in English.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the clarity Bob. However, I have one more issue, the recommendation is to config the branch offices to respond only mode on the vpn gateway. If I do that, where would I use the Availability group? I have tried it both ways and got the vpn to come up only when the branch is in respond only, when I set it to initiate and use the availability group it does not connect. Maybe it's because of the existing multipath rule? I can't break that until the weekend. I have 12 sites connected the old fashioned way. On the other hand, I can see from the ipsec log that the 2 branches are connecting over the underutilized interface, so spreading using the interface group on the home site is working, just not sure about failover.
  • The only reason you'd need "Respond Only" would be because the other side is behind a NAT.  My customer in Virginia successfully tested all failovers at all sites using the structure described.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA