
Double Redundancy in IPsec Site-to-Site Tunnel with Static and Dynamic IP Addresses

I'm trying to wrap my head around a problem that a customer of ours brought up to me.

He has a central IT site that has a 100M synchronous line with static IPv4 address(es) and a 50M VDSL backup line with a dynamic public IPv4 address. In the central office they have two SG230 in HA active-standby.

Additionally they have a branch office with only 5 users (customer managers) that has two SG115 (active-standby HA) that are only connected via IPsec to the central IT. No extra Internet access. The customer chose the two SG in HA over a REDxx. Here he has a 10M synchronous line with static IPv4.

Last week the line was killed by an excavator and the repairs took 3 days!!! So their customer managers had to drive 90 km to the central office for their work... Long story short: they have to build up a backup via LTE/UMTS. (Seems that managers can get really angry...)

Because there is a Sophos HA cluster on the remote site I thought of using an LTE router (e.g. TELTONIKA RUT-950) because of the easier integration into the system (only interfaces and no UMTS stick hardware), and he only needs one SIM card and one good router (I have used this already 4 times and it never gave me a headache - just for regular Internet access).

The multipath rules basically are not my problem (I know how to configure them), but the IPsec tunnel gives me headaches (a lot).

The customer wants me to create a solution that uses the static-IP WAN connections as primary IPsec connections and automatic fallbacks on BOTH sides of the tunnel with the dynamic-IP WAN connections.

4 possible connections:
1. default (static to static),
2. remote static to central dynamic,
3. remote dynamic to central static and
4. remote dynamic to central dynamic

Is this possible? Please give me any of your ideas.


My thoughts were something like the following:

1. Central IT: Create a WAN availability group containing the following >> static WAN connection + >> DynDNS host of the dynamic WAN connection (for auto resolution)
- Multipath rule to check the static IP of the remote GW and some others, e.g. Google & Amazon >> if the interface is down, activate the dynamic WAN connection.
- Site-to-site: use the availability group as local GW address &
- create an availability group for the remote office containing the "static IP" and the "dynamic DNS host" of the remote office

2. Remote office: Create a WAN availability group containing the following >> static WAN connection + >> DynDNS host of the dynamic WAN connection (for auto resolution)
- Multipath rule to check the static IP of the remote GW and some others, e.g. Google & Amazon >> if the interface is down, activate the dynamic WAN connection (here the connection to the UMTS router).
- Site-to-site: use the availability group as local GW address
- create an availability group for the central office containing the "static IP" and the "dynamic DNS host" of the central office

3. Change the remote GWs in both IPsec configs to address the remote availability group (containing the remote static IP AND the remote dynamic IP DNS host name).

Your Ideas?
Will this work?

Have you tried something like this?

Will this all die because (correct me if I'm wrong) I thought that a UMTS router will normally get only an IPv6 address in Germany? (The network provider can be chosen freely if you know one that provides IPv4 - if needed.)

Chances to resolve this problem?

Will the automatic fallback work?

Is there already a complete setup guide / best practices guide that I overlooked?

Thank you all for your help and input.

Franz
