
IPsec vpn failover between 2 XG with both 2 WAN connections

What is the correct way to configure IPsec VPN with failover between 2 XG firewalls, each with 2 WAN connections?

I configured 4 IPsec tunnels (the 4 possible situations) and put those 4 on both sides in a failover group, but failover is not working stably this way.

During failover both XG firewalls try to bring the IPsec tunnels online one by one, so you need some luck that both try the correct tunnel at the same time.



  • Hi Stefan,

    As per my own troubleshooting and help from Sophos Support, we have discovered the best way to implement a proper IPsec failover solution is to only have your failover groups on the Branch Office side (the one initiating the connection). Activate all four tunnels on the Head Office side, then create a failover group with all 4 IPsec tunnels in the correct order on the Branch Office side and switch it on. That should be it.

  • Barend Botes said:

    Hi Stefan,

    As per my own troubleshooting and help from Sophos Support, we have discovered the best way to implement a proper IPsec failover solution is to only have your failover groups on the Branch Office side (the one initiating the connection). Activate all four tunnels on the Head Office side, then create a failover group with all 4 IPsec tunnels in the correct order on the Branch Office side and switch it on. That should be it.

    I find this to be the best method. Unfortunately, we get a red VPN icon, which confuses us with the number of VPN connections we have. I wish there was a way to still assign the VPNs for a site to a group but not have them be part of the failover; that way the icon would remain green so long as 1 of the 2+ connections is there.
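A toy model of the two designs discussed in this thread, added here as an illustration (it is not code from the thread, from Sophos, or from any XG feature): when both sides step through their own failover group, the tunnel only comes up if both happen to try the same usable tunnel at the same moment, whereas with all four tunnels active on the head office side the branch's ordered list converges on the first usable tunnel. Tunnel names, WAN link names, list orders and the outage scenario are all constructed for the example.

```python
from typing import Optional

# The four possible tunnels between a 2-WAN branch and a 2-WAN head office
# (constructed names; each maps to the pair of WAN links it depends on).
TUNNELS = {
    "T11": ("branch_wan1", "hq_wan1"),
    "T12": ("branch_wan1", "hq_wan2"),
    "T21": ("branch_wan2", "hq_wan1"),
    "T22": ("branch_wan2", "hq_wan2"),
}

def usable(tunnel: str, links_up: set) -> bool:
    """A tunnel can be established only if both of its WAN links are up."""
    return all(link in links_up for link in TUNNELS[tunnel])

def both_sides_failover(branch_order, hq_order, links_up, max_ticks=20) -> Optional[int]:
    """Both sides run a failover group and step through their own list once per tick.
    The tunnel comes up only when both sides are trying the same usable tunnel in
    the same tick (the 'luck' the original poster describes). Returns the tick on
    which the tunnel came up, or None if the two lists never align in time."""
    for tick in range(max_ticks):
        b = branch_order[tick % len(branch_order)]
        h = hq_order[tick % len(hq_order)]
        if b == h and usable(b, links_up):
            return tick
    return None

def branch_only_failover(branch_order, links_up) -> Optional[int]:
    """Only the branch runs a failover group; the head office keeps all four
    tunnels active as responders, so the first usable tunnel the branch tries
    comes up. Returns the tick (list position) on which it came up."""
    for tick, tunnel in enumerate(branch_order):
        if usable(tunnel, links_up):
            return tick
    return None

BRANCH_ORDER = ["T11", "T12", "T21", "T22"]
HQ_ORDER = ["T11", "T21", "T12", "T22"]  # head office lists its own WAN1 first

if __name__ == "__main__":
    # Constructed outage: branch WAN1 and head-office WAN2 are both down.
    links = {"branch_wan2", "hq_wan1"}
    print("both sides in failover groups:", both_sides_failover(BRANCH_ORDER, HQ_ORDER, links))
    print("branch-only failover group:", branch_only_failover(BRANCH_ORDER, links))
```

In the constructed outage the two-sided design cycles without ever lining up on the one usable tunnel, while the branch-only design reaches it on its third attempt.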

