Hello all --
We're looking into converting from our current policy-based IPsec VPNs (created in v17) to the newly-available route-based VPNs (v18), but of course I have some confusion and would prefer to avoid the horrific Sophos support hold music.
- Is it correct to say that a route-based VPN would avoid the hassle of manually adding each site's subnets to the tunnel, or is that still manual, but done in static routing or SD-WAN policies instead? We have an HA VPN to a GCP project, which uses BGP on either side; would that be the same setup here between our two sites (so instead of the static route or SD-WAN policy, we'd use BGP advertisements)?
- Possibly related to the previous question, does it matter what IP is used on the xfrm interfaces? In the GCP connection, we use link-local (169.254.x.x) IPs, and in the Sophos walk-through video, they use [seemingly random] 3.3.3.3 and 4.4.4.4. Does it make any difference?
- We have dual ISP links into each site, with four tunnels in a failover group. Does failover work essentially the same with route-based VPN? Looking through, it appears that there would only be two tunnels in the failover group, but each tunnel would have a backup gateway.
Has anyone here set up a dual-ISP failover using route-based tunnels and BGP advertising? How does the failover work in the real world? (Our current policy-based failover is "hands-on", at best.)
Thanks
-- michael~