IPSec VPN Failover Condition

Hi Noct3, Thanks for reaching out to Sophos Community.

The asterisk (*) in the failover group refers as a mandatory condition. If you're creating the failover group, That condition has to be selected. (Either TCP or PING). You can choose to not select the second condition.

For your specific scenario, I'd suggest going with a Route-based tunnel if the Remote gateway on AWS or Azure supports route-base tunnel configuration. This way you can define custom gateways with your custom failover condition to either ping the remote gateway or any specific Remote LAN's IP.

And with SD-WAN policy routes, You can add those custom gateways in a primary and backup fashion.

More info on Policy routes: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/learningContents/CreatingRBVPN.html

Creating custom gateways: https://docs.sophos.com/nsg/sophos-firewall/18.0/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/RoutingGatewayObjectAdd.html

Thanks

Hi Devesh,

Thank you for the reply. I see, that makes sense for the asterisk (*).

As for the proposed resolution, I believe that it may work but that would imply using SD-WAN primary and backup gateways while having both tunnel UP at the same time instead of the built-in IPsec failover mechanism. Using Gateways would allow internal IPs (on AWS or Azure) to be monitored, that's a good idea.

I will go that way.

Thank you!