IPSEC VPN Load Balance

Hi, I have a lot of branches connected to the WAN via IPsec VPN by Sophos XG, but the traffic bandwidth usage cannot be balanced. Is there any way to balance all IPsec VPN traffic like Sophos XG competitors?

The Sophos principal in Indonesia once promised this when he wanted to make a deal with my boss to buy a Sophos XG firewall at each location. We have more than 30 branches.
They told us that Sophos XG has an SD-WAN feature and a site-to-site VPN that can share the load.
But as of the latest update, SFOS 18.5.2 MR-2-Build380, there is no feature for pure SD-WAN and site-to-site VPN load balancing.





This thread was automatically locked due to age.
  • They promise it in firmware version 19, but I cannot wait for it. Too many promises. I will replace 50 Sophos XG and RED with FortiGate this year.

  • So actually, if you do two route-based VPNs and then build up SD-WAN PBR, it is kind of like load balancing. So you could do it, if you really want.

    You can even do asymmetrical routing and push the packets per connection. It is a rare deployment, but that is what SD-WAN is about. 

  • I tried to do route-based IPsec and the policy-based routing that Sophos XG calls "SDWAN"; it can be asymmetrical routing. All route sources and destinations can only be paired with a physical interface, not with a tunnel interface.

  • Sorry for the typo. It still can't be asymmetrical routing.

  • That is not correct. You can create a Gateway for a Route based VPN. Simply create a new Gateway and it can be selected in the SD-WAN Rules. 

    The question is what you are trying to accomplish. You should talk to your Sophos Sales rep about the possibilities.

  • My goal is for the branch to have an asymmetric connection to the datacenter over two IPsec site-to-site VPNs, not only for failover.

  • This is technically possible, but most customers do not do it, because it is rather complicated due to the lacking interface bounding.

    You can activate per-packet SD-WAN routing, then route each and every packet based on the current best connection to an interface. The firewall on the other end will not care about the interfaces anymore and route the traffic further.

    But as said, it is technically possible but eventually not the end goal to do this with SFOS in the current state. SD-WAN load balancing will be something for the future. 

  • Hello,

    Can you guide or direct me to some KB or write-up on this? We have 3 ILLs at HO and have IPSec RVPN with BGP for failover. Now most of the traffic is going over 1 specific ISP, resulting in bandwidth choking and over-utilisation.

    I would also want to achieve load balancing of ILLs with IPSec RBVPN and auto failover with BGP.