IPsec Remote VPN multiple Gateways in v19.5

Hi,

We have configured IPsec remote access VPN and want to achieve two profiles, one for the primary ISP and one for the secondary ISP. We have come to know that this is not currently possible in IPsec remote VPN. But I have seen that we can have multiple gateways defined in the provisioning file and send it to users, who will double-click it, and it will automatically call the .scx files in the Sophos Connect client. But I'm a bit confused about how we can achieve this. Do we need to configure two .scx files first, and then the provisioning file will work? Secondly, the customer wants no changes to be required in the IPsec profile, as only 1 profile can be active at the moment, and for the second one to be active we first have to reset the connection, since it doesn't let us change the name of the connection, and by doing this all configuration is lost.

Regards,

Abdullah



  • Hi Abdullah,

    Thank you for reaching out to Sophos Community.

    • Do we need to configure two .scx files first, and then the provisioning file will work?
      • No. Edit the provisioning file and save it as .pro; then you can send it to the user or apply it via GPO. Also, no changes are needed on the IPsec profile.
    • You may refer to the following link concerning the provisioning file.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi,

    Thanks for replying.

    We have already configured the provisioning file and sent it to a user, but we are having issues when connecting through it. We will check it further; it might be some config mismatch. Please confirm whether a single IPsec profile can be used with 2 WAN links, meaning a single profile configured in Remote Access VPN that uses both the primary WAN link and the secondary WAN link.

    What we have done:

    • Performed port-forwarding on the gateway firewall for the primary and secondary WAN IPs to the private IP mapped on the Sophos firewall from which we are configuring IPsec remote VPN. (We changed the gateway in the .scx file, and users are able to connect and use services.)
    • But is the above solution suitable for the provisioning file? Meaning, will only 1 profile configured from the GUI be able to connect users on both the primary and secondary gateway IPs? Because we are getting a "no response from gateway" error.
    • Can we configure our .scx file to use two gateways?

    Regards,

    Abdullah

  • Hi Abdullah,

    You can configure .scx to use two gateways. Kindly see the reference in the first screenshot for Multiple Gateways.

    However, not as a combined (primary and secondary) setup. It'll be in the form of load balancing.

    You can see the following reference or options.

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hi Erick,

    Thanks for sharing. So, what I understand from your reply is that only 1 profile will be configured in IPsec Remote Access, and after that I'll create a provisioning file with the configuration below so that users can access both simultaneously:

    [
      {
        "display_name": "SSGC-VPN",
        "gateway_order": "in_order",
        "gateway": [ "xg1.primary.com", "xg2.backup.com" ],
        "user_portal_port": 443,
        "otp": true,
        "2fa": 1,
        "auto_connect_host": "",
        "can_save_credentials": true,
        "check_remote_availability": true,
        "run_logon_script": false
      }
    ]

    Regards,

    Abdullah

  • Hi Abdullah,

    Yes, this will be in one profile, but it won't be simultaneous. The gateway order you've set is "in_order"; this will use the first gateway first, and if it's not reachable, it'll then use the secondary.

    Erick Jan
    Community Support Engineer | Sophos Technical Support
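As an added illustration (not code from this thread or from Sophos), the script below parses the provisioning profile posted above and models the "in_order" behaviour just described: the first gateway that a caller-supplied reachability probe reports as up is used, and the second is only tried when the first does not answer. The two hostnames are the thread's own sample values; the idea that a TCP connect to user_portal_port is a usable probe is my assumption, since the page does not say how Sophos Connect checks reachability.

```python
import json
import socket

# Constructed sample .pro content, copied from the profile posted in this thread;
# the hostnames are the thread's example values, not real gateways.
PROFILE_JSON = """
[
  {
    "display_name": "SSGC-VPN",
    "gateway_order": "in_order",
    "gateway": ["xg1.primary.com", "xg2.backup.com"],
    "user_portal_port": 443,
    "otp": true,
    "2fa": 1,
    "auto_connect_host": "",
    "can_save_credentials": true,
    "check_remote_availability": true,
    "run_logon_script": false
  }
]
"""

def load_profiles(text):
    """Parse a .pro file and sanity-check the fields this thread depends on."""
    profiles = json.loads(text)
    if not isinstance(profiles, list) or not profiles:
        raise ValueError(".pro must be a non-empty JSON list of profiles")
    for p in profiles:
        gws = p.get("gateway")
        if not isinstance(gws, list) or not all(isinstance(g, str) and g for g in gws):
            raise ValueError(f"{p.get('display_name')}: 'gateway' must be a list of hostnames")
        if len(gws) > 1 and p.get("gateway_order") != "in_order":  # only order the thread describes
            raise ValueError(f"{p.get('display_name')}: unsupported gateway_order")
    return profiles

def reachable_tcp(host, port, timeout=2.0):
    """Live probe (assumption: TCP connect to user_portal_port); not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def pick_gateway(profile, probe):
    """in_order semantics: first gateway the probe reports reachable, else None."""
    port = int(profile.get("user_portal_port", 443))
    for gw in profile["gateway"]:
        if probe(gw, port):
            return gw
    return None
```

Pass `reachable_tcp` as the probe to run it against real hosts; the lambdas in the test stand in for "primary up", "only backup up" and "nothing up".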

  • Hi Erick,

    Interesting topic. I understand this with the profile for Sophos Connect.

    However, to configure remote access VPN on the XGS firewall I have to choose an interface. So I can only choose one Internet provider on, e.g., Port 2 (no option to select two ports). Will this work when, in the example from Abdullah, xg2.backup.com is on Port 3 (Internet provider 2)?

    Best regards

    Tony

  • Hi Tony,

    What I did to achieve two profiles is to configure both profiles and export their connections, send them to users, and have the primary profile selected on your Sophos XG; when the primary link goes down, you have to make changes on the XG and update at the XG end only. Both files will be .scx files, but for this to work you have to reset the connection every time on the Sophos XG. A second option can be to have both profiles configured with the same connection name; for this to work you only need to change the interface of the IPsec remote connection, but only one profile can be exported to Sophos Connect.

    This is an essential feature which must be made available by Sophos.

    Regards,

    Abdullah 

  • Hi Abdullah,

    Thank you for the explanation.

    1) I was guessing that. You have to change the port on the XG to the second WAN port (manually) if the first WAN port is down.

    2) But with the option "gateway order" in the profile, it looks to me as if only one profile is required? And if the first gateway goes down it switches to the second (assuming the port is changed on the XG to the second WAN as per 1).

    What you did is to configure the remote VPN on the XG once with WAN port 1 and export the profile, and then change it to WAN port 2 and export profile 2, right? But I guess you had to change the name somehow, as otherwise you can not import it into Sophos Connect, right?

    I agree there should be a feature to swap automatically.

    Best regards

    Tony 

  • Hi Tony,

    There are 2 options available for IPsec remote access. One is the provisioning file, and the other is the .scx file. I used the .scx file for the connection, as I didn't have a public IP directly available on my Sophos interfaces. So, what I did was configure 1 profile and export its connection, then reset the connection, configure the second connection and export its connection. I edited the files by replacing the private IP with the public IP and sent them to my users, who imported both files into Sophos Connect. But they can only connect to the profile which is active on my Sophos XG. I think what the provisioning file does is to have a single profile with multiple gateways/ISPs, but I haven't tested this.

    1) Yes, you have to manually change the port.

    2) The "gateway_order" option is not available/configurable in the .scx file; it's only configurable in the provisioning file.

    Regards,

    Abdullah

  • Hi Guys,

    Interesting topic indeed. I have an SSL VPN solution running with multiple gateways. Now, since we have a new fiber connection, I had to edit the .pro file and put it on all clients. But when testing, the multiple gateways do not work as expected. I also found the following topic: Sophos Connect 2.0 - gateway_order clarification. The question is: is it possible to configure the SSL VPN to check two 'gateways' in order? After this question the topic was closed.... Thank you in advance.