
Sophos XG to SG IPSec S2S Failover

Hello everyone,

I'm trying in vain to understand how I can set up a failover configuration for our remote site.

The scenario is as follows:

Head office: Sophos XG appliance

WAN: 2 static public IP addresses configured directly on the XG

Remote site: Sophos UTM appliance

WAN: 1 public IP address; the Sophos sits behind a FritzBox and has been given a local IP by the FB. Exposed host is configured on the FB.

I don't understand how to get a failover configuration working. All the guides I have found refer to other setups.

Individual IPsec connections work, but we have to switch the connection over manually in the Sophos XG as soon as one WAN at the main site is interrupted.

Kind regards

  • What we have here (two UTMs, each with 2 WAN uplinks) is the following:

    For the remote gateway, configure an availability group with both of the external IP addresses. In your case this is the configuration you could enter on the UTM side, since your XG site has the 2 external interfaces. Put the "main" connection as the first one and the backup connection as the second one inside the availability group. By doing this, you tell the UTM to accept traffic from the main interface as long as it's available. When it's not available, then accept from the next IP address, and so on.

    For the local gateway (in our case also a UTM) we created an interface group consisting of both of the local Internet connections, again using the desired order for 1st and 2nd line. Use this interface group as the local interface for the IPsec connection. I'm not sure if and how you can configure this in the XG.

    Of course this config needs to be "mirrored" on the other side, but in your setup only 1 side has multiple Internet connections, so in the UTM you need the availability group for the Internet connections from the XG site, while its local connection is just its own WAN interface. On your XG side your local interface should be the interface group and the remote interface is just the only Internet connection from the UTM site.


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
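The reply above boils down to two rules: the UTM's availability group must list the XG's uplinks in the same main/backup order as the interface group on the XG, and the peer is then selected as "first address in that order that is currently up". The following Python is an added example, not code from this thread or from Sophos; it models both ends of the tunnel as they would be entered in the admin UI, checks that the two sides actually mirror each other (order included), and simulates the availability-group selection through an outage of the main uplink. All site names and addresses are hypothetical (RFC 5737 documentation ranges); the `IPsecSide` type and the helper functions exist only for this illustration.

```python
"""Added example (not code from the thread or from Sophos): a small model of the
mirrored IPsec site-to-site failover configuration described above, with a
check that the two sides agree on the uplink order and a simulation of the
availability-group selection. All names and addresses are hypothetical."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample addresses from the RFC 5737 documentation ranges.
CENTRAL_WAN = ["203.0.113.10", "198.51.100.10"]  # XG: main uplink first, backup second
BRANCH_WAN = ["192.0.2.20"]                       # UTM: the single public IP on the FritzBox


@dataclass
class IPsecSide:
    """One end of the tunnel as entered in the admin UI.

    local_interfaces: the local WAN interface, or an ordered interface group.
    remote_gateways:  the peer's address, or an ordered availability group.
    """
    name: str
    local_interfaces: List[str]
    remote_gateways: List[str]


def build_sites(central_order: List[str] = CENTRAL_WAN) -> Dict[str, IPsecSide]:
    """Both ends of the tunnel. The XG side uses an interface group as its local
    interface; the UTM side uses an availability group as its remote gateway."""
    xg = IPsecSide("XG-central", local_interfaces=list(central_order),
                   remote_gateways=list(BRANCH_WAN))
    utm = IPsecSide("UTM-branch", local_interfaces=list(BRANCH_WAN),
                    remote_gateways=list(CENTRAL_WAN))
    return {"xg": xg, "utm": utm}


def mirror_problems(a: IPsecSide, b: IPsecSide) -> List[str]:
    """Return mismatches between the two sides. An empty list means the
    configuration is mirrored correctly, including the main/backup order."""
    problems = []
    if a.local_interfaces != b.remote_gateways:
        problems.append(
            f"{b.name} remote gateways {b.remote_gateways} do not match "
            f"{a.name} local interfaces {a.local_interfaces}")
    if b.local_interfaces != a.remote_gateways:
        problems.append(
            f"{a.name} remote gateways {a.remote_gateways} do not match "
            f"{b.name} local interfaces {b.local_interfaces}")
    return problems


def select_gateway(ordered: List[str], reachable: Dict[str, bool]) -> Optional[str]:
    """Availability-group semantics: the first address in the configured order
    that is currently reachable wins. The backup is used only while the main
    uplink is down, and the main is preferred again as soon as it returns."""
    for ip in ordered:
        if reachable.get(ip, False):
            return ip
    return None


def simulate_failover(utm: IPsecSide) -> List[Optional[str]]:
    """Walk through: both up, main down, main back, both down."""
    main, backup = utm.remote_gateways
    states = [
        {main: True, backup: True},
        {main: False, backup: True},
        {main: True, backup: True},
        {main: False, backup: False},
    ]
    return [select_gateway(utm.remote_gateways, s) for s in states]


if __name__ == "__main__":
    sites = build_sites()
    print("mirror check:", mirror_problems(sites["xg"], sites["utm"]) or "OK")
    print("failover sequence:", simulate_failover(sites["utm"]))
    # Swapping the interface-group order on the XG alone is flagged by the check.
    swapped = build_sites(central_order=list(reversed(CENTRAL_WAN)))
    for p in mirror_problems(swapped["xg"], swapped["utm"]):
        print("misconfiguration:", p)
```

The last block in `__main__` deliberately reverses the interface-group order on the XG side only; `mirror_problems` reports it, which is the kind of mismatch that is easy to introduce when the two ends are configured in different products and by hand.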

  • Hello Casi,

    A warm welcome to the community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    You can use the approach in Auto-Failover IPsec VPN Connections, but you'll need to "translate" from UTM to XG for the Central site.

    Best regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA