This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Redundant site to site VPN between two UTMs

Our client has two locations, each with a Sophos UTM. An IPsec tunnel connects them over one of the two ISPs they are each connected to. Is there any way to either load balance another VPN tunnel over the second ISP in each UTM or failover to a second VPN if either of the ISP connections goes down causing the primary tunnel to fail?

This thread was automatically locked due to age.

Parents

0 BAlfson over 9 years ago

Hi, Andrew, and welcome to the UTM Community!

This became much easier with the introduction of Interface Groups. See www.astaro.org/.../49562-site-site-vpn-redundancy.html

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 comnet_nm over 9 years ago in reply to BAlfson

We're trying to setup the same thing. We have create one tunnel using interface groups as the local interface and availability groups for the remote gateway. This works but if ISP1 goes down on either side the tunnel ends up going from ISP1 to ISP2. Is there a way to keep the tunnel on the same ISP on each side?

I could create 2 tunnels but how do I keep the second tunnel dormant unless the first goes down?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago in reply to comnet_nm

Hi, and welcome to the UTM Community!

What benefit would you hope to achieve from doing that?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 comnet_nm over 9 years ago in reply to BAlfson

Hi Bob,

The goal is to maintain an IPSec tunnel between sites even if one ISP is down. We prefer to keep the tunnel on the same ISP at both ends because speed is better and latency is much lower.

Sophos support has given me mixed answers on this. Their last suggestion was to build 2 tunnels and use a full NAT on the 2nd tunnel to avoid conflicts with the local networks.

Any thoughts, input you have are greatly appreciated.

Thanks!

David
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago in reply to comnet_nm

Support is not the place to go for configuration advice. This can be done with OSPF after binding the IPsec Connections to their respective Interfaces. Google on site:community.sophos.com/products/unified-threat-management/f/58 ospf bind ipsec.

Please share your configuration here.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 9 years ago in reply to comnet_nm

Support is not the place to go for configuration advice. This can be done with OSPF after binding the IPsec Connections to their respective Interfaces. Google on site:community.sophos.com/products/unified-threat-management/f/58 ospf bind ipsec.

Please share your configuration here.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 comnet_nm over 9 years ago in reply to BAlfson

Hi Bob,

I found an article where you refer to a guy in Germany that set up something similar. We duplicated the setup for testing and this appears to work. I'll follow up with more detail once we're 100%.

My German is extremely rusty, but was able to follow along with the screen shots.

Thanks!

David
Cancel
Vote Up 0 Vote Down

Cancel