Redundant site to site VPN between two UTMs

Our client has two locations, each with a Sophos UTM.  An IPsec tunnel connects them over one of the two ISPs they are each connected to.  Is there any way to either load balance another VPN tunnel over the second ISP in each UTM or failover to a second VPN if either of the ISP connections goes down causing the primary tunnel to fail?



  • Hi, Andrew, and welcome to the UTM Community!

    This became much easier with the introduction of Interface Groups. See www.astaro.org/.../49562-site-site-vpn-redundancy.html

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • We're trying to set up the same thing.  We have created one tunnel using interface groups as the local interface and availability groups for the remote gateway.  This works, but if ISP1 goes down on either side the tunnel ends up going from ISP1 to ISP2.  Is there a way to keep the tunnel on the same ISP on each side?

    I could create 2 tunnels but how do I keep the second tunnel dormant unless the first goes down?

    Thanks

  • Hi, and welcome to the UTM Community!

    What benefit would you hope to achieve from doing that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    The goal is to maintain an IPSec tunnel between sites even if one ISP is down.  We prefer to keep the tunnel on the same ISP at both ends because speed is better and latency is much lower.

    Sophos support has given me mixed answers on this.  Their last suggestion was to build 2 tunnels and use a full NAT on the 2nd tunnel to avoid conflicts with the local networks.

    Any thoughts or input you have are greatly appreciated.

    Thanks!

    David

  • Support is not the place to go for configuration advice.  This can be done with OSPF after binding the IPsec Connections to their respective Interfaces.  Google on site:community.sophos.com/products/unified-threat-management/f/58 ospf bind ipsec.

    Please share your configuration here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
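An added example, not code from the thread or from Sophos: a small Python model of the two designs discussed above (David's single tunnel built from interface and availability groups, and Bob's two interface-bound tunnels with OSPF). The link states and the OSPF costs are constructed assumptions; the group-based design is modelled only as "each side picks its first working ISP", which is enough to reproduce the ISP1-to-ISP2 crossover David reported.

```python
# Added example, not from the thread. "up" maps (site, isp) -> bool and is
# constructed input; OSPF_COST values are assumed, not Sophos defaults.
from itertools import product

# Assumed OSPF costs: the ISP1-to-ISP1 tunnel is preferred while it is up.
OSPF_COST = {1: 10, 2: 20}
SITES, ISPS = ("A", "B"), (1, 2)

def bound_tunnels_with_ospf(up):
    """Bob's suggestion: one IPsec connection per ISP, each bound to its own
    interface, with OSPF running over both. A tunnel only exists when that
    ISP is up at BOTH sites, so the path is always ISP-n to ISP-n, and the
    higher-cost tunnel stays dormant until the preferred one drops."""
    live = [n for n in ISPS if up[("A", n)] and up[("B", n)]]
    if not live:
        return None
    best = min(live, key=OSPF_COST.__getitem__)
    return (best, best)

def group_based_tunnel(up):
    """David's first attempt: one tunnel using an interface group locally and
    an availability group for the remote gateway. Modelled simply as each
    side choosing its own first working ISP, which reproduces the reported
    ISP1-to-ISP2 crossover when ISP1 fails on only one side."""
    ends = [next((n for n in ISPS if up[(s, n)]), None) for s in SITES]
    return None if None in ends else tuple(ends)

def crossover_states(design):
    """Enumerate all 16 up/down combinations and return, for each one in
    which the design lands on different ISPs at the two sites, the set of
    (site, isp) links that were down."""
    states = []
    for bits in product((True, False), repeat=4):
        up = dict(zip(product(SITES, ISPS), bits))
        path = design(up)
        if path and path[0] != path[1]:
            states.append({k for k, v in up.items() if not v})
    return states

if __name__ == "__main__":
    print("mixed-ISP states, group design:", crossover_states(group_based_tunnel))
    print("mixed-ISP states, OSPF design :", crossover_states(bound_tunnels_with_ospf))
```

Running it shows four link-failure combinations in which the group-based design crosses ISPs and none for the interface-bound OSPF design, which is the property David was after.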
  • Hi Bob,

    I found an article where you refer to a guy in Germany who set up something similar.  We duplicated the setup for testing and this appears to work.  I'll follow up with more detail once we're 100%.

    My German is extremely rusty, but I was able to follow along with the screenshots.

    Thanks!

    David
