Beware! This is a LONG post...
at first i want to give you a (relatively) short description of what I have:
3 Sites:
- Site A (Main Site) = 10.100.0.0/14, 192.168.10.0/24
Sophos Virtual UTM (VMWare)
with
1 x 34MBit/34Mbit fibre connection
two interfaces WITHOUT default gw (A1: 217.a.b.c/29 and A2: 217.a.b.c+1/29)
1 x 150Mbit/10Mbit asynchronous cable internet (130.x.y.z/29)
one interface WITH default gw (130.x.y.z-1)
- Site B = 10.104.0.0/14
2 x Sophos UTM 120 (High Availability)
with
1 x 10MBit synchronous connection (B1: 217.d.e.f/29)
one interface WITHOUT default gw
1 x 10MBit synchronous connection (B2: 217.g.h.i/29)
one interface WITHOUT default gw
1 x 150Mbit/10Mbit asynchronous cable internet (95.x.y.z/29)
one interface WITH default gw
- Site C = 10.108.0.0/14 with ONE 10MBit synchronous connection
1 x Sophos UTM 120
with
1 x 5MBit synchronous connection (C: 217.j.k.l/29)
one interface WITHOUT default gw
1 x 16Mbit/1Mbit asynchronous DSL (217.m.n.o)
and what I want to achieve:
- connection from A to C with A's cable connection being the fallback line
- connection from A to B with TWO tunnels:
- 217.a.b.c (A1) to 217.d.e.f (B1)
- 217.a.b.c+1 (A2) to 217.g.h.i (B2)
and a way to load BALANCE THE VPN-TRAFFIC on these tunnels. optionally/ideally A's cable connection will be used in this scenario as fallback line - but this is not the primary focus.
additionally I do NOT want to use A's fibre connection (217.a.b.c/29) for normal internet traffic; so no default route on these interfaces.
And now for the fun part.
What I have done so far:
Site A:
- created interface group IntGA with interfaces A1 and A2 on site A's firewall
- created static routes on site A's firewall:
217.d.e.f/29 via 217.a.b.c-1 on interface A1 (route to site B public IPs 1)
217.g.h.i/29 via 217.a.b.c-1 on interface A2 (route to site B public IPs 2)
217.j.k.l/29 via 217.a.b.c-1 on interface A1 (route to site C public IPs)
10.104.0.0/14 interface route via interface group IntGA (A1,A2)
10.108.0.0/14 interface route via interface A1
- created ipsec tunnels:
defined two ipsec gateways (217.d.e.f (B-IP1) and 217.g.h.i (B-IP2)) both set to initiate connection (to site B)
defined one ipsec gateway (217.j.k.l (C-IP)) set to initiate connection (to site C)
defined two ipsec connections for B:
1 x via interface A1 to B-IP1 and
1 x via interface A2 to B-IP2
defined one ipsec connection for C via interface A1 to C-IP
all ipsec connections are set to bind tunnel to local interface
- defined a multipath rule (any ipv4) (protocol any) (destination 10.104.0.0/14) balance (by connection) (to IntGA)
Site B:
- create interface group IntGB with interfaces B1 and B2
- create static routes on site B's firewall:
217.a.b.c/32 via 217.d.e.f-1 on interface B1 (route to site A's first IP on 34MBit line)
217.a.b.c+1/32 via 217.g.h.i-1 on interface B2 (route to site A's second IP on 34MBit line)
10.100.0.0/14 interface route via interface group IntGB (B1,B2)
- create ipsec tunnels:
defined two ipsec gateways (217.a.b.c (A1) and 217.a.b.c+1 (A2)) both set to initiate connection (to site A)
defined two ipsec connections for a:
1 x via interface B1 to A1 and
1 x via interface B2 to A2
all ipsec connections are set to bind tunnel to local interface
- defined a multipath rule (any ipv4) (protocol any) (destination 10.100.0.0/14) balance (by connection) (to IntGB)
Site C:
- create static route on site C's firewall:
217.a.b.c/29 via 217.j.k.l-1 on interface C (route to A's public IPs on 34MBit line)
10.100.0.0/14 interface route via interface C
- create ipsec tunnels:
defined one gateway (217.a.b.c (A1)) set to initiate connection (to site A)
defined one ipsec connection via Interface C to A1
ipsec connection set to bind tunnel to local interface
Result so far:
- all ipsec tunnels are UP and using correct interfaces/IPs
- ping is working from A to C, A to B and the other way round
BUT
the icmp traffic is NOT being distributed among the two tunnels between A and B.
Always the first tunnel (Interface A1 to B1) is being used; there is no traffic shown on the other interface. Disabling the used tunnel does not work either; once I do that, no traffic is flowing anymore between A and B. I can force the usage of the second tunnel by a) changing the order of the interfaces within the interface group on both sites or b) explicitly use the second interface instead of the interface group in the static interface route on both sites.
I do not have default gateways on any interface used for an ipsec tunnel. Everything is done using static routes. That is the option "Uplink balancing" is disabled.
Can anyone confirm a setup like this is even possible? It should be a "piece of cake" but maybe the load balancing mechanism requires the interfaces to be part of the "Uplink Interfaces" group - which I cannot use as there should be no gateway on the interfaces used for VPN. I don't want "ordinary" internet traffic slowing the VPNs down...
Maybe I'm just thinking too complicated ... [:S]
Can anyone help me with this rather advanced setup?
This thread was automatically locked due to age.
