I have a UTM (9.203-3) running in AWS and terminating IPsec tunnels from 100 sites. To get it working on all the remote sites we had to set the remote VPN ID to the UTM's private IP. I would like to have a preconfigured hot standby node running in a second availability zone so that I can just move the Elastic IP address to it in case of an Amazon availability zone failure.
The problem is that, because we are using the private IP as the remote VPN ID, in the event of a failure we have to reconfigure all 100 remote gateways to use the standby node's private IP to get the VPN to work.
This problem could easily be solved if UTM allowed you to change the "local" VPN ID to a hostname instead of an IP - in strongSwan the setting is called "leftid". Currently this setting is only available under the Local RSA Key VPN options and not for preshared key authentication.
I found two feature requests:
VPN: Local VPN ID choices when using Pre-Shared-Key
Expand ipsec.conf control to webadmin
If someone from the Sophos team is reading this, any thoughts or suggestions would be much appreciated.
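For readers unfamiliar with the setting the post refers to, here is what the distinction looks like in a raw strongSwan ipsec.conf. This is an added illustration, not configuration from the original post and not something the UTM WebAdmin exposes for PSK tunnels (which is the point of the request). The connection name, the hub FQDN vpn-hub.example.com, the private address 10.0.1.23, the peer address 203.0.113.10 and the subnets are all constructed placeholder values.

```ini
# --- Problematic form: identity tied to the instance's private IP ---
# If the hub fails over to a standby instance with a different private IP,
# every remote peer's rightid no longer matches and IKE authentication fails.
conn site-001-ip-id
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=10.0.1.23                  # constructed private IP of the active hub
    leftsubnet=10.0.0.0/16            # constructed hub-side network
    right=203.0.113.10                # constructed remote gateway address
    rightid=203.0.113.10
    rightsubnet=192.168.1.0/24        # constructed remote network
    auto=add

# --- Portable form: identity is an FQDN, independent of any address ---
# The leading "@" tells strongSwan to send the string as an FQDN ID payload
# without resolving it, so a standby node with a different private IP can
# present exactly the same identity and the peers need no reconfiguration.
conn site-001-fqdn-id
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    leftid=@vpn-hub.example.com       # constructed hub identity
    leftsubnet=10.0.0.0/16
    right=203.0.113.10
    rightid=203.0.113.10
    rightsubnet=192.168.1.0/24
    auto=add

# ipsec.secrets entry for the FQDN form (constructed key): the PSK is looked up
# by the identities on both sides rather than by the hub's address.
# @vpn-hub.example.com 203.0.113.10 : PSK "replace-with-a-strong-random-secret"
```

The remote gateways would then be configured with the hub's FQDN as their remote VPN ID (rightid from their point of view), and the standby node carries the same leftid in its own configuration. One caveat when doing this with preshared keys: with IKEv1 main mode the responder must pick the PSK before the peer's ID payload has been received, so PSK selection effectively falls back to the IP address; FQDN identities with PSK behave as intended under IKEv2 (or IKEv1 aggressive mode).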