Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 1719 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec sit-to-site with RSA

corsairetc
Hello, 
recently I was manage backup internet connection. This two connections are connected to cisco router and the yre hadled via BGP protocol. 
My question is:
We have two astaro's conected together vis IPsec site-to-site with RSA key's.
What should I do to add this backup connection to remote astaro. It enough to create second remote gateway with second public IP adress and put there RSA public key on remote side.


This thread was automatically locked due to age.
  • 0
    Usually, the following is done with two, active WAN connections.

    On the side with two WAN connections "WAN 1" and "WAN 2", create an Interface Group "VPN Group" ={WAN 1, WAN 2}.  In the 'IPsec Connection' select "VPN Group" for 'Local Interface'.

    On the other side, create an Availability Group "Central" containing, in order, the IPs of "WAN 1 (Address)" and "WAN 2 (Address)" above.  Use "Central" as the 'Gateway' in the 'Remote Gateway' definition.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Thank you, but I has only one wan interface for astaro which is connected from Cisco router of our ISP provider. On this cisco router with BGP protocol is connected this two wan networks. I only known public IP adress of this two internet connections. 
    I try to conclusion, if the remote side want to route ipsec traffic to our backup internet connection, they have to change remote gateway in ipsec connection.
  • 0
    This is a little confusing.  If you really have BGP, then the IP shouldn't change, just the route to it, and that should be invisible to the other site.  If not, the easy solution is to replace the Remote Gateway in the other Astaro with an identical one in "Respond only" mode.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Thank you for advice. We have on wan interface set our public IP address for mail purposes. 
    I try to set on remote astaro Respond only mode and add to existing remote gaeway with our public address.
Unfiltered HTML