Hi Bob,
This post is two years old, but I don't see many posts about it. Is there another method to get the IPsec VPN active/active done, with load balancing of traffic?
I checked your post with the "interface groups", but I think I'm doing something wrong.
Can you tell me more about this approach, because on the post you're giving the details for an active/passive VPN.
From what I understood, I have created two "interface groups" on each UTM, one for data, one for VOIP.
Interfaces
UTM1
interface group data : ip_utm1_wan1, ip_utm1_wan2
interface group voip : ip_utm1_wan2, ip_utm1_wan1
UTM2
interface group data : ip_utm2_wan1, ip_utm2_wan2
interface group voip : ip_utm2_wan2, ip_utm2_wan1
VPN Remote Gateway
UTM1
Remote 1 : respond only
Remote 2: respond only
UTM2
initiate 1 : Availability group data (ip_utm1_wan1, ip_utm1_wan2)
initiate 2 : Availability group voip (ip_utm1_wan2, ip_utm1_wan1)
VPN Connections
UTM1
Connection data :
Remote GW Respond only
Local Interface : interface group data
Connection voip :
Remote GW Respond only
Local Interface : interface group voip
UTM2
Connection data :
Remote : Availability group data
Local Interface : interface group data
-> this will connect to "ip_utm1_wan1" from "ip_utm2_wan1".
Connection voip :
Remote : Availability group voip
Local Interface : interface group voip
-> this will connect to "ip_utm1_wan2" from "ip_utm2_wan2".
Result
The first VPN ("data") went UP, but I got a logic route error on the second VPN ("voip"): "utm2 pluto[57682]: "S_IPsec VOIP" #6: cannot route -- route already in use for "S_IPsec DATA""
I tried to bind tunnel to the local interface, but I don't really know what that does.
Any ideas or could you share your config? Thank you anyway :)
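The pluto message quoted above is the one sign that two IPsec connections are competing for the same route. As an added example (not part of this thread or of Sophos UTM), here is a small log check that pulls such conflicts out of pluto log lines so they can be spotted in a syslog feed; the sample lines are constructed, with the conflict line taken from the post and the remaining lines invented to show non-matching traffic.

```python
import re
from typing import List, Tuple

# Matches the pluto route-conflict message:
#   <host> pluto[<pid>]: "<new conn>" #<n>: cannot route -- route already in use for "<existing conn>"
ROUTE_CONFLICT = re.compile(
    r'pluto\[\d+\]: "(?P<new>[^"]+)" #\d+: cannot route -- '
    r'route already in use for "(?P<existing>[^"]+)"'
)

# Constructed sample log lines. The conflict line is the one reported in the
# thread; the others are invented, harmless pluto chatter for contrast.
SAMPLE_LOG = [
    'utm2 pluto[57682]: "S_IPsec DATA" #5: STATE_QUICK_I2: sent QI2, IPsec SA established',
    'utm2 pluto[57682]: "S_IPsec VOIP" #6: cannot route -- route already in use for "S_IPsec DATA"',
    'utm2 pluto[57682]: "S_IPsec VOIP" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL',
]


def find_route_conflicts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (new_connection, existing_connection) pairs for every
    route-conflict message found in the given pluto log lines."""
    conflicts = []
    for line in lines:
        match = ROUTE_CONFLICT.search(line)
        if match:
            conflicts.append((match.group("new"), match.group("existing")))
    return conflicts


def summarize(lines: List[str]) -> str:
    """Human-readable summary: which connection failed to route and which
    connection already holds the route it wanted."""
    conflicts = find_route_conflicts(lines)
    if not conflicts:
        return "no IPsec route conflicts found"
    return "\n".join(
        f'connection "{new}" could not route: route already owned by "{existing}"'
        for new, existing in conflicts
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against a real `/var/log/ipsec.log` stream, each reported pair names the connection whose tunnel came up second and the connection holding the route, which is exactly what needs attention before looking at interface binding or multipath rules.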
Hi!
In fact, an active/active is done differently, but I don't think it's what you want. This has only been possible since a little more than three years ago. I copied a blog post by Michael Klehr here. I had intended to translate it into English, but it has so many pictures that I never took the time.
He creates two complete tunnels using two WAN connections in each site. The trick to this is binding the IPsec Connections on each side to a particular interface. This prevents WebAdmin from automatically creating routes for the traffic so that you can use Multipath rules to select which traffic goes over which tunnel. He uses Interface Groups because he wants all traffic to use one connection as a priority and only use the other instantaneously when the first tunnel fails. I don't think that's what you want.
The approach in the current thread is different. It creates one tunnel for VoIP traffic and a second one for all other traffic with each tunnel failing over to the other connection if there's a problem. You do not want to bind the tunnels to an interface when using this approach.
The only time you need a 'Respond only' gateway is when you don't know the IP/FQDN from which the other site is coming.
I'm better at seeing things with pictures of configurations as in Michael's blog, so I may not have followed your description. I suspect that you can use 'Initiate connection' everywhere and that you may have mixed up where to use Interface Groups and Availability Groups. If that hint doesn't resolve the issue, please post pictures of the Edits of the IPsec Connections and Remote Gateways from both UTMs.
Cheers - Bob
Hi Bob,
I followed the tutorial that you have mentioned (https://community.sophos.com/products/unified-threat-management/w/utm-wiki/3/sophos-utm-multiple-s2s-ipsec-vpn-mit-failover-tutorial-de), and it works like a charm.
To validate the setup I used tcpdump and I saw that the UTM was effectively using round robin to balance the traffic between the tunnels.
Thank you very much!