active/active IPsec with 2 ISPs?

Hi,

is it possible to have an active/active IPsec connection between 2 UTMs (running on 9.3.x)?
Background is that in Site 2 the internet connections from both providers are not very stable...

Site 1:
ISP1: Ext. IP 217.x.x.1 
ISP2: Ext. IP 218.x.x.1

Site 2:
ISP1: Ext. IP 219.x.x.1
ISP2: Ext. IP 220.x.x.1


Could you tell me how to set it up?
I guess I would need active/active uplink balancing and 2 IPsec connections on each site?

Many thanks for your help!


  • Thomas, there's a better way to do this now: Auto-Failover IPsec VPN Connections.  A few posts before that one will show you the "old" approach with Uplink Balancing.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    This post is two years old, but I don't see many posts about it. Is there another method to get the VPN IPsec active/active done and load-balance the traffic?

    I checked your post with the "interface groups", but I think I'm doing something wrong.

    Can you tell me more about this approach, because in the post you're giving the details for an active/passive VPN.

    From what I understood, I have created two "interface groups" on each UTM, one for data, one for VOIP.

    Interfaces

    UTM1
    interface group data : ip_utm1_wan1, ip_utm1_wan2
    interface group voip : ip_utm1_wan2, ip_utm1_wan1

    UTM2
    interface group data : ip_utm2_wan1, ip_utm2_wan2
    interface group voip : ip_utm2_wan2, ip_utm2_wan1

    VPN Remote Gateway

    UTM1
    Remote 1 : respond only
    Remote 2 : respond only

    UTM2
    initiate 1 : Availability group data (ip_utm1_wan1, ip_utm1_wan2)
    initiate 2 : Availability group voip (ip_utm1_wan2, ip_utm1_wan1)

    VPN Connections

    UTM1
    Connection data :
    Remote GW : Respond only
    Local Interface : interface group data

    Connection voip :
    Remote GW : Respond only
    Local Interface : interface group voip

    UTM2
    Connection data :
    Remote : Availability group data
    Local Interface : interface group data
    -> this will connect to "ip_utm1_wan1" from "ip_utm2_wan1".

    Connection voip :
    Remote : Availability group voip
    Local Interface : interface group voip
    -> this will connect to "ip_utm1_wan2" from "ip_utm2_wan2".

    Result

    The first VPN ("data") went UP, but I got a logic route error on the second VPN ("voip") : "utm2 pluto[57682]: "S_IPsec VOIP" #6: cannot route -- route already in use for "S_IPsec DATA""

    I tried to bind the tunnel to the local interface, but I don't really know what that does.

    Any ideas, or could you share your config? Thank you anyway :)

  • Salut !

    In fact, an active/active is done differently, but I don't think it's what you want.  This has only been possible since a little more than three years ago.  I copied a blog post by Michael Klehr here.  I had intended to translate it into English, but it has so many pictures that I never took the time.

    He creates two complete tunnels using two WAN connections in each site.  The trick to this is binding the IPsec Connections on each side to a particular interface.  This prevents WebAdmin from automatically creating routes for the traffic so that you can use Multipath rules to select which traffic goes over which tunnel.  He uses Interface Groups because he wants all traffic to use one connection as a priority and only use the other instantaneously when the first tunnel fails.  I don't think that's what you want.

    The approach in the current thread is different.  It creates one tunnel for VoIP traffic and a second one for all other traffic with each tunnel failing over to the other connection if there's a problem.  You do not want to bind the tunnels to an interface when using this approach.

    The only time you need a 'Respond only' gateway is when you don't know the IP/FQDN from which the other site is coming.

    I'm better at seeing things with pictures of configurations as in Michael's blog, so I may not have followed your description.  I suspect that you can use 'Initiate connection' everywhere and that you may have mixed up where to use Interface Groups and Availability Groups.  If that hint doesn't resolve the issue, please post pictures of the Edits of the IPsec Connections and Remote Gateways from both UTMs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I followed the tutorial that you have mentioned (https://community.sophos.com/products/unified-threat-management/w/utm-wiki/3/sophos-utm-multiple-s2s-ipsec-vpn-mit-failover-tutorial-de), and it works like a charm.

    To validate the setup I used tcpdump and I saw that the UTM was effectively using round robin to balance the traffic between the tunnels.

    Thank you very much!
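One way to turn the tcpdump check described above into a repeatable test, as an added example that is not part of this thread or of Sophos UTM: it parses ESP lines from a tcpdump capture and reports how outbound ESP traffic is split across the two tunnels. The capture below is constructed, with TEST-NET addresses standing in for the sites' WAN IPs (203.0.113.x for site 2's two uplinks, 198.51.100.x for site 1's); the function names are my own.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -ni <wan-if> esp` output as seen on the
# initiating UTM. 203.0.113.1/.2 stand in for its two WAN IPs, 198.51.100.1/.2
# for the two WAN IPs of the responding UTM (one tunnel per WAN pair).
SAMPLE_CAPTURE = """\
10:00:00.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0a0b0c01,seq=0x10), length 132
10:00:00.000423 IP 203.0.113.2 > 198.51.100.2: ESP(spi=0x0a0b0c02,seq=0x10), length 132
10:00:00.001002 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0a0b0c01,seq=0x11), length 132
10:00:00.001510 IP 203.0.113.2 > 198.51.100.2: ESP(spi=0x0a0b0c02,seq=0x11), length 132
10:00:00.002044 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x0d0e0f01,seq=0x20), length 116
10:00:00.002600 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x0a0b0c01,seq=0x12), length 132
10:00:00.003100 IP 203.0.113.2 > 198.51.100.2: ESP(spi=0x0a0b0c02,seq=0x12), length 132
"""

ESP_RE = re.compile(
    r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ESP\(spi=(?P<spi>0x[0-9a-f]+)")


def count_outbound_esp(capture, local_ips):
    """Count outbound ESP packets per (local WAN IP, remote WAN IP) tunnel.
    Only packets sourced from one of local_ips are counted; inbound ESP
    and non-ESP lines are ignored."""
    tunnels = Counter()
    for line in capture.splitlines():
        m = ESP_RE.search(line)
        if m and m.group("src") in local_ips:
            tunnels[(m.group("src"), m.group("dst"))] += 1
    return tunnels


def balance_report(tunnels, max_skew=0.2):
    """Return (balanced, shares). balanced is True only when at least two
    tunnels carry traffic and no tunnel's share deviates from an even split
    by more than max_skew (0.2 = 20 percentage points). A single active
    tunnel means failover, not active/active balancing."""
    total = sum(tunnels.values())
    if total == 0 or len(tunnels) < 2:
        return False, {}
    even = 1 / len(tunnels)
    shares = {t: n / total for t, n in tunnels.items()}
    balanced = all(abs(s - even) <= max_skew for s in shares.values())
    return balanced, shares


if __name__ == "__main__":
    counts = count_outbound_esp(SAMPLE_CAPTURE, {"203.0.113.1", "203.0.113.2"})
    ok, shares = balance_report(counts)
    for (src, dst), share in sorted(shares.items()):
        print(f"{src} -> {dst}: {counts[(src, dst)]} pkts ({share:.0%})")
    print("round-robin OK" if ok else "traffic is NOT balanced across tunnels")
```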
