Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 1 subscriber
  • Views 1655 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Redundant IPsec VPNs

sethkush
I have two sites with a UTM at each.  There is a wireless point to point setup between the two sites.  Currently the wireless is setup with an IPsec VPN to provide access between the LANs at both sites.  I would like to have a WAN VPN as a failover for the wireless.  Can I setup uplink balancing on the External and Wireless ports to send IPsec through wireless unless it fails, and still have all internet traffic go through the WAN?


This thread was automatically locked due to age.
Parents
  • 0
    Assuming your current VPN over the wireless link is 

    172.16.1.0/24=10.1.1.110.1.1.2=172.16.2.0/24


    and that your WAN IPs are 184.184.90.90 at your site and 184.184.91.91 at the other:

      In the remote site's Remote Gateway definition, if it is "Initiate Connection," replace the Host definition in 'Gateway' with an Availability Group containing, in order, the Host definition for 10.1.1.1 and a new Host for 184.184.90.90.
    • In your site, create an Interface Group containing, in order, the wireless interface and the External interface.
    • In your IPsec Connection, replace the wireless interface in 'Local Interface' with the new Interface Group just created.

    In essence, you've built a VPN definition that can connect via two paths, not two VPN definitions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Assuming your current VPN over the wireless link is 

    172.16.1.0/24=10.1.1.110.1.1.2=172.16.2.0/24


    and that your WAN IPs are 184.184.90.90 at your site and 184.184.91.91 at the other:

      In the remote site's Remote Gateway definition, if it is "Initiate Connection," replace the Host definition in 'Gateway' with an Availability Group containing, in order, the Host definition for 10.1.1.1 and a new Host for 184.184.90.90.
    • In your site, create an Interface Group containing, in order, the wireless interface and the External interface.
    • In your IPsec Connection, replace the wireless interface in 'Local Interface' with the new Interface Group just created.

    In essence, you've built a VPN definition that can connect via two paths, not two VPN definitions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML