Multiple connections between UTM's

I have 2 sites each with SG 310 UTM's running Version 9.355. I have an ipsec tunnel on one external interface connecting the devices. The tunnel is  used for RDP sessions and local Internet traffic is also on this interface. Each site has a second external interface. I would like to use the second interface for replication/backup traffic only. Doesn't seem possible to bring up another ipsec tunnel using the second interface, I get a Route already in use message. Is there a solution? Sharing the existing interface tunnel with replication traffic causes a very unsatisfactory user experience.



  • Mike, it is possible to bind the IPsec Connections to specific interfaces and then use Routing or Multipath rules to select the tunnel to be used for specific traffic.

    If the replication traffic is between different subnets, then you can use the approach I described in Auto-Failover IPsec VPN Connections.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob. Binding to local interface did bring up both tunnels. Replicating using AppAssure like this: Site 1, Internal Subnet 1, AppAssure Core 1 replicating to Site 2, Internal Subnet 2, AppAssure Core 2. (And vice versa, Core 2 replicates back to Core 1.) Since I need both tunnels up at the same time with different traffic going over each tunnel, it seems I need Multipath rules? It's not really a failover scenario.

    So my Multipath rule at Site 2, where RDP traffic originates, would look like: Internal 2, RDP, to Internal 1, Persistence by Interface, Bind to Interface for VPN 1? (VPN 2 is the one I will use for replication.)

  • So it looked like my test environment was a success. Traffic from one server at the remote site to a backup server at the home site was going over the dedicated backup VPN while normal RDP sessions were going over the other VPN and web browsing was using the correct interface. Then I noticed that I was not receiving notifications, daily Executive Reports, or Weekly Backups from the remote site.

    All of my remote sites have Request Routing on DNS Services so they get proper inside resolution on our domain. Looking at Mail Manager I could see that the remote firewall was failing DNS for the mail server. Doing a DNS lookup in Tools failed, and doing a tracert showed that traffic to servers.ourdomain.com was going out the bind interface instead of the VPN. Shutting down the 2nd VPN tunnel and unbinding the interface on the primary VPN restored proper DNS Request Routing, email, and tracert.

    Is there a work around?

  • I'm not sure what you mean by "I could see that the remote firewall was failing DNS for the mail server." Are you running split-DNS, and was the remote 310 getting the public IP instead of your private IP?

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA