If you run multiple IPsec VPN connections to the same IPsec site (for instance, because you are using SD-WAN), this will interest you. SD-WAN has very good failover options for IPsec VPN, but if you want the VPN connections themselves to fail over to each other, you also need to configure failover for the IPsec VPN connections.
This article explains how to configure failover for multiple IPsec VPN connections on an SD-WAN network.
I am a big fan of SD-WAN and the technology behind it. I have been using it for a couple of years now and it has never let me down. It is simple to set up and configure SD-WAN for multiple devices. The idea behind SD-WAN is to provide a simple, low-overhead way to migrate your branch offices to the cloud: the cloud provides the branch office with capacity, so the local servers and network capacity at that branch office can be removed. This lets you consolidate your IP addresses and reduce the cost of maintaining your branch offices.
1. What is the article's purpose?
This article describes how to set up multiple IPsec VPN connections for redundancy: if the main VPN connection fails, the backup VPN connection over the other internet line takes over.
2. Diagram
Details:
Sophos Firewall 1 (SF1)
- The device has two internet connections: ISP 1 with IP 192.168.2.103 on Port 2 and ISP 2 with IP 192.168.2.117 on Port 3.
- The LAN subnet 10.145.41.1/24 is configured on Port 1, with DHCP assigning addresses to connected devices.
Sophos Firewall 2 (SF2)
- The device has one internet connection with IP 192.168.2.119 on Port 2.
- The LAN subnet 10.146.41.1/24 is configured on Port 1, with DHCP assigning addresses to connected devices.
3. Scenario
Using the two lines ISP 1 and ISP 2, we will create two IPsec site-to-site VPN connections from Sophos Firewall 1 to Sophos Firewall 2.
After that, IPsec failover will be configured so that if the IPsec VPN connection over ISP 1 fails, the IPsec VPN connection over ISP 2 takes its place.
4. Actions to be taken
Sophos Firewall 1 (SF1):
- Create IP host profiles for the local and remote LAN subnets.
- Create an IPsec VPN connection using ISP 1.
- Create an IPsec VPN connection using ISP 2.
- Add two firewall rules to allow VPN traffic.
- Open the HTTPS and PING services for the VPN zone.
Sophos Firewall 2 (SF2):
- Create IP host profiles for the local and remote LAN subnets.
- Create an IPsec VPN connection to ISP 1 of SF1.
- Create an IPsec VPN connection to ISP 2 of SF1.
- Configure failover for the IPsec VPN connections.
- Add two firewall rules to allow VPN traffic.
- Open the HTTPS and PING services for the VPN zone.
Result.
5. Configuration
5.1. Sophos Firewall 1
5.1.1. Create profiles for the local and remote LAN subnets.
Go to Hosts and Services > IP Host and click Add to create the local LAN with the following parameters:
- Name: SF1 LAN
- IP version: IPv4
- Type: Network
- IP address: 10.145.41.0 – Subnet /24 [255.255.255.0]
- Click Save.
Go to Hosts and Services > IP Host and click Add to create the remote LAN with the following parameters:
- Name: SF2 LAN
- IP version: IPv4
- Type: Network
- IP address: 10.146.41.0 – Subnet /24 [255.255.255.0]
- Click Save.
5.1.2. Create an IPsec VPN connection using ISP 1.
Go to VPN > IPsec Connection and click Add. Create an IPsec VPN connection with the parameters shown below, using the ISP 1 port as the listening interface.
Configure the following options in the General settings:
- Name: SF1 to SF2 ISP1
- IP version: IPv4
- Connection type: Site-to-Site
- Gateway type: Respond only
Configure the following options in the Encryption settings:
- Policy: IKEv2
- Authentication type: Preshared key
- Preshared key and Repeat preshared key: enter the same password in both boxes.
Configure the following options in the Gateway settings:
- Listening interface: Port2 – 192.168.2.103
- Gateway address: 192.168.2.119 (the WAN IP of SF2)
- Local subnet: the SF1 LAN profile
- Remote subnet: the SF2 LAN profile
- Click Save.
5.1.3. Create an IPsec VPN connection using ISP 2.
Create a new IPsec connection with the following details, using the ISP 2 port as the listening interface.
Configure the following options in the General settings:
- Name: SF1 to SF2 ISP2
- IP version: IPv4
- Connection type: Site-to-Site
- Gateway type: Respond only
Configure the following options in the Encryption settings:
- Policy: IKEv2
- Authentication type: Preshared key
- Preshared key and Repeat preshared key: enter the same password in both boxes.
Configure the following options in the Gateway settings:
- Listening interface: Port3 – 192.168.2.117
- Gateway address: 192.168.2.119 (the WAN IP of SF2)
- Local subnet: the SF1 LAN profile
- Remote subnet: the SF2 LAN profile
- Click Save.
The two newly created IPsec VPN connections are shown below.
To activate these two VPN connections, click the red circle icon in the Active column under Status.
5.1.4. Allow VPN traffic by adding two firewall rules.
Go to Rules and policies > Add Firewall Rule > New firewall rule. Create two firewall rules as shown below.
5.1.5. Open the HTTPS and PING services for the VPN zone.
We need to open the HTTPS and PING services on the VPN zone so that hosts behind SF1 and SF2 can ping each other.
To do so, go to Administration > Device Access.
Tick HTTPS and PING for the VPN zone and click Apply.
5.2. Sophos Firewall 2
5.2.1. Create profiles for the local and remote LAN subnets.
Go to Hosts and Services > IP Host and click Add to create an IP host for the SF1 LAN subnet with the following parameters:
- Name: SF1 LAN
- IP version: IPv4
- Type: Network
- IP address: 10.145.41.0 – Subnet /24 [255.255.255.0]
- Click Save.
Go to Hosts and Services > IP Host and click Add to create an IP host for the SF2 LAN subnet with the following parameters:
- Name: SF2 LAN
- IP version: IPv4
- Type: Network
- IP address: 10.146.41.0 – Subnet /24 [255.255.255.0]
- Click Save.
5.2.2. Create an IPsec VPN connection to ISP 1 of SF1.
Go to VPN > IPsec Connection and click Add. Create an IPsec VPN connection with the parameters below.
Configure the following options in the General settings:
- Name: SF2 to SF1 ISP1
- IP version: IPv4
- Connection type: Site-to-Site
- Gateway type: Initiate the connection
Configure the following options in the Encryption settings:
- Policy: IKEv2
- Authentication type: Preshared key
- Preshared key and Repeat preshared key: enter the same password in both boxes (the same password that was entered on SF1).
Configure the following options in the Gateway settings:
- Listening interface: Port2 – 192.168.2.119
- Gateway address: 192.168.2.103 (the WAN IP of SF1 on ISP 1)
- Local subnet: the SF2 LAN profile
- Remote subnet: the SF1 LAN profile
- Click Save.
5.2.3. Create an IPsec VPN connection to ISP 2 of SF1.
Create a new IPsec connection with the details below.
Configure the following options in the General settings:
- Name: SF2 to SF1 ISP2
- IP version: IPv4
- Connection type: Site-to-Site
- Gateway type: Initiate the connection
Configure the following options in the Encryption settings:
- Policy: IKEv2
- Authentication type: Preshared key
- Preshared key and Repeat preshared key: enter the same password in both boxes (the same as on SF1).
Configure the following options in the Gateway settings:
- Listening interface: Port2 – 192.168.2.119
- Gateway address: 192.168.2.117 (the WAN IP of SF1 on ISP 2)
- Local subnet: the SF2 LAN profile
- Remote subnet: the SF1 LAN profile
- Click Save.
The two newly created IPsec VPN connections are shown below.
5.2.4. Configure failover for the IPsec VPN connections.
Under the Failover Group section, click Add.
Configure the failover group with the following settings and click Save.
The Failover Group section now looks like the screen below.
To activate the group and establish the main connection, click the red circle icon under Status for the failover group you just created.
5.2.5. Allow VPN traffic by adding two firewall rules.
Go to Rules and policies > Add Firewall Rule > New firewall rule. Create two firewall rules as shown below.
5.2.6. Open the HTTPS and PING services for the VPN zone.
We need to open the HTTPS and PING services on the VPN zone so that hosts behind SF1 and SF2 can ping each other.
To do so, go to Administration > Device Access.
Tick HTTPS and PING for the VPN zone and click Apply.
5.3. Result
From a computer in the SF1 LAN subnet with IP 10.145.41.11, ping a computer in the SF2 LAN subnet with IP 10.146.41.100; the ping succeeds.
From the computer with IP 10.146.41.100, ping the machine with IP 10.145.41.11; you should also get a successful response.
Verify that the VPN firewall rules on both SF1 and SF2 are passing incoming and outgoing traffic by checking the firewall rule list on each device.
On SF1.
On SF2.
Go to Report > VPN and verify IPsec usage.
If the VPN link over ISP 1 goes offline, the IPsec connection switches to the VPN link over ISP 2.
When we terminate the VPN connection on the ISP 1 line, the VPN connection on the ISP 2 line immediately takes its place.
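To put a number on "immediately", here is an added shell script (not part of the article) to run on the SF1 LAN host 10.145.41.11 while you terminate the ISP 1 connection on SF2: it pings the SF2 LAN host 10.146.41.100 once a second and reports each gap in reachability with its length in seconds, which is the failover time the end hosts actually see. It assumes Linux iputils ping (the -W timeout flag) and a POSIX sh with awk.

```shell
#!/bin/sh
# Failover timing check for the SF1 <-> SF2 IPsec tunnels (added example).
# Usage: ./failover_watch.sh [target] [interval]   (defaults: 10.146.41.100, 1 second)

# one_ping HOST: prints "up" or "down" after a single ICMP echo with a 1 s timeout
# (assumes Linux iputils ping; on other platforms adjust the timeout flag).
one_ping() {
    if ping -c 1 -W 1 "$1" >/dev/null 2>&1; then echo up; else echo down; fi
}

# gap_report: reads "epoch state" lines on stdin and prints one line per outage,
#   outage start=<epoch> end=<epoch> seconds=<n>
# An outage still open at end of input is reported with end=ongoing.
gap_report() {
    awk '
        $2 == "down" && !down { down = 1; start = $1; next }
        $2 == "up"   &&  down { print "outage start=" start " end=" $1 " seconds=" ($1 - start); down = 0 }
        END { if (down) print "outage start=" start " end=ongoing" }
    '
}

# watch_failover TARGET INTERVAL: sample reachability forever and feed gap_report,
# so each completed outage is printed as soon as the tunnel comes back.
watch_failover() {
    target=${1:-10.146.41.100}
    interval=${2:-1}
    while :; do
        echo "$(date +%s) $(one_ping "$target")"
        sleep "$interval"
    done | gap_report
}

# Only start sampling when invoked with arguments (e.g. ./failover_watch.sh 10.146.41.100 1).
if [ $# -gt 0 ]; then
    watch_failover "$@"
fi
```

Run it, then terminate the ISP 1 connection on SF2 as in the test above; a single short outage line shows the cut-over to ISP 2, while a long or ongoing outage means the failover group did not take over.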