Sophos XGS: How to configure Failover for multiple IPSec VPN using SD-WAN

1. The purpose of the article

This article describes the steps to configure multiple IPsec VPN connections for redundancy. If the primary VPN link doesn’t work, the backup Internet VPN link takes its place.

2. Diagram

Details:

Sophos Firewall 1 (SF1)

  • On a device with 2 internet lines, ISP 1 has IP 192.168.2.103 configured at Port 2 and ISP 2 has IP 192.168.2.117 configured at Port 3.
  • The LAN subnet is configured at Port 1 with IP 10.145.41.1/24, and DHCP is configured to allocate addresses to connected devices.

Sophos Firewall 2 (SF2)

  • On the device, there is an internet line with IP 192.168.2.119 configured at Port 2.
  • The LAN subnet is configured at Port 1 with IP 10.146.41.1/24, and DHCP is configured to allocate addresses to connected devices.

3. Scenario

We will configure 2 IPsec site-to-site VPN connections from the Sophos Firewall 1 device to Sophos Firewall 2, one over the ISP 1 line and one over the ISP 2 line.

After that, IPsec failover will be configured so that when the IPsec VPN connection over ISP 1 has a problem, the IPsec VPN connection over ISP 2 takes over.

4. Steps to take

Sophos Firewall 1:

  • Create profiles for local and remote LAN subnets.
  • Create IPSec VPN connection using ISP 1.
  • Create IPSec VPN connection using ISP 2.
  • Add 2 firewall rules to allow VPN traffic.
  • Open the 2 services HTTPS and PING for the VPN zone.

Sophos Firewall 2:

  • Create profiles for local and remote LAN subnets.
  • Create an IPSec VPN connection to ISP 1.
  • Create an IPSec VPN connection to ISP 2.
  • Configure Failover for IPSec VPN connections.
  • Add 2 firewall rules to allow VPN traffic.
  • Open the 2 services HTTPS and PING for the VPN zone.

Result.

5. Configuration

5.1. Sophos Firewall 1

5.1.1. Create profiles for local and remote LAN subnets

Click Hosts and Services > IP Host and click Add to create a local LAN with the following parameters:

  • Name*: SF1_LAN.
  • IP version*: IPv4.
  • Type*: Network
  • IP address*: 10.145.41.0 – Subnet /24[255.255.255.0].
  • Click Save.

Click Hosts and Services > IP Host and click Add to create a remote LAN with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network
  • IP address*: 10.146.41.0 – Subnet /24[255.255.255.0].
  • Click Save.

5.1.2. Create IPSec VPN connection using ISP 1

Click VPN > IPsec Connection and click Add. Create an IPsec VPN connection with the parameters shown below and use the ISP1 port as the Listening Interface.

Configure General settings with the following parameters:

  • Name: SF1_to_SF2_ISP1.
  • IP version: select IPv4.
  • Connection type: select Site-to-site.
  • Gateway type: Respond only.

Configure Encryption with the following parameters:

  • Policy: select IKEv2
  • Authentication type: select Preshared key
  • Enter the password in the 2 boxes Preshared key and Repeat preshared key.

Configure Gateway settings with the following parameters:

  • Listening interface: select Port2 – 192.168.2.103.
  • Gateway address: enter SF2’s IP WAN as 192.168.2.119.
  • Local subnet: select profile SF1_LAN.
  • Remote subnet: select profile SF2_LAN.
  • Click Save.

5.1.3. Create IPSec VPN connection using ISP 2

Create another IPsec connection using the information shown below and use the ISP2 port as the Listening Interface.

Configure General settings with the following parameters:

  • Name: SF1_to_SF2_ISP2.
  • IP version: select IPv4.
  • Connection type: select Site-to-site.
  • Gateway type: select Respond only.

Configure Encryption with the following parameters:

  • Policy: select IKEv2.
  • Authentication type: select Preshared key.
  • Enter the password in the 2 boxes Preshared key and Repeat preshared key.

Configure Gateway settings with the following parameters:

  • Listening interface: select Port3 – 192.168.2.117.
  • Gateway address: enter SF2’s IP WAN as 192.168.2.119.
  • Local subnet: select profile SF1_LAN.
  • Remote subnet: select profile SF2_LAN.
  • Click Save.

The two newly created IPsec VPN connections will appear as follows.

Click on the red circle icon in the Status Active column to enable these 2 VPN connections.

5.1.4. Add 2 firewall rules to allow VPN traffic.

Click Rules and policies > Add Firewall Rule > New firewall rule. Create 2 firewall rules as shown below.

5.1.5. Open 2 HTTPS and PING services for VPN zone.

To be able to ping between the hosts behind the two devices SF1 and SF2 through the IPsec VPN, we need to open the HTTPS and PING services on the VPN zone.

To open them, go to Administration > Device Access.

Select the HTTPS and PING services for the VPN zone and click Apply to save.

5.2. Sophos Firewall 2

5.2.1. Create profiles for local and remote LAN subnets

Click Hosts and Services > IP Host and click Add to create a local LAN with the following parameters:

  • Name*: SF1_LAN.
  • IP version*: IPv4.
  • Type*: Network
  • IP address*: 10.145.41.0 – Subnet /24[255.255.255.0].
  • Click Save.

Click Hosts and Services > IP Host and click Add to create a remote LAN with the following parameters:

  • Name*: SF2_LAN.
  • IP version*: IPv4.
  • Type*: Network
  • IP address*: 10.146.41.0 – Subnet /24[255.255.255.0].
  • Click Save.

5.2.2. Create an IPSec VPN connection to ISP 1

Click VPN > IPsec Connection and click Add. Create an IPsec VPN connection using the parameters below.

Configure General settings with the following parameters:

  • Name: SF2_to_SF1_ISP1.
  • IP version: select IPv4.
  • Connection type: select Site-to-site.
  • Gateway type: Initiate the connection.

Configure Encryption with the following parameters:

  • Policy: select IKEv2
  • Authentication type: select Preshared key
  • Enter the password in the 2 boxes Preshared key and Repeat preshared key (enter the same password as entered on SF1).

Configure Gateway settings with the following parameters:

  • Listening interface: select Port2 – 192.168.2.119.
  • Gateway address: enter SF1’s IP WAN (ISP 1) as 192.168.2.103.
  • Local subnet: select profile SF2_LAN.
  • Remote subnet: select profile SF1_LAN.
  • Click Save.

5.2.3. Create an IPSec VPN connection to ISP 2.

Create another IPsec connection using the information below.

Configure General settings with the following parameters:

  • Name: SF2_to_SF1_ISP2.
  • IP version: select IPv4.
  • Connection type: select Site-to-site.
  • Gateway type: select Initiate the connection.

Configure Encryption with the following parameters:

  • Policy: select IKEv2.
  • Authentication type: select Preshared key.
  • Enter the password in the 2 boxes Preshared key and Repeat preshared key (enter the same as in SF1).

Configure Gateway settings with the following parameters:

  • Listening interface: select Port3 – 192.168.2.119.
  • Gateway address: enter SF1’s IP WAN (ISP 2) as 192.168.2.117.
  • Local subnet: select profile SF2_LAN.
  • Remote subnet: select profile SF1_LAN.
  • Click Save.

The two newly created IPsec VPN connections will appear as follows.

5.2.4. Configure Failover for IPSec VPN connections.

Below the Failover Group section, click Add.

Configure Failover according to the following parameters and click Save.

The following screen will be displayed for the Failover Group section.

Click on the red circle icon below the Status of the Failover Group that has been created to activate and establish the primary connection.
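The two firewalls are configured by hand in the web UI, so the usual failure is a mismatch between the two ends: a gateway address that is not the peer's listening interface, subnets that are not swapped, different preshared keys or IKE policies, or both ends set to Respond only. The following Python script is an added example, not code from the article or from Sophos. It models the fields filled in during steps 5.1.2, 5.1.3, 5.2.2, 5.2.3 and 5.2.4 as plain objects and checks that each SF1 connection and its SF2 counterpart describe the same tunnel from opposite ends, and that the SF2 failover group members carry the same subnets over different paths. The addresses and names are the article's; the preshared key value, the 20-character minimum and the failover-group rules are assumptions made for the example.

```python
"""Consistency check for a pair of Sophos Firewall IPsec site-to-site connections.

Added example: not code from the article and not Sophos software.  It models the
fields the article fills in through the web UI as plain Python objects and checks
that SF1's connection and SF2's matching connection are mirror images.  Addresses
and names are the article's; the preshared key value, MIN_PSK_LEN and the
failover-group rules are assumptions chosen for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MIN_PSK_LEN = 20  # assumed local policy, not a Sophos requirement


@dataclass(frozen=True)
class IPsecConnection:
    name: str
    gateway_type: str      # "Respond only" or "Initiate the connection"
    policy: str            # IKE policy, e.g. "IKEv2"
    preshared_key: str
    listening_ip: str      # IP of the listening interface on this firewall
    gateway_address: str   # peer firewall's WAN IP
    local_subnet: str
    remote_subnet: str


def check_connection(c: IPsecConnection) -> list[str]:
    """Checks that apply to one side on its own."""
    problems = []
    for label, value in (("listening interface", c.listening_ip), ("gateway address", c.gateway_address)):
        try:
            ip_address(value)
        except ValueError:
            problems.append(f"{c.name}: {label} {value!r} is not a valid IP address")
    if c.listening_ip == c.gateway_address:
        problems.append(f"{c.name}: listening interface and gateway address are the same host")
    if ip_network(c.local_subnet).overlaps(ip_network(c.remote_subnet)):
        problems.append(f"{c.name}: local and remote subnets overlap")
    if len(c.preshared_key) < MIN_PSK_LEN:
        problems.append(f"{c.name}: preshared key shorter than {MIN_PSK_LEN} characters")
    return problems


def check_peer_pair(a: IPsecConnection, b: IPsecConnection) -> list[str]:
    """Return the problems found; an empty list means a and b are mirror images."""
    problems = check_connection(a) + check_connection(b)
    if a.gateway_address != b.listening_ip:
        problems.append(f"{a.name} points at {a.gateway_address}, but {b.name} listens on {b.listening_ip}")
    if b.gateway_address != a.listening_ip:
        problems.append(f"{b.name} points at {b.gateway_address}, but {a.name} listens on {a.listening_ip}")
    if (ip_network(a.local_subnet) != ip_network(b.remote_subnet)
            or ip_network(a.remote_subnet) != ip_network(b.local_subnet)):
        problems.append(f"{a.name}/{b.name}: local and remote subnets are not swapped copies of each other")
    if a.preshared_key != b.preshared_key:
        problems.append(f"{a.name}/{b.name}: preshared keys differ")
    if a.policy != b.policy:
        problems.append(f"{a.name}/{b.name}: IKE policies differ ({a.policy} vs {b.policy})")
    if {a.gateway_type, b.gateway_type} != {"Respond only", "Initiate the connection"}:
        problems.append(f"{a.name}/{b.name}: one side must initiate and the other must respond only")
    return problems


def check_failover_group(members: list[IPsecConnection]) -> list[str]:
    """Assumed rules for a failover group: at least two members, every member protects
    the same local/remote subnet pair, and no two members share the same path."""
    problems = []
    if len(members) < 2:
        problems.append("a failover group needs at least two connections")
        return problems
    first = members[0]
    for m in members[1:]:
        if ((ip_network(m.local_subnet), ip_network(m.remote_subnet))
                != (ip_network(first.local_subnet), ip_network(first.remote_subnet))):
            problems.append(f"{m.name}: subnets differ from {first.name}")
    paths = {(m.listening_ip, m.gateway_address) for m in members}
    if len(paths) != len(members):
        problems.append("two members use the same listening interface and gateway address, so they fail together")
    return problems


# Constructed from the article's addresses; the preshared key is a placeholder.
PSK = "replace-with-a-long-random-secret"
SF1_ISP1 = IPsecConnection("SF1_to_SF2_ISP1", "Respond only", "IKEv2", PSK,
                           "192.168.2.103", "192.168.2.119", "10.145.41.0/24", "10.146.41.0/24")
SF1_ISP2 = IPsecConnection("SF1_to_SF2_ISP2", "Respond only", "IKEv2", PSK,
                           "192.168.2.117", "192.168.2.119", "10.145.41.0/24", "10.146.41.0/24")
SF2_ISP1 = IPsecConnection("SF2_to_SF1_ISP1", "Initiate the connection", "IKEv2", PSK,
                           "192.168.2.119", "192.168.2.103", "10.146.41.0/24", "10.145.41.0/24")
SF2_ISP2 = IPsecConnection("SF2_to_SF1_ISP2", "Initiate the connection", "IKEv2", PSK,
                           "192.168.2.119", "192.168.2.117", "10.146.41.0/24", "10.145.41.0/24")

if __name__ == "__main__":
    for pair in ((SF1_ISP1, SF2_ISP1), (SF1_ISP2, SF2_ISP2)):
        print(pair[0].name, "<->", pair[1].name, check_peer_pair(*pair) or "OK")
    print("SF2 failover group:", check_failover_group([SF2_ISP1, SF2_ISP2]) or "OK")
```

Running it with the article's values reports OK for both pairs and for the failover group; editing one value (for example setting both ends of a pair to Respond only, which means neither side ever starts IKE) produces a one-line description of the mismatch before anything is clicked in the UI.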

5.2.5. Add 2 firewall rules to allow VPN traffic

Click Rules and policies > Add Firewall Rule > New firewall rule. Create 2 firewall rules as shown below.

5.2.6. Open 2 HTTPS and PING services for VPN zone.

To be able to ping between the hosts behind the two devices SF1 and SF2 through the IPsec VPN, we need to open the HTTPS and PING services on the VPN zone.

To open them, go to Administration > Device Access.

Select the HTTPS and PING services for the VPN zone and click Apply to save.

5.3. Result

From a computer in the SF1 LAN subnet with IP 10.145.41.11, ping a computer in the SF2 LAN subnet with IP 10.146.41.100; the ping succeeds.

Do the reverse ping from the machine with IP 10.146.41.100 to the machine with IP 10.145.41.11; the result is again a successful ping.

Open the list of firewall rules on both SF1 and SF2 to verify that the VPN firewall rules are passing inbound and outbound traffic.

On SF1.

On SF2.

Go to Report > VPN and verify IPsec usage.

Whenever the ISP 1 Internet VPN link is down, the IPsec connection switches to the ISP 2 Internet VPN link.

We will try disconnecting the VPN connection on the ISP 1 line and see that the VPN connection on the ISP 2 line replaces it automatically.
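The failover test above is only a pass/fail observation. Leaving a ping running from 10.145.41.11 to 10.146.41.100 while the ISP 1 tunnel is taken down, and saving its output, gives enough data to say how long the cut-over actually took. The script below is an added example, not part of the article: it parses standard `ping` reply lines, treats every gap in the icmp_seq numbers as an outage of (missing probes x probe interval) seconds, and compares the mean round-trip time before and after the longest gap, since a change in RTT is a hint that traffic really moved to the other ISP line. The ping log in the script is constructed for the example, not captured output.

```python
"""Measure IPsec failover time from a ping log taken during the ISP 1 cut-over test.

Added example, not part of the original article.  Parses the reply lines that
`ping` prints on Linux/macOS ("64 bytes from ...: icmp_seq=N ttl=.. time=X ms"),
finds gaps in the sequence numbers and reports the outage length and the RTT
before/after it.  SAMPLE_LOG is constructed for the example, not real output.
"""
import re
from statistics import mean

REPLY_RE = re.compile(r"icmp_seq=(\d+) .*time=([\d.]+) ms")

# Constructed sample: ISP 1 tunnel taken down after seq 3, traffic back on the ISP 2 tunnel at seq 9.
SAMPLE_LOG = """\
PING 10.146.41.100 (10.146.41.100) 56(84) bytes of data.
64 bytes from 10.146.41.100: icmp_seq=1 ttl=63 time=1.21 ms
64 bytes from 10.146.41.100: icmp_seq=2 ttl=63 time=1.18 ms
64 bytes from 10.146.41.100: icmp_seq=3 ttl=63 time=1.30 ms
64 bytes from 10.146.41.100: icmp_seq=9 ttl=63 time=2.02 ms
64 bytes from 10.146.41.100: icmp_seq=10 ttl=63 time=1.95 ms
64 bytes from 10.146.41.100: icmp_seq=11 ttl=63 time=1.90 ms

--- 10.146.41.100 ping statistics ---
11 packets transmitted, 6 received, 45% packet loss, time 10012ms
"""


def parse_replies(text: str) -> list[tuple[int, float]]:
    """Return (icmp_seq, rtt_ms) for every echo reply; unanswered probes leave no reply line."""
    return [(int(m.group(1)), float(m.group(2))) for m in REPLY_RE.finditer(text)]


def find_outages(replies: list[tuple[int, float]], interval: float = 1.0) -> list[dict]:
    """Every gap in consecutive sequence numbers is an outage of (missing probes x interval) seconds."""
    outages = []
    for (prev_seq, _), (seq, _) in zip(replies, replies[1:]):
        missing = seq - prev_seq - 1
        if missing > 0:
            outages.append({"first_lost": prev_seq + 1, "last_lost": seq - 1,
                            "lost": missing, "seconds": missing * interval})
    return outages


def rtt_shift(replies: list[tuple[int, float]], outage: dict) -> tuple:
    """Mean RTT (ms, rounded to 0.01) before and after an outage; None if a side has no replies."""
    before = [rtt for seq, rtt in replies if seq < outage["first_lost"]]
    after = [rtt for seq, rtt in replies if seq > outage["last_lost"]]
    return (round(mean(before), 2) if before else None,
            round(mean(after), 2) if after else None)


def analyse(text: str, interval: float = 1.0) -> dict:
    """Summarise a ping log: reply count, all outages, and RTT around the longest outage."""
    replies = parse_replies(text)
    outages = find_outages(replies, interval)
    report = {"replies": len(replies), "outages": outages}
    if outages:
        longest = max(outages, key=lambda o: o["lost"])
        report["longest_seconds"] = longest["seconds"]
        report["rtt_before_ms"], report["rtt_after_ms"] = rtt_shift(replies, longest)
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{result['replies']} replies, {len(result['outages'])} outage(s)")
    for o in result["outages"]:
        print(f"  seq {o['first_lost']}-{o['last_lost']}: {o['lost']} probes lost, ~{o['seconds']:.0f} s")
    if result["outages"]:
        print(f"  RTT before {result['rtt_before_ms']} ms, after {result['rtt_after_ms']} ms")
```

To use it on a real test, run `ping 10.146.41.100 | tee failover.log` on the SF1-side host, pull the ISP 1 link, and pass the file contents to `analyse()`; pass the `-i` value you used as `interval` if it was not the default one second. On the constructed log this reports one outage of 5 probes, about 5 seconds, with the RTT moving from 1.23 ms to 1.96 ms.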
