How to Configure an IPsec VPN Connection with Multiple End Points

Applicable Version: 15.01.0 onwards

Overview

Sophos Firewall (SF) supports VPN failover by letting you define multiple remote endpoints for a single IPsec connection. In other words, one IPsec connection can terminate on several remote servers/gateways, and failover can be configured across those gateways. Multiple endpoints and VPN failover are configured on the same page as a standard IPsec connection. This article describes how to configure an IPsec VPN connection with multiple endpoints.

Scenario

The diagram below shows the Branch Office (BO) and Head Office (HO) network. Connect BO to HO with an IPsec VPN connection that has two endpoints, ISP1 (195.229.241.245) and ISP2 (213.42.25.20). Configure VPN failover between the two endpoints so that if one goes down, traffic is automatically diverted to the other active endpoint.

Configuration

You must be logged in to the Admin Console as an administrator with Read-Write permissions for the relevant feature(s).

Step 1: Create an IPsec Connection on BO

Go to System > VPN > IPsec and click Add to create an IPsec connection using the parameters below.

| Parameter | Value | Description |
| --- | --- | --- |
| Name | BO_to_HO | Name to identify the IPsec connection. |
| Connection Type | Site to Site | Type of connection. |
| Policy | DefaultBranchOffice | Policy to be used for the connection. |
| Action on VPN Restart | Initiate | Action taken when VPN services are restarted. |
| Authentication Type | Preshared Key | Type of authentication used while establishing the connection. |
| Preshared Key | hr5xb84l6aa9r6 | Preshared key used during authentication. |
| Endpoint1 | Local: PortB-203.88.135.105, Remote: 195.229.241.245, Name: BO_to_HO_ISP1 | Details of the first endpoint (the ISP1 address from the scenario). |
| Endpoint2 | Local: PortB-203.88.135.105, Remote: 213.42.25.20, Name: BO_to_HO_ISP2 | Details of the second endpoint (the ISP2 address from the scenario). |
| Failover Group Name | Head_Office | Name to identify the group of endpoints. |
| Failover Mail Notification | Enabled | Enable this if you want SF to send an email to the configured address when failover occurs. Note: emails can only be sent if an SMTP server is configured under System > Administration > Notification. |
| Failover Condition | IF Not able to connect TCP Port 80 AND Not able to PING on Remote VPN Server THEN Shift to next Active Connection | Condition on which SF decides that a connection has gone down and failover is needed. |
| Local Subnet | 172.16.16.0/24 | Local subnet. Multiple subnets can be added. |
| Allow NAT Traversal | Disable | Enable NAT traversal only if a NAT device sits between the VPN endpoints, i.e. when the remote peer has a private/non-routable address. Both endpoints in this scenario have public addresses, so it stays disabled. |
| Remote LAN Network | 192.168.1.0/24 | IP address and netmask of the remote network(s) to be connected. |

Two points to check before clicking OK. First, the preshared key shown above is an example: generate your own long random key, never reuse a published one, and configure the identical key on the HO side. Second, both failover checks target the remote VPN server, so the HO gateway must answer TCP port 80 and ICMP echo from the BO's WAN address; a gateway that answers neither meets the condition even while the tunnel is healthy, and SF will shift endpoints. Because the two checks are combined with AND, a gateway that drops ICMP but still answers TCP port 80 is treated as up.

Click OK to create the IPsec connection.

Step 2: Activate Connection

Upon clicking OK, the following screen is displayed, showing the connections created above. Click the icon under Status (Active) to activate the connections.

Step 3: Create Corresponding IPsec Connections at HO

Create a corresponding IPsec connection at the HO. If SF devices are deployed at HO, refer to the article How To Establish Site-to-Site VPN Connection using a Preshared Key for instructions. If other devices are deployed at HO, refer to the documentation of the respective devices/vendors.

Step 4: Establish Connections

Once all SF devices at the Head and Branch Offices are configured, establish a connection between them. Click the icon under Status (Connection) of the primary connection. In this scenario, the primary connection is BO_to_HO_ISP1.
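The failover rule from Step 1 is easy to misread, so here is an offline model of it as an added example (this is not Sophos Firewall code). It encodes the condition "IF not able to connect TCP port 80 AND not able to PING the remote VPN server THEN shift to next active connection" for the Head_Office group and reports which endpoint traffic should use for a given set of probe results. The real probes use the host's socket API and the Linux ping binary; the selection logic takes the probe functions as parameters so it can be exercised with constructed results and no network. One assumption is made about behaviour the article does not spell out: when the current endpoint fails, the remaining endpoints are tried in the order they were configured, skipping any that are not activated.

```python
"""Offline model of the IPsec failover condition configured in Step 1.

Added example, not Sophos Firewall code.  Assumption: on failure the
remaining endpoints are tried in configured order, skipping any that
are not activated in the admin console.
"""
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# A probe takes the remote address and returns True when the check succeeds.
Probe = Callable[[str], bool]


@dataclass
class Endpoint:
    name: str            # e.g. "BO_to_HO_ISP1"
    remote: str          # public address of the remote VPN server
    active: bool = True  # the Status (Active) toggle from Step 2


def tcp_probe(host: str, port: int = 80, timeout: float = 2.0) -> bool:
    """Real check: can a TCP handshake to host:port complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def icmp_probe(host: str, timeout_s: int = 1) -> bool:
    """Real check: does host answer one ICMP echo request?
    Uses the system ping binary (Linux flags) because raw ICMP sockets
    need root."""
    try:
        result = subprocess.run(
            ["ping", "-c", "1", "-W", str(timeout_s), host],
            capture_output=True, timeout=timeout_s + 2)
        return result.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def endpoint_down(remote: str, tcp: Probe, icmp: Probe) -> bool:
    """The article's failover condition: BOTH checks must fail (AND).
    A gateway that drops ICMP but still answers TCP/80 counts as up."""
    return not tcp(remote) and not icmp(remote)


def select_endpoint(group: List[Endpoint], current: str,
                    tcp: Probe, icmp: Probe) -> Optional[str]:
    """Name of the endpoint traffic should use.

    Keeps `current` while it passes the condition; otherwise shifts to the
    next active endpoint in group order (wrapping around) that is not down.
    Returns None when every active endpoint fails both checks."""
    names = [ep.name for ep in group]
    start = names.index(current)
    for ep in group[start:] + group[:start]:
        if not ep.active:
            continue                 # deactivated in the admin console
        if not endpoint_down(ep.remote, tcp, icmp):
            return ep.name
    return None


# The Head_Office failover group from Step 1.
HEAD_OFFICE = [
    Endpoint("BO_to_HO_ISP1", "195.229.241.245"),
    Endpoint("BO_to_HO_ISP2", "213.42.25.20"),
]


if __name__ == "__main__":
    # Stand-alone run uses the real probes against the scenario addresses.
    print("active endpoint:",
          select_endpoint(HEAD_OFFICE, "BO_to_HO_ISP1", tcp_probe, icmp_probe))
```

With constructed probe results the model behaves as the table describes: if ISP1 fails TCP port 80 but still answers ping, the AND condition is not met and traffic stays on BO_to_HO_ISP1; if ISP1 fails both checks, traffic shifts to BO_to_HO_ISP2; if ISP2 is deactivated or also fails both checks, no endpoint is usable and the function returns None.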
Document Version 1.0 – 17 September, 2015