Sophos XG Firewall: How to configure an IPsec VPN
failover with multiple connections
KB-000035828 Jun 19, 2020 6 people found this article helpful
Overview
This article describes the steps to configure multiple IPsec VPN connections for redundancy. If the ISP1 Internet link goes down, failover to the ISP2 Internet link takes place.

The following sections are covered:

Configuring Sophos Firewall 1
Configuring Sophos Firewall 2
Results
Related information

Applies to the following Sophos products and versions
Sophos Firewall

Configuring Sophos Firewall 1

Add local and remote LAN
1. Go to Hosts and Services > IP Host and select Add to create the local LAN.

2. Go to Hosts and Services > IP Host and select Add to create the remote LAN.

Create an IPsec VPN connection

1. Go to VPN > IPsec Connections and select Add. Create a connection using the following parameters and using ISP1 as the Listening Interface.

2. Create another connection using the following parameters and using ISP2 as the Listening Interface.

3. The following screen will be displayed.

4. Click the icon under Status (Active) to activate the connections.

Add two firewall rules allowing VPN traffic

1. Go to Firewall and click +Add Firewall Rule. Create two User/Network Rules as shown below.

Configuring Sophos Firewall 2
Add local and remote LAN
1. Go to Hosts and Services > IP Host and select Add to create the local LAN.

2. Go to Hosts and Services > IP Host and select Add to create the remote LAN.

Create an IPsec VPN connection

1. Go to VPN > IPsec Connections and select Add. Create a connection using the following parameters and using ISP1 as the Gateway Address.

2. Create another connection using the following parameters and using ISP2 as the Gateway Address.

3. The following screen will be displayed.

4. Under the Failover Group section, click Add.

5. Configure the Failover Group according to the following parameters and then click Save.

Note: Starting from SFOS version 17.5, you can enable the Automatic failback option to automatically fail back to the primary IPsec connection when it is restored.


6. The following screen will be displayed for the Failover Group section.

7. Click the icon under Status of the Failover Group that was created to activate and establish the primary connection.
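To make the difference the note above describes concrete, here is an added Python model of a two-member failover group (illustration only, not Sophos code; the tunnel names and the behaviour without automatic failback, namely staying on the secondary until an administrator intervenes, are assumptions):

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class FailoverGroup:
    """Primary/secondary IPsec connection pair, as in the Failover Group section."""
    primary: str                      # connection listening on ISP1 (assumed name)
    secondary: str                    # connection listening on ISP2 (assumed name)
    automatic_failback: bool = False  # the SFOS 17.5+ option from the note
    active: Optional[str] = None
    log: list = field(default_factory=list)

    def update(self, link_up: dict) -> Optional[str]:
        """Apply the current link state of both members and return the active tunnel."""
        prev = self.active
        # 1. Active tunnel lost: move to the other member if its link is up.
        if self.active is not None and not link_up[self.active]:
            other = self.secondary if self.active == self.primary else self.primary
            self.active = other if link_up[other] else None
        # 2. Nothing active: establish the primary if possible, otherwise the secondary.
        if self.active is None:
            for name in (self.primary, self.secondary):
                if link_up[name]:
                    self.active = name
                    break
        # 3. Running on the secondary while the primary is back: fail back only if enabled
        #    (assumption: without the option the group stays on the secondary).
        elif (self.active == self.secondary and link_up[self.primary]
              and self.automatic_failback):
            self.active = self.primary
        if self.active != prev:
            self.log.append(f"{prev} -> {self.active}")
        return self.active


def simulate(events, automatic_failback=False):
    """Feed a sequence of link states through a fresh group; return the active tunnel per step."""
    group = FailoverGroup("ISP1_tunnel", "ISP2_tunnel", automatic_failback)
    return [group.update(e) for e in events]


# Constructed link-state sequence: both up, ISP1 outage, ISP1 restored, both down.
EVENTS = [
    {"ISP1_tunnel": True,  "ISP2_tunnel": True},
    {"ISP1_tunnel": False, "ISP2_tunnel": True},
    {"ISP1_tunnel": True,  "ISP2_tunnel": True},
    {"ISP1_tunnel": False, "ISP2_tunnel": False},
]

if __name__ == "__main__":
    print(simulate(EVENTS))        # stays on ISP2 after ISP1 is restored
    print(simulate(EVENTS, True))  # returns to ISP1 once it is restored
```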

Add two firewall rules allowing VPN traffic
1. Go to Firewall and click +Add Firewall Rule. Create two User/Network Rules as shown below.

Results
A ping test from a machine behind Sophos Firewall 1 to a machine behind Sophos Firewall 2 and vice versa should work.

Go to Firewall and verify that VPN rules allow ingress and egress traffic.

Go to Reports > VPN and verify the IPsec usage.

Click on the connection name for details.

Whenever the ISP1 Internet link goes down, the IPsec connection fails over to the ISP2 Internet link.

Note:

- Make sure that the VPN firewall rules are at the top of the firewall rule list.
- In a head and branch office configuration, the Sophos Firewall at the branch office usually acts as the tunnel initiator and the Sophos Firewall at the head office as the responder, for the following reasons:
  - When the branch office device is configured with a dynamic IP address, the head office device cannot initiate the connection.
  - As the number of branch offices varies, it is recommended that each branch office retry the connection instead of the head office retrying all connections to the branch offices.

Related information
Sophos XG Firewall v17: How to enable IKEv2 for IPsec VPN
Sophos Firewall: How to change firewall rule order
Sophos Firewall: How to set a Site-to-Site IPsec VPN connection using a preshared key
Sophos Firewall: How to establish a Site-to-Site IPsec VPN connection using RSA Keys
Sophos Firewall: How to establish a Site-to-Site IPsec connection using Digital Certificates
Sophos Firewall: How to apply NAT over a Site-to-Site IPsec VPN connection
Sophos Firewall: How to establish a Site-to-Site VPN connection between Cyberoam and Sophos Firewall using a preshared key
Sophos Firewall: How to create a hub and spoke IPsec VPN
Sophos Firewall: Troubleshooting steps when traffic is not passing through the VPN tunnel


Previous article ID: 123305
