Multiple SSIDs with Cisco Access Points

In this example I will show you how to configure multiple SSIDs on a dual-band autonomous Cisco access point. The interface “Dot11Radio0” is for 2.4 GHz and “Dot11Radio1” for 5 GHz. We will configure three SSIDs for different VLANs.

Create your VLANs for your wireless network:

dot11 vlan-name Intern vlan 1
dot11 vlan-name Scanner vlan 10
dot11 vlan-name Guest vlan 20

Create your SSIDs, each bound to its VLAN. All three use WPA2-PSK; give every SSID its own pre-shared key, otherwise anyone who knows the guest key can also join the internal SSID:

dot11 ssid TestIntern
vlan 1
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestScanner
vlan 10
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]
!
dot11 ssid TestGuest
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii [Your PreSharedKey]

Configuration of the 2.4 GHz interface:

interface Dot11Radio0
no ip address
!
encryption mode ciphers aes-ccm
! aes-ccm (AES-CCMP) is the WPA2 cipher; it is configured per VLAN:
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
stbc
beamform ofdm
mbssid
station-role root

Sub-interfaces for VLAN-tagging:

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

The same configuration for the 5 GHz interface:

interface Dot11Radio1
no ip address
!
encryption mode ciphers aes-ccm
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 10 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid TestGuest
!
ssid TestIntern
!
ssid TestScanner
!
antenna gain 0
no dfs band block
stbc
beamform ofdm
mbssid
channel dfs
station-role root
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio1.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 spanning-disabled
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding

Now we need to bridge the wireless traffic into the wired network:

interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
bridge-group 20
bridge-group 20 spanning-disabled
no bridge-group 20 source-learning

The management IP address is configured on the bridge interface (BVI1, which belongs to VLAN 1):

interface BVI1
ip address 192.168.1.50 255.255.255.0

Keep in mind that the “native” encapsulation in this example is untagged VLAN 1, so if you configure a VLAN trunk to the access point, VLAN 1 has to be the untagged (native) VLAN on the switch port. Note also that the management address on BVI1 lives in VLAN 1, the same VLAN as the TestIntern SSID, so internal wireless clients can reach the AP's management interface; the guest VLAN 20 is kept in its own bridge group and only reaches it through whatever routing exists upstream of the AP.
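Added example (not from the original post, not Cisco code): a small Python audit that parses an autonomous-AP configuration in the form shown above and reports SSIDs that are not bound to a VLAN or lack WPA2 key management, radios that advertise an SSID without an AES-CCM cipher for its VLAN (or with a weaker one such as TKIP), and VLANs that have no dot1Q sub-interface on the radio or whose bridge-group does not match the wired side. The SAMPLE_CONFIG inside it is a constructed excerpt with three deliberate mistakes; feed it the output of show running-config to check a real AP.

```python
"""Audit an autonomous Cisco AP config for SSID / VLAN / cipher consistency.

Added example, not from the original post. Checks that every SSID is bound to
a VLAN with WPA2 key management, that each radio advertising it has AES-CCM
for that VLAN, and that the VLAN is bridged on the radio with the same
bridge-group as on the wired side. SAMPLE_CONFIG is a constructed excerpt.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
dot11 ssid TestGuest
 vlan 20
 authentication open
 authentication key-management wpa version 2
interface Dot11Radio0
 encryption vlan 20 mode ciphers tkip
 ssid TestGuest
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface Dot11Radio1
 ssid TestGuest
interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
"""

BLOCK_START = re.compile(r"^(dot11 ssid|interface)\s+(\S+)$")
CIPHER = re.compile(r"^encryption vlan (\d+) mode ciphers (\S+)$")


def parse_blocks(text):
    """Group lines into (kind, name, sub-lines). '!' separators and indentation
    are ignored, so pasted 'show running-config' output works as-is."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        m = BLOCK_START.match(line)
        if m:
            current = (m.group(1), m.group(2), [])
            blocks.append(current)
        elif current is not None:
            current[2].append(line)
    return blocks


def audit(config_text):
    """Return a list of findings; an empty list means the config is consistent."""
    ssids, radios = {}, {}
    radio_subifs, wired = defaultdict(dict), {}      # vlan -> bridge-group
    for kind, name, lines in parse_blocks(config_text):
        if kind == "dot11 ssid":
            vlans = [int(l.split()[1]) for l in lines if l.startswith("vlan ")]
            ssids[name] = {"vlan": vlans[0] if vlans else None,
                           "wpa2": "authentication key-management wpa version 2" in lines}
        elif "." in name:                               # dot1Q sub-interface
            parent, vlan, bg = name.split(".")[0], None, None
            for l in lines:
                if l.startswith("encapsulation dot1Q "):
                    vlan = int(l.split()[2])
                elif re.fullmatch(r"bridge-group \d+", l):
                    bg = int(l.split()[1])
            if vlan is not None and parent.startswith("Dot11Radio"):
                radio_subifs[parent][vlan] = bg
            elif vlan is not None:
                wired[vlan] = bg
        elif name.startswith("Dot11Radio"):             # radio main interface
            r = radios.setdefault(name, {"ciphers": {}, "ssids": []})
            for l in lines:
                m = CIPHER.match(l)
                if m:
                    r["ciphers"][int(m.group(1))] = m.group(2)
                elif l.startswith("ssid "):
                    r["ssids"].append(l.split()[1])

    findings = []
    for name, s in ssids.items():
        if s["vlan"] is None:
            findings.append(f"SSID {name}: not bound to a VLAN")
        if not s["wpa2"]:
            findings.append(f"SSID {name}: WPA2 key management not configured")
    for radio, r in radios.items():
        for ssid in r["ssids"]:
            vlan = ssids.get(ssid, {}).get("vlan")
            if vlan is None:
                continue
            cipher = r["ciphers"].get(vlan)
            if cipher is None:
                findings.append(f"{radio}: no encryption cipher for VLAN {vlan} (SSID {ssid})")
            elif cipher != "aes-ccm":
                findings.append(f"{radio}: weak cipher '{cipher}' for VLAN {vlan} (SSID {ssid})")
            bg = radio_subifs[radio].get(vlan)
            if bg is None:
                findings.append(f"{radio}: no dot1Q sub-interface for VLAN {vlan} (SSID {ssid})")
            elif wired.get(vlan) != bg:
                findings.append(f"{radio}: VLAN {vlan} is in bridge-group {bg} but the wired side is not")
    return findings
```

An empty result means every advertised SSID has a VLAN, a WPA2 cipher on each radio and a bridge path that ends in the same bridge-group on the Ethernet sub-interface; anything else is printed as one finding per problem.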

 

Have a nice weekend! 🙂

 

Enabling advanced CLI on HP v1910 Switches

I always thought that the command line of the Comware-based 1910/1920 switches was limited because they are the “cheap” models. But I found out how to enable the full CLI, so the devices can be configured like a 5000-series switch.

You can enable the full CLI with the following command:

<HP 1920G Switch>_cmdline-mode on
All commands can be displayed and executed. Continue? [Y/N]y
Please input password:**********************
Warning: Now you enter an all-command mode for developer’s testing, some commands may affect operation by wrong use, please carefully use it with our engineer’s direction.

[screenshot: hp-advanced-cli]

The password to enable this mode is:

Jinhua1920unauthorized

Hewlett-Packard… really??? (Jinhua is a prefecture-level city in central Zhejiang province in eastern China.) You can now (finally) configure your switch with the familiar Comware commands:

[screenshot: hp-advanced-cli-dis_cur]

The advanced CLI mode has to be re-enabled in every new Telnet/SSH session. Keep in mind that this password is hard-coded in the firmware and identical on every 1910/1920, so it offers no protection of its own: anyone who can log in to the switch CLI can enable the full command set. Treat the management login itself as the security boundary, prefer SSH over Telnet and restrict management access to trusted networks. I'm very happy that I discovered this. I hope it helps you a lot!

 

Have a nice and sunny weekend! 🙂

 

 

Secure Exchange Webservices with Sophos UTM WAF

Current status of this guide: 18 July 2016 (Exchange 2016 compatible)

There are many tutorials about securing Exchange web services with the Webserver Protection (WAF) of the Sophos UTM, but some are outdated or no longer work. So I will show you a working configuration and keep this tutorial up to date. Log in to the Sophos UTM WebAdmin, deactivate the existing DNAT rule that forwards HTTPS to the Exchange server (the WAF terminates the connection instead), and configure your Exchange server under “Real Webservers”:

[screenshot: waf-realserver]

Upload your SSL certificate to the Sophos UTM certificate store so the site can be published via the virtual webservers:

[screenshot: waf-certificate]

There are three Exchange web services to publish: ActiveSync for push mail on mobile devices, Outlook Anywhere (RPC over HTTP, plus MAPI over HTTP on Exchange 2013 SP1 and later) for Outlook clients, and Outlook Web App for reading mail in the browser. I combined all of them in a single firewall profile and built a second profile for Autodiscover.

Firewall profile for Autodiscover:

[screenshot: waf-firewall-autodiscover]

Skip filter rules (ModSecurity rule IDs):

960015
960911

Static URL Hardening (entry URLs):

/autodiscover
/Autodiscover

Firewall profile for OWA:

[screenshot: waf-firewall-owa]

Skip filter rules (ModSecurity rule IDs):

960015
981203
960010
960018
981204
960032
981176

Static URL Hardening (entry URLs):

/ecp
/ECP
/ews
/EWS
/Microsoft-Server-ActiveSync
/oab
/OAB
/owa
/OWA
/rpc
/RPC
/mapi
/MAPI
/

After this you need to configure the two virtual webservers for the URLs autodiscover.company.com and owa.company.com:

[screenshot: waf-virtual-autodiscover]

[screenshot: waf-virtual-owa]

At the end you need to configure exceptions to make everything work. We will configure four exceptions for specific paths:

Title: AV exception for OWA
Skip: Antivirus
Virtual Webserver: “Exchange OWA”
for paths:
/owa/ev.owa*
/OWA/ev.owa*

Title: exception for autodiscover
Skip: Static URL Hardening
Virtual Webserver: “Exchange Autodiscover”
for paths:
/autodiscover/*
/Autodiscover/*
Advanced: Never change HTML during Static URL Hardening or Form Hardening

Title: exception for OWA
Skip: Static URL Hardening
Virtual Webserver: “Exchange OWA”
for paths:
/ecp/*
/ECP/*
/ews/*
/EWS/*
/Microsoft-Server-ActiveSync*
/oab/*
/OAB/*
/owa/*
/OWA/*

Advanced: Never change HTML during Static URL Hardening or Form Hardening

Title: exception for Outlook Anywhere
Skip: (everything:) Antivirus, Static URL Hardening, Form Hardening, Cookie Signing, Bad Reputation, Outbound HTTP Policy, Protocol Anomalies, Protocol Violations, Bad Robots, Request Limits, SQL Injection Attacks, Generic Attacks, Trojans, Tight Security, XSS Attacks
Virtual Webserver: “Exchange OWA”
for paths:
/rpc/*
/RPC/*
/mapi/*
/MAPI/*

Note that this last exception switches off every WAF check for /rpc and /mapi. Requests to these paths are then protected only by the Exchange authentication behind them, so keep the path list limited to exactly what Outlook Anywhere needs.

Feel free to discuss this in the comments. I saw some “ModSecurity” messages at one of my customers and additionally skipped the rules 981176, 960009, 900000, 960911, 960904 and 960035, whereupon Outlook Anywhere stopped working! I don't know why skipping some rules breaks the RPC service… just keep that in mind. I'm using the above configuration at all of my customers.
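Added example, not part of the original tutorial and not Sophos code: a Python model of the four exceptions above that answers, for a given virtual webserver and request path, which WAF checks are skipped and which still apply. It assumes that UTM exception paths are matched case-sensitively with a trailing “*” as wildcard (the reason every path is listed in both spellings), that the query string is not part of the match, and that the skips of several matching exceptions add up; the check names are the ones listed in the Outlook Anywhere exception.

```python
"""Which Sophos UTM WAF checks still apply to a given Exchange request path?

Added example, not from the original tutorial and not Sophos code. Models the
four exceptions as (virtual webserver, path patterns, skipped checks).
Assumptions: case-sensitive match, trailing '*' matches any suffix, the query
string is ignored, and the skips of all matching exceptions are combined.
"""
import fnmatch

# Every WAF check named in the Outlook Anywhere exception of the tutorial.
ALL_CHECKS = frozenset({
    "Antivirus", "Static URL Hardening", "Form Hardening", "Cookie Signing",
    "Bad Reputation", "Outbound HTTP Policy", "Protocol Anomalies",
    "Protocol Violations", "Bad Robots", "Request Limits",
    "SQL Injection Attacks", "Generic Attacks", "Trojans", "Tight Security",
    "XSS Attacks",
})

EXCEPTIONS = [
    {"title": "AV exception for OWA", "vserver": "Exchange OWA",
     "skip": {"Antivirus"}, "paths": ["/owa/ev.owa*", "/OWA/ev.owa*"]},
    {"title": "exception for autodiscover", "vserver": "Exchange Autodiscover",
     "skip": {"Static URL Hardening"},
     "paths": ["/autodiscover/*", "/Autodiscover/*"]},
    {"title": "exception for OWA", "vserver": "Exchange OWA",
     "skip": {"Static URL Hardening"},
     "paths": ["/ecp/*", "/ECP/*", "/ews/*", "/EWS/*",
               "/Microsoft-Server-ActiveSync*", "/oab/*", "/OAB/*",
               "/owa/*", "/OWA/*"]},
    {"title": "exception for Outlook Anywhere", "vserver": "Exchange OWA",
     "skip": set(ALL_CHECKS), "paths": ["/rpc/*", "/RPC/*", "/mapi/*", "/MAPI/*"]},
]


def resolve(vserver, path):
    """Return (matched exception titles, skipped checks, checks still applied)."""
    path = path.split("?", 1)[0]          # assumption: patterns match the path only
    matched, skipped = [], set()
    for exc in EXCEPTIONS:
        if exc["vserver"] != vserver:     # exceptions are bound to one virtual webserver
            continue
        if any(fnmatch.fnmatchcase(path, pattern) for pattern in exc["paths"]):
            matched.append(exc["title"])
            skipped |= exc["skip"]
    return matched, skipped, ALL_CHECKS - skipped


def uninspected_paths(vserver, paths):
    """Paths from the list on which the WAF would perform no check at all."""
    return [p for p in paths if not resolve(vserver, p)[2]]
```

The point to take away: a request to /Rpc/… in a spelling that is not listed hits the full rule set (and is what breaks Outlook Anywhere), while everything under /rpc/ and /mapi/ passes through with no WAF inspection at all, so those paths rely entirely on Exchange authentication.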

 

 

The meaning of the Cisco WLC Ports

[screenshot: wlc-ports]

  • “management”
    The main interface, bound to the physical ports. On the WLC 5520 the “management” interface lies on the installed 10 Gbit ports “Port 1” and “Port 2”. When you activate the LAG function, all physical ports (except the yellow copper ports) are bound into one LAG. Enabling or disabling LAG is only possible while the WLC is not configured for “Redundancy SSO” / high availability. In an HA environment the configured IP address is a virtual IP address shared by both WLCs; if the primary WLC fails, the secondary takes over the management IP. The management IP is the target for all your access points.
  • “redundancy-management” (M)
    Besides the redundancy port, a second interface for heartbeats. It also provides SSH access, and every HA node / WLC has its own IP address on it. If the HA pair is broken, for example, you can reach the standby controller directly for debugging, troubleshooting and rebooting the system (the “reset system” command ^^). This interface automatically gets the same VLAN tag as the “management” interface.
  • Serial line / COM port (IOIOI)
    The serial console of the WLC, accessible at 9600 baud. The initial configuration is done on this port. If a WLC has no configuration (factory default), an auto-install process starts after 60 seconds; you can abort it by answering the prompt with “n” or “no”.
  • “service-port” (SP)
    An additional port for reaching the device via SSH or the web interface. If the device is configured for high availability, the service port only accepts SSH logins. There is no way to configure a VLAN tag or a gateway on it, so you have to come from the same subnet or connect from another network via source NAT. Its IP address must be in a different subnet from the “management” interface.
  • “redundancy-port” (RP)
    The redundancy port carries the configuration sync and the keep-alive UDP packets (heartbeat). The default heartbeat timer is 100 milliseconds. Its IP address is configured automatically when you activate “Redundancy SSO” / high availability: the first two octets are 169.254 and the last two are taken from the “redundancy-management” address. The physical ports can be connected directly with a copper cable or transported through a VLAN. The RP has no VLAN tag configuration, so the directly connected switch port has to be an access port with the VLAN untagged.

Updating Cisco ASA HA Cluster

Last week I updated a Cisco ASA HA cluster for a customer project. The customer runs about 200 EasyVPN and IPsec site-to-site VPN connections, and our goal was to update the HA cluster without an interruption. The installed firmware version was 8.6(1)2 and we wanted to go straight to 9.4(2)11. I used two notebooks, each connected directly to a console port. After copying the file from TFTP to flash we saw the message “No Cfg structure found in downloaded image file”: version 8.6 cannot handle the file format of the 9.4 image. So we had to insert an intermediate step and installed version 9.1.3 first and 9.4.2 afterwards. Here is a table for your upgrade path:

 

Current ASA Image                              | First Upgrade   | Final Upgrade
8.2.x                                          | 8.4.6           | 8.4.7 or later, 9.1.3 or later
8.3.x                                          | 8.4.6           | 8.4.7 or later, 9.1.3 or later
8.4.1 through 8.4.4.10                         | 8.4.6, 9.0.2    | 8.4.7 or later, 9.1.3 or later
8.5.x                                          | 9.0.2           | 9.1.3 or later
8.6.1                                          | 9.0.2           | 9.1.3 or later
9.0.1                                          | 9.0.2           | 9.1.3 or later
9.0.1.1 and later (including 9.0.2 and later)  | Not applicable  | 9.1.3 or later
9.1.1                                          | 9.1.2           | 9.1.3 or later
9.1.1.1 and later                              | Not applicable  | 9.1.3 or later

The following list shows the update steps for a Cisco ASA HA cluster (primary and secondary unit). If you need an intermediate version, repeat steps 3-10 for it:

1. Save the configuration (write memory) and document your configuration (pager lines 0; show run)
2. View the boot variables (show bootvar)
3. Copy the firmware image and ASDM image from TFTP to flash (copy tftp flash)
4. Set the primary device to standby (no failover active)
5. Set the boot firmware and ASDM image (delete the old “boot system xxx” entry and configure the new image to boot)
6. reload
7. Check the HA cluster status (show failover state)
8. Set the primary device as active again (failover active)
9. Repeat steps 2-6
10. Save the configuration (write memory)
11. Restart the secondary device (failover reload-standby)
12. Check the HA cluster status (show failover state)
13. Save the configuration (write memory) and document your configuration (pager lines 0; show run)
14. Compare both configurations (the one saved before the update and the current one with the new firmware; Notepad++ works well for this)

 

There are several different failover states.

One host is down or rebooting:

This host – Primary Active
Other host – Secondary Failed

While syncing:

This host – Primary Active
Other host – Bulk Sync

Cluster running in good state:

This host – Primary Active
Other host – Secondary Standby Ready

After updating the Cisco ASA cluster (with the unexpected intermediate step) all VPN tunnels were working fine; nobody had a disconnect 🙂
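Added example, not from the original post and not Cisco code: a Python helper that parses the output of “show failover state” (steps 7 and 12 above) and only reports the pair as ready for the next reload when this host is Active and the other host is Standby Ready. The sample outputs are constructed to follow the layout of the ASA command, and the list of state names is my assumption; it covers the three states described above plus the transitional ones a unit passes through while it reboots.

```python
"""Parse 'show failover state' and decide whether the next upgrade step is safe.

Added example, not from the original post. Only 'Active' on this host plus
'Standby Ready' on the other host means the pair is in sync and the next
reload may proceed. Sample outputs are constructed; the state names are an
assumption covering the states seen while one member reboots.
"""
import re

KNOWN_STATES = sorted(
    ["Active", "Standby Ready", "Failed", "Bulk Sync", "Negotiation",
     "Cold Standby", "Just Active", "Sync Config", "Sync File System", "Disabled"],
    key=len, reverse=True)            # longest first so 'Standby Ready' wins over shorter names

HOST_LINE = re.compile(r"^\s*(This|Other) host\s*-\s*(\S+)(.*)$")


def _state_in(text):
    """Return the failover state that starts the given text, or None."""
    s = text.strip()
    for state in KNOWN_STATES:
        if s.startswith(state) and (len(s) == len(state) or s[len(state)].isspace()):
            return state
    return None


def parse_failover_state(output):
    """Return {'this': {'role': .., 'state': ..}, 'other': {...}}.

    The ASA prints the role on the 'This host'/'Other host' line and the
    state on the following line; both positions are checked."""
    lines = output.splitlines()
    hosts = {}
    for i, line in enumerate(lines):
        m = HOST_LINE.match(line)
        if not m:
            continue
        state = _state_in(m.group(3))
        if state is None and i + 1 < len(lines):
            state = _state_in(lines[i + 1])
        hosts[m.group(1).lower()] = {"role": m.group(2), "state": state}
    if set(hosts) != {"this", "other"}:
        raise ValueError("output does not contain both 'This host' and 'Other host'")
    return hosts


def ready_for_next_step(hosts):
    """True only when this unit is Active and the peer is Standby Ready."""
    return hosts["this"]["state"] == "Active" and hosts["other"]["state"] == "Standby Ready"


def explain(hosts):
    """Map the peer state to the situations described in the post."""
    other = hosts["other"]["state"]
    if other == "Standby Ready":
        return "cluster running in good state"
    if other == "Bulk Sync":
        return "peer is still syncing, wait"
    if other == "Failed":
        return "peer is down or rebooting"
    return f"peer state {other!r}: check before continuing"


# Constructed sample output in the layout printed by 'show failover state'.
HEALTHY = """\
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Active         None
Other host -   Secondary
               Standby Ready  Comm Failure             10:02:31 UTC Jul 14 2016

====Configuration State===
        Sync Done
====Communication State===
        Mac set
"""
PEER_REBOOTING = HEALTHY.replace("Standby Ready  Comm Failure", "Failed         Comm Failure")
PEER_SYNCING = HEALTHY.replace("Standby Ready  Comm Failure", "Bulk Sync      None        ")
```

Paste the command output into parse_failover_state and gate every reload on ready_for_next_step; a Bulk Sync or Failed peer means the configuration is not yet replicated and a reload now would take the whole cluster down.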

Sophos released UTM Update 9.404-5

Sophos released a new maintenance release for the UTM. Connected REDs and Wifi APs will perform a firmware upgrade.
Fixes:

NUTM-1775 [Access & Identity] 35668: DHCP Broadcast over all RED LAN ports causing wrong IP address assignment
NUTM-1784 [Access & Identity] implement “TLS 1.2 only” switch for RED to UTM communication
NUTM-2404 [Access & Identity] 36172: RED15 has loaded fallback network config
NUTM-2841 [Access & Identity] 36224: WARNING: CPU: 1 PID: 0 at net/netfilter/nf_conntrack_expect.c:51 nf_ct_unlink_expect_report+0x5e/0xd1 [nf_conntrack]()
NUTM-3415 [Access & Identity] PPTP VPN with an IP Pool 172.16.0.0/20 doesn’t work correctly
NUTM-3439 [Access & Identity] After upgrade to 9.4 and using SSL VPN the IPv4 traffic is not going over the full tunnel
NUTM-3536 [Access & Identity] RED15 traffic not possible, red_server reports “Unable to get proc entry”
NUTM-3719 [Access & Identity] mdw errors when configuring a RED device
NUTM-3735 [Access & Identity] SSL VPN IP pool should not be usable without IPv4
NUTM-3757 [Access & Identity] SSL VPN: don’t push IPv6 interface address if no IPv6 route is pushed
NUTM-3763 [Access & Identity] SSL VPN client cannot be downloaded from userportal with IE
NUTM-3843 [Access & Identity] SSL VPN route injection into OSPF not working properly after update to 9.4
NUTM-3867 [Access & Identity] SMC: WEP passwords are not pushed correctly
NUTM-3924 [Access & Identity] PPTP and iOS with config from userportal doesn’t work properly
NUTM-3934 [Access & Identity] RED: CON_CLOSE provide information to UTM if peer is not stable enough
NUTM-3962 [Access & Identity] IPsec doesn’t work with SHA2
NUTM-4173 [Access & Identity] Since Update to 9.4 IPsec site-to-site connections won’t work after pppoe reconnect
NUTM-3982 [Basesystem] Errors in Notifications Database
NUTM-2677 [HA/Cluster] 36293: The Slave node in HA doesn’t show any resource usage
NUTM-2235 [Network] 35662: Additional adresses of a PPPoE interface are not reachable after takeover
NUTM-3684 [Network] APN can’t be changed if LTE is selected as network
NUTM-3061 [Reporting] Remote Access filtering is not working correctly if the username contains a “\” sign
NUTM-3662 [Reporting] wrong descriptions for CRIT-065 and INFO-007 in MIB file
NUTM-3753 [Reporting] Remote Access Accounting not recording L2TP sessions
NUTM-4306 [Reporting] postgres[xxxxx]: [x-x] STATEMENT: select src_ip, virt_ip, virt_ip6, logintime, service from vpn where status = 0 and logintime = logouttime LIMIT 1000
NUTM-3689 [SUM] device agent claims SUM objects
NUTM-3028 [Virtualization] HyperV interface handling (9.4)
NUTM-3482 [WAF] form template unchanged with update from 9.355 to 9.4
NUTM-3694 [WAF] Customized mod_security rule didn’t work correctly
NUTM-3748 [WAF] Content length and content get lost when using form-harding
NUTM-4119 [WAF] SSL is not used to transfer sticky session cookies
NUTM-3172 [WebAdmin] Support tools – PPPoE shows itfhw instead of vlantag
NUTM-3113 [Web] Proxy freeze after Savi update
NUTM-3118 [Web] “Remove embedded objects” / “Disable JavaScript” shows script code
NUTM-3367 [Web] “Unblock URL” button is displayed even when “Users/Groups Allowed to Bypass Blocking” is empty
NUTM-3485 [Web] HTTP Proxy profile matching doesn’t work for DNS groups which contain IPv6 addresses
NUTM-3550 [Web] frox segfaults/core dumps while uploading files
NUTM-3554 [Web] Error returned from samba command on AD sync
NUTM-3617 [Web] Sandstorm Database Error
NUTM-3710 [Web] New exception regex for Chrome Update
NUTM-3844 [Web] If using a ‘ character in file name, postgres is not able to insert this to the TransactionLog (Sandbox)
NUTM-3920 [Web] Sandbox: cleaning up old data in TransactionLog on slave nodes raises postgres errors
NUTM-4055 [Web] HTTP Proxy causing weird log entries in uma.log
NUTM-3039 [WiFi] RADIUS authentication failover via Availability Group not working correctly
NUTM-3072 [WiFi] Hotspot: race condition if multiple logins per MAC
NUTM-3472 [WiFi] wireless.log – download_ca: CA fingerprint overwritten by TA / No trusted fingerprint found in certificate chain HUB.
NUTM-3760 [WiFi] WIFI profile pushed to SMC using same name
NUTM-4117 [WiFi] Mesh AP’s all go down and do not come back up
NUTM-4151 [WiFi] AP30 (possibly other models) not becoming active anymore after update to >= 9.400
NUTM-4126 [[Backend/Devel] Confd] Clean up of duplicate Domain-Regex
NUTM-4142 [[Backend/Devel] Confd] Remote Access Manager can’t deactivate a VPN profile with groups
NUTM-4158 [[Backend/Devel] Confd] confd[xxx]: parse_formats: unrecognized tag format: FUNC__XXX
NUTM-4160 [[Backend/Devel] Confd] Accessing WebAdmin as non-superuser repeatedly raises “NODE_READ_DENIED” error on confd node “migration->tab_visibility”

 

Download (FTP): u2d-sys-9.403004-404005.tgz.gpg

Download (HTTP): u2d-sys-9.403004-404005.tgz.gpg

A documentation of the different Sophos UTM layers

Sophos UTM consists of many open source services, each responsible for a different function. Web Protection is a Squid proxy that can be used via the proxy IP or in transparent mode; the IPsec VPN service “pluto” comes from strongSwan, and so on. A data packet runs through many of these layers, and I tried to figure out in which order this happens. I hope the order is correct :->

[diagram: utm-layer]

Feel free to correct me in the comments. I will be on vacation in Las Vegas and will answer after my holiday. I wish you a nice weekend! See you!

Sophos released Update 9.402-7

  • Maintenance Release
  • System will be rebooted
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Changelog:

NUTM-1955 [Access & Identity] 35658: VLAN Interface on top of a bridge disappears from Slave after Reboot
NUTM-1958 [Access & Identity] 34242: Communication error with Amazon AWS server
NUTM-2129 [Access & Identity] 36050: File Copy from network share over RED50 does not work in one direction
NUTM-2234 [Access & Identity] 35592: Backup from 220 to 230 caused eth3 to exist two times
NUTM-2449 [Access & Identity] 36228: RED Server sends more peers as peers are configured
NUTM-2706 [Access & Identity] Still coredumps from argos after installing the new fix from mantis 35353
NUTM-2842 [Access & Identity] 35423: irqd: Support more than 32 cpus
NUTM-2844 [Access & Identity] 36028: 82546GB Gigabit Ethernet Controller: Reset adapter / Detected Tx Unit Hang
NUTM-2950 [Access & Identity] RED15: fix dnsmasq for transparent/split
NUTM-3049 [Access & Identity] 36382: reds-interface does not get IP after re-activating RED device
NUTM-3083 [Access & Identity] IPv6 address in log line shortened
NUTM-3190 [Access & Identity] IPsec site-to-site: Limit of listening interfaces of 300
NUTM-3252 [Access & Identity] High disk I/O during pattern update on smaller UTM appliances
NUTM-3522 [Access & Identity] RED15 with static uplink and dns name as utm hostname doesn’t work correctly
NUTM-3661 [Access & Identity] After deleting red15w mdw crashes
NUTM-1371 [Basesystem] 35523: adbs-maintenance.plx – ERROR: canceling autovacuum task – waits for ShareUpdateExclusiveLock/AccessExclusiveLock
NUTM-1798 [Basesystem] 35862: Confd doesn’t check for valid local time which can lead to dashboard error
NUTM-2804 [Basesystem] 36226: Network Utillization on HW LCD doesn’t match iftop and webadmin values
NUTM-3325 [Email] Bug on Malware scanning UI Text
NUTM-3558 [Email] Sandbox result shows up in messages
NUTM-3575 [Email] Detailed view defective for Sandstorm pending mails
NUTM-3582 [Email] smtpd sometimes gets stuck when creating a cluster
NUTM-3620 [Email] Add capabilities to Quarantine manager’s spool tab to handle multiple items for the same massage
NUTM-2015 [HA/Cluster] Prevent users from changing postgres_secret
NUTM-2290 [HA/Cluster] Prevent backup import from changing postgres_secret
NUTM-2677 [HA/Cluster] 36293: The Slave node in HA doesn’t show any resource usage
NUTM-1956 [Network] 35582: flow monitor invents traffic on wlan1 interface
NUTM-2236 [Network] 34828: don’t start dhclient without interface
NUTM-3156 [Network] Slave interface IP where WAF is listen to get lost after a while
NUTM-3304 [Network] nic-naming: Provide a fix for delayed 210r2 software support
NUTM-3176 [Reporting] In web usage reporting some domains show up as only the suffix
NUTM-2779 [WAF] WAF – Slow HTTP error messages do not match the description
NUTM-3175 [WebAdmin] It is not possible to select a vlan interface for the “Ping Check”
NUTM-3177 [WebAdmin] Sort function in EPP manage computer didn’t work correctly
NUTM-3184 [WebAdmin] Etc\Greenwich set as timezone causes error on dashboard
NUTM-3185 [WebAdmin] Issues while using the “Search Log Files” tab in the “View Log Files” part of webadmin
NUTM-3311 [WebAdmin] Remove Support for TLS v1.0 from Apache Configuration
NUTM-3109 [Web] Proxy stops working without segfault or hint in the logs
NUTM-3114 [Web] ADSSO join didn’t work with special characters like \xF6
NUTM-3123 [Web] HTTP Log is flooded with “Server delivered only 0 of X bytes” messages
NUTM-3124 [Web] HTTP proxy intermittently stuck in ‘recv: Input/output error’
NUTM-3577 [Web] High CPU Load after update to 9.4
NUTM-3076 [WiFi] Split network modes do not work with RED15w
NUTM-3418 [WiFi] RED15w forgets its wireless encryption key after reboot
NUTM-3188 [[Backend/Devel] Confd] Domain-Regex object deployed from SUM will be created more than once
NUTM-3189 [[Backend/Devel] Confd] Auto packetfilter rule is not updated if the destination service object of a NAT will be changed

FTP Link: ftp://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.401011-402007.tgz.gpg

HTTP Link: http://ftp.astaro.com/UTM/v9/up2date/u2d-sys-9.401011-402007.tgz.gpg

Sophos UTM IPSec Fallback with different vendor

During a firewall migration at one of my customers, the IT director asked me if we could configure IPsec fallback for the branch offices. The remote devices are all from Bintec and there are over 30 branch offices. First, correct the NAT settings on all devices with this tutorial, which I blogged last year.

Now we configure the remote Bintec device. Go to VPN/IPsec. The phase 1 and phase 2 settings shown here are an example; you can choose whatever your policy requires, as long as both sides match:

[screenshot: bintec-phase1]

[screenshot: bintec-phase2]

[screenshot: bintec-sa-status]

This is the main VPN setting:

[screenshot: bintec-vpn1]

This is the backup VPN setting:

[screenshot: bintec-vpn2]

This is the configuration of the Sophos UTM.

IPsec policy:

[screenshot: ipsec-policy]

Remote gateway:

[screenshot: remote-gateway]

Main VPN over the Unitymedia line:

[screenshot: ipsec1]

Backup VPN over the Versatel line:

[screenshot: ipsec2]

It's important to activate “Bind tunnel to local interface”, because we will now work with multipath rules. Go to Interfaces & Routing / Interfaces / Multipath Rules and add two rules:

[screenshot: multipath-rules]

Now the remote network 192.168.22.0/24 is reachable over both WAN interfaces, with one tunnel bound to each:

[screenshot: ipsec-view]

If you disconnect the main line (in this example Unitymedia), the VPN stays up for over a minute. Be patient when you ping your remote device: after about a minute the ping comes back, because by then both sides have recognized (through their dead peer detection timeouts) that the main VPN tunnel is down and the multipath rule now leads to the second line (Versatel). When the main line is back, the first multipath rule becomes active immediately.

 

 
