Sophos UTM IPSec Fallback with different vendor

During a firewall migration at one of my customers, the IT director asked me whether we could configure IPsec fallback for the branch offices. The remote devices are all from Bintec, and there are over 30 branch offices out there. First, correct the NAT settings on all devices using the tutorial I blogged last year.

Now we configure the remote Bintec device. Go to VPN / IPsec. The settings below are just an example; you can choose whichever proposals you want:

[Screenshot: bintec-phase1]

[Screenshot: bintec-phase2]

[Screenshot: bintec-sa-status]

This is the main VPN setting:

[Screenshot: bintec-vpn1]

This is the backup VPN setting:

[Screenshot: bintec-vpn2]

This is the configuration of the Sophos UTM:

IPsec Policy:

[Screenshot: ipsec-policy]

Remote gateway:

[Screenshot: remote-gateway]

Main VPN over Unitymedia line:

[Screenshot: ipsec1]

Backup VPN over Versatel line:

[Screenshot: ipsec2]

It is important that you activate "Bind tunnel to local interface", because we will now work with multipath rules. Go to Interfaces & Routing / Interfaces / Multipath Rules and add two rules:

[Screenshot: multipath-rules]

The remote network 192.168.22.0/24 is now reachable over both WAN interfaces (because the tunnels are bound to those interfaces):

[Screenshot: ipsec-view]

If you disconnect the main line (in this example Unitymedia), the VPN stays up for a little over a minute. Be patient when you ping your remote device. After about a minute your pings get replies again, because both sides have recognized that the main VPN tunnel is down and the multipath rule now routes the traffic over the second line (Versatel). When the main line comes back, the first multipath rule becomes active again immediately.
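To put a number on that outage window while you test the failover, here is an added shell snippet (not from the original post) that reads ping output and reports the longest run of missing icmp_seq values; with `ping -i 1` that is roughly the number of seconds the tunnel was unreachable. The host 192.168.22.1 and the sample ping lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Report the longest gap in ICMP reply sequence numbers from ping output.
# With one probe per second (ping -i 1), a gap of N sequence numbers is
# roughly N seconds during which no reply crossed the tunnel.

longest_gap() {
  # Reads ping output on stdin; prints the largest number of consecutive
  # missing icmp_seq values (0 if no reply was lost).
  awk '
    /bytes from/ && match($0, /icmp_seq=[0-9]+/) {
      seq = substr($0, RSTART + 9, RLENGTH - 9) + 0   # digits after "icmp_seq="
      if (have && seq - prev - 1 > gap) gap = seq - prev - 1
      prev = seq; have = 1
    }
    END { print gap + 0 }
  '
}

# Constructed sample: replies for seq 1-2, nothing until the backup tunnel
# takes over at seq 68 (note the changed ttl/time on the new path).
SAMPLE_PING='64 bytes from 192.168.22.1: icmp_seq=1 ttl=63 time=12.3 ms
64 bytes from 192.168.22.1: icmp_seq=2 ttl=63 time=12.1 ms
64 bytes from 192.168.22.1: icmp_seq=68 ttl=62 time=25.4 ms
64 bytes from 192.168.22.1: icmp_seq=69 ttl=62 time=25.0 ms'

sample_gap() {
  printf '%s\n' "$SAMPLE_PING" | longest_gap
}

# Live use during a failover test (hypothetical remote host), run for ~3 minutes:
#   ping -i 1 -c 180 192.168.22.1 | longest_gap
sample_gap
```

Run the live variant once with the main line unplugged and once when it comes back, so you can see that the switch back to the first multipath rule causes no comparable gap.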
