How to configure multipath uplinking for IPsec with a Sophos UTM

  • Article ID: 118975
  • Updated: 08 Apr 2014

This article will show you the different methods of configuring multipath uplinking for IPsec on a Sophos UTM.

There are three common scenarios for an IPsec multipath uplink setup on the UTM. The setups below are general examples; you will need to adapt them to your own network environment.

The first scenario is explained in detail. The other two work in the same way, and the small differences are noted for each case.

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM

Operating systems
UTM 9.1 or higher

What To Do

N:M connection with overlapping subnets

(Notation used for each link: local network:local public address, remote public address:remote network, link type.)

  • 192.168.10.0/24:1.1.1.1 2.2.2.2:192.168.20.0/24 IPsec over DSL/SDSL
  • 192.168.10.0/24:1.1.1.1 4.4.4.4:192.168.20.0/23 IPsec over DSL/DSL

It is common for the company's headquarters (HQ) to initiate the connection and for the branch office to respond only.

Setup of the HQ

  1. If they do not already exist, create the two external interfaces for the UTM under 'Interfaces & Routing' | 'Interfaces' | 'Interfaces' tab with the 'New interface' button.
  2. Go to 'Interfaces & Routing' | 'Interfaces' | 'Uplink balancing' tab and activate the 'Uplink status' option.
  3. Still on the 'Uplink balancing' tab, put the two external interfaces in the 'Active Interfaces' box.

    Note: The order decides which interface is the primary one and which one is used for failover.

  4. Go to 'Site-to-site VPN' | 'IPsec' | 'Remote Gateway' tab and click the 'New Remote Gateway' button. Fill in the configuration as detailed below.
    Gateway type: Initiate connection

    Gateway: Add a new gateway or choose an existing one. It should be the external address of the UTM at the other site.

    Authentication type: Here you can choose between four possibilities:
    • Preshared key
    • RSA key
    • Local X509 certificate
    • Remote X509 certificate
    Choose the one that fits your security guidelines; the branch office must be configured with the same type.

    Remote Networks: Add one or more new network objects or choose existing ones. These are the networks at the other site that should be reachable through the tunnel (for example the branch office's internal network, 192.168.20.0/24 in the scenario above).

  5. Go to 'Site-to-site VPN' | 'IPsec' | 'Connections' tab and click the 'New IPsec connection' button. Fill in the configuration as detailed below.
    Remote Gateway: Choose the one you have just created.

    Local Interface: If you have activated uplink balancing, choose 'Uplink Interfaces'.

    Policy: Choose the policy that fits your company's security guidelines; both sides must use the same policy.

    Local Networks: Choose the local networks on the UTM that should be accessible from the other side of the IPsec connection.

    Automatic Firewall Rules: It is very helpful to tick this option, as all the necessary firewall rules will be created by the UTM. However, you can also create the rules manually.

    Bind Tunnel to Local Interface: Tick this option when you want failover. If one of the two external interfaces is down or has an error, the other will take over directly.

Your HQ side of the connection is now ready for IPsec. Continue with the steps below to configure the branch office.

Setup of the branch office

  1. Go to 'Site-to-site VPN' | 'IPsec' | 'Remote Gateway' tab and click the 'New Remote Gateway' button. Fill in the configuration as detailed below.
    Gateway type: Respond only

    Gateway: Add a new gateway or choose an existing one. It should be the external address of the UTM at the other site.

    Authentication type: Use the same type that you used on the initiating side.

    Remote Networks: Add one or more new network objects or choose existing ones. These are the networks at the other site that should be reachable through the tunnel (for example the HQ's internal network, 192.168.10.0/24 in the scenario above).

  2. Go to 'Site-to-site VPN' | 'IPsec' | 'Connections' tab and click the 'New IPsec connection' button. Fill in the configuration as detailed below.
    Remote Gateway: Choose the one you have just created.

    Local Interface: Choose the normal external interface unless:
    1. you have already activated uplink balancing, and
    2. you plan to build the N:N version of an IPsec multipath connection.
    If both are true, choose 'Uplink Interfaces'.

    Policy: Choose the policy that fits your company's security guidelines; it must be the same one selected at the HQ.

    Local Networks: Choose the local networks on the UTM that should be accessible from the other side of the IPsec connection.

    Automatic Firewall Rules: It is very helpful to tick this option, as all the necessary firewall rules will be created by the UTM. However, you can also create the rules manually.

    Bind Tunnel to Local Interface: Tick this option when you want failover. If one of the two external interfaces is down or has an error, the other will take over directly.

With the configuration explained above in place, the IPsec connection will fail over if one external interface is down or has an error: the connection switches to the other interface when the first one goes down.

The following screenshots show the failover effect in the HQ WebAdmin. The first shows that the 'external1' interface is the one that initiated the IPsec tunnel. The second shows that after unplugging the Ethernet cable of interface 'external1', 'external2' has taken over and is now the active interface of the IPsec tunnel.
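Before pulling a cable to test the failover, it pays to check that the two WebAdmin configurations actually mirror each other. The following Python script is an added example, not part of the Sophos article or of the UTM product: it models the fields from the steps above as plain dictionaries (the key names are my own shorthand for the WebAdmin labels, and the addresses are constructed placeholders taken from the N:M scenario, with 1.1.1.1 and 3.3.3.3 as the two HQ uplinks and 2.2.2.2 at the branch) and reports the mismatches that most often keep such a tunnel from coming up or from failing over: gateway types that are not an initiate/respond pair, differing authentication types, Remote Networks that do not mirror the peer's Local Networks, 'Uplink Interfaces' selected without uplink balancing or without 'Bind Tunnel to Local Interface', and, one step beyond what the article says about the Gateway field, a responder Gateway object that does not cover every address the initiator can fail over to. It also flags overlapping remote networks such as the /24 and /23 of the first scenario.

```python
"""Consistency check for a two-UTM IPsec failover setup (added example)."""
import ipaddress
from itertools import combinations

# Constructed sample of the article's N:M scenario: HQ has two uplinks and
# initiates; the branch has one external interface and only responds.
# Dictionary keys are shorthand for the WebAdmin fields; addresses are placeholders.
HQ = {
    "name": "HQ",
    "external": ["1.1.1.1", "3.3.3.3"],      # Interfaces > external interfaces
    "uplink_balancing": True,                # Uplink balancing > Uplink status
    "gateway_type": "Initiate connection",   # Remote Gateway > Gateway type
    "remote_gateway": ["2.2.2.2"],           # Remote Gateway > Gateway (addresses covered)
    "auth": "Preshared key",                 # Remote Gateway > Authentication type
    "remote_networks": ["192.168.20.0/24"],  # Remote Gateway > Remote Networks
    "local_interface": "Uplink Interfaces",  # Connection > Local Interface
    "local_networks": ["192.168.10.0/24"],   # Connection > Local Networks
    "bind_tunnel": True,                     # Connection > Bind Tunnel to Local Interface
}
BRANCH = {
    "name": "branch",
    "external": ["2.2.2.2"],
    "uplink_balancing": False,
    "gateway_type": "Respond only",
    "remote_gateway": ["1.1.1.1", "3.3.3.3"],  # must accept either HQ uplink
    "auth": "Preshared key",
    "remote_networks": ["192.168.10.0/24"],
    "local_interface": "External",
    "local_networks": ["192.168.20.0/24"],
    "bind_tunnel": True,
}


def _nets(cidrs):
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def check_side(side):
    """Checks that involve only one UTM."""
    issues = []
    if side["local_interface"] == "Uplink Interfaces":
        if not side["uplink_balancing"] or len(side["external"]) < 2:
            issues.append(f"{side['name']}: 'Uplink Interfaces' selected but uplink "
                          "balancing is not active with two external interfaces")
        if not side["bind_tunnel"]:
            issues.append(f"{side['name']}: failover requires 'Bind Tunnel to Local "
                          "Interface' to be ticked")
    return issues


def check_pair(a, b):
    """Cross-checks the two ends of one site-to-site connection; [] means OK."""
    issues = check_side(a) + check_side(b)
    if {a["gateway_type"], b["gateway_type"]} != {"Initiate connection", "Respond only"}:
        issues.append(f"gateway types {a['gateway_type']!r}/{b['gateway_type']!r} are not "
                      "an 'Initiate connection'/'Respond only' pair")
    if a["auth"] != b["auth"]:
        issues.append(f"authentication types differ: {a['auth']!r} vs {b['auth']!r}")
    for me, peer in ((a, b), (b, a)):
        if _nets(me["remote_networks"]) != _nets(peer["local_networks"]):
            issues.append(f"{me['name']} Remote Networks {me['remote_networks']} do not "
                          f"mirror {peer['name']} Local Networks {peer['local_networks']}")
        # With uplink balancing and a bound tunnel the peer may initiate from any of
        # its uplinks, so our Gateway object has to cover all of them.
        uncovered = sorted(set(peer["external"]) - set(me["remote_gateway"]))
        if peer["local_interface"] == "Uplink Interfaces" and uncovered:
            issues.append(f"{me['name']} Gateway does not cover {peer['name']} uplink "
                          f"address(es) {uncovered}; the tunnel arrives from there after a failover")
    return issues


def find_overlaps(cidrs):
    """Pairs of networks that overlap, e.g. the /24 and /23 of the first scenario:
    when two tunnels have overlapping selectors, policy order decides which one
    carries a packet, so such pairs should be reviewed deliberately."""
    return [(x, y) for x, y in combinations(cidrs, 2)
            if ipaddress.ip_network(x, strict=False).overlaps(
                ipaddress.ip_network(y, strict=False))]


if __name__ == "__main__":
    for line in check_pair(HQ, BRANCH) or ["HQ and branch configurations agree"]:
        print(line)
    print("overlapping remote networks:",
          find_overlaps(["192.168.20.0/24", "192.168.20.0/23"]))
```

Run it as a script to print the findings for the sample pair; the functions return lists of messages, so an empty list from check_pair means the two sides agree. Edit the two dictionaries to match what you actually entered in WebAdmin on each UTM.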

N:N internet connection

  • 192.168.10.0/24:1.1.1.1 2.2.2.2:192.168.20.0/24 IPsec over SDSL
  • 192.168.10.0/24:3.3.3.3 4.4.4.4:192.168.20.0/24 IPsec over SDSL

This scenario is similar to the first; the only difference is that the branch office also has two external interfaces. Failover is also possible, but you have to create uplink interfaces on each side and tick the option 'Bind Tunnel to Local Interface' on both.

N:N internet connection with an additional MPLS link

  • 192.168.10.0/24:1.1.1.1 2.2.2.2:192.168.20.0/24 IPsec over SDSL
  • 192.168.10.0/24:3.3.3.3 4.4.4.4:192.168.20.0/24 IPsec over DSL
  • 10.254.254.47 10.254.254.48 MPLS network (the MPLS link is not an IPsec tunnel)

Note: If the MPLS link cannot reach the hosts that the automatic uplink monitoring checks, the monitoring will report that interface as down. We therefore recommend de-selecting the automatic monitoring option for the MPLS interface in this scenario.

If you need more information or guidance, then please contact technical support.
