How to configure IPsec Site-to-Site VPN with multipath uplink on a Sophos UTM

  • Article ID: 118975
  • Updated: 04 May 2016

This article will show different methods to configure multipath uplinks for IPsec on a Sophos UTM.

This article focuses on one common scenario. Since the setups shown are general examples, make sure to adapt the settings to your own network environment.

At the end we discuss a second common scenario, which is not described in full detail.

Known to apply to the following Sophos product(s) and version(s)
Sophos UTM

Operating systems
UTM 9.1 or higher

What To Do

N:M connection with overlapping subnets

  • 192.168.10.0/24:1.1.1.1 <-> 2.2.2.2:192.168.20.0/24 (IPsec over DSL/SDSL)
  • 192.168.10.0/24:1.1.1.1 <-> 4.4.4.4:192.168.20.0/23 (IPsec over DSL/DSL)

It is common that the office which is the company's headquarters (HQ) will initiate the connection and a branch office will respond only.

Setup of the HQ

  1. If they do not already exist, create the two external interfaces of the UTM under 'Interfaces & Routing' | 'Interfaces' | 'Interfaces' tab | 'New interface' button.
  2. Go to 'Interfaces & Routing' | 'Interfaces' | 'Uplink balancing' tab and activate the 'Uplink status' option.
  3. Still on the 'Uplink balancing' tab, put the two external interfaces into the 'Active Interfaces' box.

    Note: The order decides which interface is the primary one and which one is used for load balancing. The weight of each interface can be configured by clicking the symbol next to the interface.
  4. Go to 'Site-to-site VPN' | 'IPsec' | 'Remote Gateway' tab and click the 'New Remote Gateway' button. Fill in the configuration as detailed below.

Gateway type: Initiate connection

Gateway: Add a new gateway or choose an existing one. It should be the external address of the UTM on the other site.

Authentication type: Here you can choose between four possibilities:

  • Preshared key
  • RSA key
  • Local X509 certificate
  • Remote X509 certificate

Which one you choose is your decision.

Remote Networks: Add one or more new networks or choose existing ones. These are the networks on the other side that should be reachable through the tunnel (for example the 192.168.0.1 internal network).

  5. Go to 'Site-to-site VPN' | 'IPsec' | 'Connections' tab and click the 'New IPsec connection' button. Fill in the configuration as detailed below.

Remote Gateway: Choose the one you have just created.

Local Interface: If you have activated uplink balancing, choose 'Uplink Interfaces'.

Policy: Choose the policy you want, or the one that matches your company's security guidelines.

Local Networks: Choose the local networks on the UTM which should be accessible from the other side of the IPsec connection.

Automatic Firewall Rules: It is very helpful to tick this option, as all the necessary firewall rules will then be created by the UTM. However, you can also create the rules manually.

  6. Go to 'Interfaces & Routing' | 'Multipath Rules' and create a multipath rule as detailed below.

Name: Enter a name for the rule.

Position: Select 'Top'.

Source: Add the branch office network.

Services: Add 'Any'.

Destination: Add 'Internal (Network)'.

Itf. Persistence: Leave on the default 'By Connection'.

Note: This multipath rule binds every VPN connection to the interface it came in on. Without this setting the traffic would be load balanced across both uplinks, the remote peer would see the tunnel's packets arriving from changing source addresses, and the tunnel could not be established.

Your HQ side of the connection is now ready for IPsec. Continue with the steps below to configure the branch office.

Setup of the branch office

  1. Go to 'Site-to-site VPN' | 'IPsec' | 'Remote Gateway' tab and click the 'New Remote Gateway' button. Fill in the configuration as detailed below.

Gateway type: Respond only

Gateway: Add a new gateway or choose an existing one. It should be the external address of the UTM on the other site.

Authentication type: Use the same type that you have used on the initiating side.

Remote Networks: Add one or more new networks or choose existing ones. These are the networks on the other side that should be reachable through the tunnel (for example the 192.168.0.1 internal network).

  2. Go to 'Site-to-site VPN' | 'IPsec' | 'Connections' tab and click the 'New IPsec connection' button. Fill in the configuration as detailed below.

Remote Gateway: Choose the one you have just created.

Local Interface: Choose the normal external interface unless:

  1. you have already activated uplink balancing, and
  2. you plan to build the N:N version of an IPsec multipath connection.

If both are true, choose 'Uplink Interfaces'.

Policy: Choose the policy you want, or the one that matches your company's security guidelines.

Local Networks: Choose the local networks on the UTM which should be accessible from the other side of the IPsec connection.

Automatic Firewall Rules: It is very helpful to tick this option, as all the necessary firewall rules will then be created by the UTM. However, you can also create the rules manually.

With the configuration explained above in place, the IPsec connection fails over if one external interface is down or has an error: as the screenshots below show, the connection switches to the other interface when the first one goes down.

The following screenshots show the failover effect in the HQ WebAdmin. The first screenshot shows that the 'external1' interface is the one which initiated the IPsec tunnel. The second screenshot shows that after unplugging the Ethernet cable of interface 'external1', the 'external2' interface has taken over and is now the active one for the IPsec tunnel.
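The behaviour of the multipath rule described in step 6 and the failover shown in the screenshots, as a simplified model added here (not Sophos code). It assumes uplinks in priority order, a rule with 'By Connection' persistence that pins a connection to the interface it arrived on, and failover to the first live uplink; the addresses and the `conn` dictionary are constructed sample values.

```python
"""Added example, not Sophos code: simplified model of uplink balancing, the
'By Connection' multipath rule and failover as described in this article."""
from dataclasses import dataclass
import ipaddress

@dataclass
class Uplink:
    name: str
    address: str      # constructed sample addresses, as in the article's diagrams
    weight: int = 1
    up: bool = True

@dataclass
class MultipathRule:
    source: str       # e.g. the branch office network
    destination: str  # e.g. the HQ internal network
    persistence: str = "By Connection"

def rule_matches(rule, src_ip, dst_ip):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination))

def pick_uplink(uplinks, rules, conn, packet_no):
    """Uplink a packet of `conn` (src, dst, arrived_on) leaves on. Without a matching
    rule the live uplinks are used weighted round-robin, so one IPsec connection
    would show the peer several source addresses. With 'By Connection' persistence
    it stays on the arrival interface, or moves to the first live uplink if that is down."""
    live = [u for u in uplinks if u.up]
    if not live:
        raise RuntimeError("no active uplink")
    if any(r.persistence == "By Connection" and rule_matches(r, conn["src"], conn["dst"])
           for r in rules):
        return next((u for u in live if u.name == conn["arrived_on"]), live[0])
    pool = [u for u in live for _ in range(u.weight)]   # expand by weight, then rotate
    return pool[packet_no % len(pool)]

def egress_addresses(uplinks, rules, conn, packets=8):
    """External addresses the peer sees for one connection of `packets` packets."""
    return {pick_uplink(uplinks, rules, conn, i).address for i in range(packets)}

def demo():
    ext1, ext2 = Uplink("external1", "1.1.1.1"), Uplink("external2", "3.3.3.3")
    rule = MultipathRule("192.168.20.0/24", "192.168.10.0/24")
    conn = {"src": "192.168.20.5", "dst": "192.168.10.5", "arrived_on": "external1"}
    balanced = egress_addresses([ext1, ext2], [], conn)         # two addresses: tunnel breaks
    bound = egress_addresses([ext1, ext2], [rule], conn)        # {'1.1.1.1'}, pinned to external1
    ext1.up = False
    failed_over = egress_addresses([ext1, ext2], [rule], conn)  # {'3.3.3.3'} after failover
    return balanced, bound, failed_over
```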

N:N internet connection

  • 192.168.10.0/24:1.1.1.1 <-> 2.2.2.2:192.168.20.0/24 (IPsec over SDSL)
  • 192.168.10.0/24:3.3.3.3 <-> 4.4.4.4:192.168.20.0/24 (IPsec over SDSL)

This scenario is similar to the first, except that the branch office also has two external interfaces. Failover is possible here as well, but you have to create uplink interfaces on each side and tick the option 'Bind Tunnel to Local Interface'.

If you need more information or guidance, then please contact technical support.
