Configure a route-based VPN failover with two ISP connections

You can configure failover between route-based VPNs created over two different Internet Service Providers (ISPs). For example, ISP1 and ISP2. If ISP1 goes down, the connection fails over to ISP2.

Here's an example:

Route-Based VPN with ISPs network diagram.

To configure a route-based VPN failover with two ISP connections, you must do as follows:

  1. Configure the route-based VPN connections.
  2. Configure the XFRM interfaces and gateway hosts.
  3. Configure an SD-WAN route.
  4. Set the route precedence.

Configure the route-based VPN connections

To configure the route-based VPN connections, do as follows:

  1. On your head office (HO) firewall, create a route-based VPN tunnel between your HO and branch office (BO) firewalls for ISP1. See Create a route-based VPN (any to any subnets).

  2. On your HO firewall, create a second route-based VPN tunnel between your HO and BO firewalls, this time for ISP2. See Create a route-based VPN (any to any subnets).

    To review your VPNs, go to Site-to-site VPN > IPsec.

    Two ISP VPNs.

Configure the XFRM interfaces and gateway hosts

You must assign an IP address to each XFRM interface and create a gateway host for each.

  1. Go to Network > Interfaces and expand the WAN interface used to create the IPsec connection. You see the XFRM interfaces automatically created for the tunnels. For example, you see xfrm1 and xfrm2 for HO and xfrm1 for BO.

    Here's an example:

    XFRM interfaces for the VPN tunnels.

  2. Assign an IP address to each XFRM interface as follows:

    1. Click the XFRM interface.
    2. For IPv4/netmask, enter an IP address for the interface.

      Here's an example:

      XFRM interfaces for the VPN tunnels.

  3. Go to Routing > Gateways and create gateway hosts for each XFRM interface. See Add a gateway.

    When you're creating a gateway host, for Interface, select the corresponding XFRM interface.

    Here's an example:

    Select interfaces for the gateway hosts.

Configure an SD-WAN route

Do as follows:

  1. Go to Routing > SD-WAN routes and create an SD-WAN route. See Add an SD-WAN route.

    When you're creating an SD-WAN route, do as follows:

    1. Under Link selection settings, select Primary and Backup gateways.
    2. For Primary gateway, select the gateway host you created for ISP1.
    3. For Backup gateway, select the gateway host you created for ISP2.

Set the route precedence

You must set the route precedence so that sdwan_policyroute is evaluated first; otherwise a static or VPN route can match before the SD-WAN route and the failover never takes effect.

On the command-line interface, do as follows:

  1. Enter 4 for Device console.

  2. To set the route precedence with sdwan_policyroute as the first, enter the following command:

    system route_precedence set sdwan_policyroute static vpn

  3. To check the route precedence, enter the following command:

    system route_precedence show
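As an added example (not part of the original documentation, and not the Sophos configuration format): a checklist-as-code in Python over a constructed, simplified model of the objects the four steps above create. The HoConfig class, its field names and the sample values are assumptions; the check mirrors the steps, including the requirement that sdwan_policyroute come first in the route precedence.

```python
from dataclasses import dataclass

# Constructed, simplified model of the objects this procedure creates.
# It is NOT the Sophos configuration format; all names are assumptions.
@dataclass
class HoConfig:
    tunnels: dict           # tunnel name -> ISP label, e.g. {"HO-BO-ISP1": "ISP1"}
    xfrm_ips: dict          # XFRM interface -> IPv4/netmask, e.g. {"xfrm1": "10.1.1.1/30"}
    gateways: dict          # gateway host name -> XFRM interface it is bound to
    sdwan_route: dict       # {"primary": gateway host name, "backup": gateway host name}
    route_precedence: list  # order as shown by "system route_precedence show"

def check_failover(cfg: HoConfig) -> list:
    """Return the list of problems found; an empty list means the failover prerequisites hold."""
    problems = []
    # Step 1: one route-based tunnel per ISP.
    isps = set(cfg.tunnels.values())
    if isps != {"ISP1", "ISP2"}:
        problems.append(f"expected tunnels over ISP1 and ISP2, found {sorted(isps)}")
    # Step 2: every XFRM interface has an address and a gateway host that selects it.
    bound = set(cfg.gateways.values())
    for xfrm, ip in cfg.xfrm_ips.items():
        if not ip:
            problems.append(f"{xfrm} has no IPv4/netmask")
        if xfrm not in bound:
            problems.append(f"no gateway host selects interface {xfrm}")
    # Step 3: the SD-WAN route names two different, existing gateway hosts on different interfaces.
    prim, back = cfg.sdwan_route.get("primary"), cfg.sdwan_route.get("backup")
    for role, gw in (("primary", prim), ("backup", back)):
        if gw not in cfg.gateways:
            problems.append(f"{role} gateway {gw!r} is not a configured gateway host")
    if prim == back:
        problems.append("primary and backup gateways must differ")
    elif prim in cfg.gateways and back in cfg.gateways and cfg.gateways[prim] == cfg.gateways[back]:
        problems.append("primary and backup gateways sit on the same XFRM interface")
    # Step 4: SD-WAN policy routes must be consulted before static and VPN routes.
    if not cfg.route_precedence or cfg.route_precedence[0] != "sdwan_policyroute":
        problems.append(f"route precedence must start with sdwan_policyroute, got {cfg.route_precedence}")
    return problems

# Constructed sample of a correctly completed HO configuration.
GOOD = HoConfig(
    tunnels={"HO-BO-ISP1": "ISP1", "HO-BO-ISP2": "ISP2"},
    xfrm_ips={"xfrm1": "10.1.1.1/30", "xfrm2": "10.1.2.1/30"},
    gateways={"GW-ISP1": "xfrm1", "GW-ISP2": "xfrm2"},
    sdwan_route={"primary": "GW-ISP1", "backup": "GW-ISP2"},
    route_precedence=["sdwan_policyroute", "static", "vpn"],
)

if __name__ == "__main__":
    print(check_failover(GOOD) or "failover prerequisites satisfied")
```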