
Configure a route-based VPN failover with two ISP connections

You can configure failover between route-based VPNs created over two different Internet Service Providers (ISPs). For example, you can create route-based VPN tunnels between your head office (HO) and branch office (BO) firewalls for ISP1 and ISP2. If ISP1 goes down, the traffic fails over to ISP2. When ISP1 recovers, the traffic fails back to ISP1.

Key steps

The key steps are as follows:

  1. Configure the HO firewall as follows:

    1. Configure the route-based VPN connections.
    2. Assign IP addresses to XFRM interfaces.
    3. Add gateway hosts.
    4. Add static routes.
    5. Set the route precedence.
  2. Configure the BO firewall as follows:

    1. Configure the route-based VPN connections.
    2. Assign IP addresses to XFRM interfaces.
    3. Add gateway hosts.
    4. Add static routes.
    5. Set the route precedence.

All configuration details are examples based on the network in the following diagram:

Route-Based VPN with ISPs network diagram.

Head office firewall

Configure the route-based VPN connections

To configure the route-based VPN connections, do as follows on your HO firewall:

  1. Create a route-based VPN tunnel between your HO and BO firewalls for ISP1.

  2. Create a route-based VPN tunnel between your HO and BO firewalls for ISP2.

For instructions on how to create a route-based VPN tunnel, see Create a route-based VPN (any to any subnets).

To see your configured VPN connections, go to Site-to-site VPN > IPsec.

Two ISP VPNs in HO.

Assign IP addresses to XFRM interfaces

You must assign an IP address to each XFRM interface, as follows:

  1. Go to Network > Interfaces and expand the WAN interface used to create the IPsec connection.

    XFRM interfaces are automatically created for the tunnels. For example, you can see that the xfrm1 and xfrm2 interfaces are created under the WAN interface.

    XFRM interfaces for the VPN tunnels.

  2. Assign an IP address to each XFRM interface.

    Note

    The settings we use below are examples.

    1. Click the xfrm1 interface.
    2. For IPv4/netmask, enter 10.10.10.1 and /24 (255.255.255.0).
    3. Click the xfrm2 interface.
    4. For IPv4/netmask, enter 20.20.20.1 and /24 (255.255.255.0).

Add gateway hosts

Add a gateway host for each XFRM interface.

  1. Add a gateway host for the xfrm1 interface as follows:

    1. Go to Routing > Gateways and click Add.
    2. In Interface, select the xfrm1 interface.
    3. Specify the remaining gateway settings according to your network configuration.
  2. Add a gateway host for the xfrm2 interface as follows:

    1. Go to Routing > Gateways and click Add.
    2. In Interface, select the xfrm2 interface.
    3. Specify the remaining gateway settings according to your network configuration.

Add static routes

Add two static routes with the same destination (the BO LAN) but different outbound XFRM interfaces and different administrative distances. The gateway of each route is the XFRM interface address of the BO firewall at the far end of that tunnel. The lower a route's administrative distance, the higher its priority, so give the second route (via xfrm2) a higher administrative distance than the first (via xfrm1). Traffic then flows through ISP1 while its tunnel is up and falls back to ISP2 only when the ISP1 route becomes unusable; when ISP1 recovers, the lower-distance route is preferred again and traffic fails back to ISP1. If both routes carry the same administrative distance there is no preferred path, so check the values before relying on the failover, and test it by taking ISP1 down in a maintenance window.

To add the static routes, do as follows:

Note

The settings we use below are examples.

  1. Add the first static route (preferred path, via ISP1) as follows:

    1. Go to Routing > Static routes and click Add.
    2. In Destination IP / Netmask, enter 192.168.10.0 and /24 (255.255.255.0).
    3. In Gateway, enter 10.10.10.2 (the BO xfrm1 address).
    4. In Interface, select xfrm1.
    5. In Administrative distance, enter 1.
  2. Add the second static route (backup path, via ISP2) as follows:

    1. Go to Routing > Static routes and click Add.
    2. In Destination IP / Netmask, enter 192.168.10.0 and /24 (255.255.255.0).
    3. In Gateway, enter 20.20.20.2 (the BO xfrm2 address).
    4. In Interface, select xfrm2.
    5. In Administrative distance, enter 2.

Set the route precedence

Set the route precedence so that static routes are evaluated first. Otherwise a VPN or SD-WAN route to the same destination can carry the traffic before the static failover pair is consulted, and the administrative distances you configured above have no effect.

On the command-line interface, do as follows:

  1. Enter 4 for Device console.

  2. To set the route precedence with static first, enter the following command:

    system route_precedence set static vpn sdwan_policyroute

  3. To check the route precedence, enter the following command and confirm that static is listed first:

    system route_precedence show

Branch office firewall

Configure the route-based VPN connections

To configure the route-based VPN connections, do as follows on your BO firewall:

  1. Create a route-based VPN tunnel between your HO and BO firewalls for ISP1.

  2. Create a route-based VPN tunnel between your HO and BO firewalls for ISP2.

For instructions on how to create a route-based VPN tunnel, see Create a route-based VPN (any to any subnets).

To see your configured VPN connections, go to Site-to-site VPN > IPsec.

Two ISP VPNs in BO.

Assign IP addresses to XFRM interfaces

You must assign an IP address to each XFRM interface, as follows:

  1. Go to Network > Interfaces and expand the WAN interface used to create the IPsec connection.

    XFRM interfaces are automatically created for the tunnels. For example, you can see that the xfrm1 and xfrm2 interfaces are created under the WAN interface.

    XFRM interfaces for the VPN tunnels.

  2. Assign an IP address to each XFRM interface.

    Note

    The settings we use below are examples.

    1. Click the xfrm1 interface.
    2. For IPv4/netmask, enter 10.10.10.2 and /24 (255.255.255.0).
    3. Click the xfrm2 interface.
    4. For IPv4/netmask, enter 20.20.20.2 and /24 (255.255.255.0).

Add gateway hosts

Add a gateway host for each XFRM interface.

  1. Add a gateway host for the xfrm1 interface as follows:

    1. Go to Routing > Gateways and click Add.
    2. In Interface, select the xfrm1 interface.
    3. Specify the remaining gateway settings according to your network configuration.
  2. Add a gateway host for the xfrm2 interface as follows:

    1. Go to Routing > Gateways and click Add.
    2. In Interface, select the xfrm2 interface.
    3. Specify the remaining gateway settings according to your network configuration.

Add static routes

Add two static routes with the same destination (the HO LAN) but different outbound XFRM interfaces and different administrative distances. The gateway of each route is the XFRM interface address of the HO firewall at the far end of that tunnel. The lower a route's administrative distance, the higher its priority, so give the second route (via xfrm2) a higher administrative distance than the first (via xfrm1). Traffic then flows through ISP1 while its tunnel is up and falls back to ISP2 only when the ISP1 route becomes unusable; when ISP1 recovers, the lower-distance route is preferred again and traffic fails back to ISP1. Use the same ordering on both firewalls so that forward and return traffic follow the same ISP.

To add the static routes, do as follows:

Note

The settings we use below are examples.

  1. Add the first static route (preferred path, via ISP1) as follows:

    1. Go to Routing > Static routes and click Add.
    2. In Destination IP / Netmask, enter 172.16.16.0 and /24 (255.255.255.0).
    3. In Gateway, enter 10.10.10.1 (the HO xfrm1 address).
    4. In Interface, select xfrm1.
    5. In Administrative distance, enter 1.
  2. Add the second static route (backup path, via ISP2) as follows:

    1. Go to Routing > Static routes and click Add.
    2. In Destination IP / Netmask, enter 172.16.16.0 and /24 (255.255.255.0).
    3. In Gateway, enter 20.20.20.1 (the HO xfrm2 address).
    4. In Interface, select xfrm2.
    5. In Administrative distance, enter 2.

Set the route precedence

Set the route precedence so that static routes are evaluated first. Otherwise a VPN or SD-WAN route to the same destination can carry the traffic before the static failover pair is consulted, and the administrative distances you configured above have no effect.

On the command-line interface, do as follows:

  1. Enter 4 for Device console.

  2. To set the route precedence with static first, enter the following command:

    system route_precedence set static vpn sdwan_policyroute

  3. To check the route precedence, enter the following command and confirm that static is listed first:

    system route_precedence show
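The static-route and route-precedence steps on both firewalls rely on one selection rule: routes are consulted source by source in precedence order, and within a source the usable route with the longest prefix and then the lowest administrative distance wins. The following Python model is an added example, not part of this documentation and not Sophos Firewall code; it replays that rule with the HO and BO values from the page to show the failover, the failback, and why static must come first in the precedence list. The competing "vpn" route on the assumed interface ipsec0, the test address 192.168.10.5, and treating an unknown interface as up are assumptions for illustration.

```python
"""Model of the static-route failover and route precedence described above.

Added example, not Sophos Firewall code. It models only what the page
describes: two static routes to one destination with different
administrative distances, a precedence order of route sources, and
link state deciding whether a route is usable. The "vpn" route on
ipsec0 and the test addresses are assumed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    source: str          # "static", "vpn" or "sdwan_policyroute"
    destination: str     # CIDR, e.g. "192.168.10.0/24"
    gateway: str
    interface: str
    admin_distance: int  # lower wins among usable routes of the same source


@dataclass
class Router:
    precedence: List[str]                                   # sources, consulted in order
    routes: List[Route] = field(default_factory=list)
    link_up: Dict[str, bool] = field(default_factory=dict)  # interface -> up?

    def set_link(self, interface: str, up: bool) -> None:
        self.link_up[interface] = up

    def lookup(self, dst: str) -> Optional[Route]:
        """First source in precedence order with a usable matching route;
        within it, longest prefix, then lowest administrative distance."""
        addr = ip_address(dst)
        for source in self.precedence:
            usable = [r for r in self.routes
                      if r.source == source
                      and self.link_up.get(r.interface, True)  # unknown iface: assumed up
                      and addr in ip_network(r.destination)]
            if usable:
                usable.sort(key=lambda r: (-ip_network(r.destination).prefixlen,
                                           r.admin_distance))
                return usable[0]
        return None


# Page values: (destination, gateway via xfrm1, gateway via xfrm2).
HO = ("192.168.10.0/24", "10.10.10.2", "20.20.20.2")
BO = ("172.16.16.0/24", "10.10.10.1", "20.20.20.1")


def build_router(site: Tuple[str, str, str]) -> Router:
    """The failover pair from the page: xfrm1 at AD 1, xfrm2 at AD 2, static first."""
    destination, gw1, gw2 = site
    r = Router(precedence=["static", "vpn", "sdwan_policyroute"])
    r.routes = [Route("static", destination, gw1, "xfrm1", 1),
                Route("static", destination, gw2, "xfrm2", 2)]
    r.set_link("xfrm1", True)
    r.set_link("xfrm2", True)
    return r


def failover_trace(router: Router, dst: str) -> List[Optional[str]]:
    """Interface chosen with ISP1 up, after xfrm1 goes down, and after it recovers."""
    trace = []
    for xfrm1_up in (True, False, True):
        router.set_link("xfrm1", xfrm1_up)
        chosen = router.lookup(dst)
        trace.append(chosen.interface if chosen else None)
    return trace


def check_failover_pair(routes: List[Route]) -> List[str]:
    """Checks a practitioner would run on the two static routes before trusting them."""
    problems = []
    static = [r for r in routes if r.source == "static"]
    if len({r.destination for r in static}) != 1:
        problems.append("static routes do not share one destination")
    if len({r.admin_distance for r in static}) != len(static):
        problems.append("administrative distances are not distinct, so no preferred path")
    if len({r.interface for r in static}) != len(static):
        problems.append("routes share an XFRM interface, so no path diversity")
    return problems


def precedence_matters() -> Tuple[str, str]:
    """Why static goes first: an assumed competing VPN route to the same LAN
    shadows the static pair entirely when 'vpn' precedes 'static'."""
    competing = Route("vpn", HO[0], "0.0.0.0", "ipsec0", 0)  # assumed, not from the page
    static_first = build_router(HO)
    static_first.routes.append(competing)
    vpn_first = build_router(HO)
    vpn_first.routes.append(competing)
    vpn_first.precedence = ["vpn", "static", "sdwan_policyroute"]
    return (static_first.lookup("192.168.10.5").interface,
            vpn_first.lookup("192.168.10.5").source)


if __name__ == "__main__":
    for name, site, probe in (("HO", HO, "192.168.10.5"), ("BO", BO, "172.16.16.5")):
        r = build_router(site)
        print(name, "checks:", check_failover_pair(r.routes) or "ok")
        print(name, "up / ISP1 down / ISP1 back:", failover_trace(r, probe))
    print("static first vs vpn first:", precedence_matters())
```

The trace for either site reads xfrm1, xfrm2, xfrm1, which is the failover and failback the page promises; precedence_matters() shows that with vpn listed first the static pair is never reached, which is the reason for the `system route_precedence set static vpn sdwan_policyroute` step. The model assumes the firewall marks the xfrm1 route unusable when its tunnel drops; confirm that on your own appliance by taking ISP1 down during a test window.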