Configuration of fallback for the site-to-site tunnel
Last adaptation to the version: 12.2.5.1
New:
  • Layout adjustments
This article refers to a Resellerpreview


Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
→ VPN → SSL-VPN


Introduction

Scenario

This wiki article describes how to set up a fallback for an SSL-VPN Site-to-Site tunnel. It is assumed that an existing SSL-VPN Site-to-Site server is in place.


The setup is as follows:
The remote location has a single internet connection, while the firewall at the main location uses multipath routing over two internet lines. The tunnel is configured so that the remote location initiates a Site-to-Site tunnel to the central location over one of the two lines.



Configuration of the head office

Example configuration of the site-to-site server

In the head office, multipath routing must be configured, so there are two interfaces, each with a public IP, and two default routes. If not already done, the OpenVPN server configuration can be set up as described in the article SSL-VPN Site-to-Site.

When setting up, make sure that the "Multihome" option under "Advanced" is enabled! It causes the server to answer from the same address on which a connection request arrived, so the branch office receives replies from whichever line it is currently using.



Configuration of the branch office

IP addresses separated by a comma

The Site-to-Site client is set up as usual, with one exception:
In step 5, both public IP addresses of the main office must be entered in the Host(s): field, separated by a comma.

198.51.100.2,203.0.113.2



IP addresses with colon and port specification

If the SSL-VPN server in the central location does not listen on the default port 1194, the port must be entered directly after each IP, separated by a colon.

198.51.100.2:1195,203.0.113.2:1195
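As an added illustration (not part of this article or of the Securepoint UTM software), the following Python helper checks a Host(s) value against the syntax shown in the two examples above: comma-separated IPv4 addresses, each optionally followed by a colon and port, with 1194 assumed when no port is given. That the field ends up as one OpenVPN `remote` directive per endpoint is an assumption of this example, not something the article states.

```python
import ipaddress

DEFAULT_PORT = 1194  # default SSL-VPN server port named in the article


def parse_hosts(field: str) -> list[tuple[str, int]]:
    """Parse the Host(s) field of the site-to-site client.

    Accepts 'IP' or 'IP:port' entries separated by commas (surrounding
    whitespace is tolerated) and returns (ip, port) pairs in the order the
    branch office tries them. Raises ValueError on malformed input.
    """
    endpoints: list[tuple[str, int]] = []
    for raw in field.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty entry in host list (stray comma?)")
        host, sep, port_text = item.rpartition(":")
        if sep:
            if not port_text.isdigit():
                raise ValueError(f"port is not numeric in {item!r}")
            port = int(port_text)
        else:
            host, port = item, DEFAULT_PORT
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        # IPv4Address() rejects hostnames and anything that is not a dotted quad
        ip = str(ipaddress.IPv4Address(host))
        if (ip, port) in endpoints:
            raise ValueError(f"duplicate endpoint {ip}:{port}: no fallback gained")
        endpoints.append((ip, port))
    return endpoints


def validate_hosts(field: str) -> str:
    """Return '' when the field gives a usable fallback, else a short reason."""
    try:
        endpoints = parse_hosts(field)
    except ValueError as err:
        return str(err)
    if len(endpoints) < 2:
        return "only one endpoint: no fallback line configured"
    return ""


def openvpn_remote_lines(field: str) -> list[str]:
    """Assumed equivalent OpenVPN client directives: one 'remote' per endpoint."""
    return [f"remote {ip} {port}" for ip, port in parse_hosts(field)]
```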



Procedure in case of failure

  1. Site-to-Site Tunnel has been established (Branch office <-> Head office - Line 1).
  2. Line 1 in the head office loses the connection.
  3. The branch office tries to establish a tunnel through Line 1 of the head office for two minutes.
  4. The head office does not respond on Line 1 for two minutes.
  5. The branch office switches and now tries to initiate the tunnel through Line 2 of the head office.
  6. The tunnel is now established through Line 2 of the head office.



When will the tunnel be switched back to line 1?

The tunnel is not re-initiated on Line 1 without further action. This only happens when Line 2 of the head office loses the connection or the SSL VPN service at the branch office is restarted.