Sophos XG Firewall: How to configure Site-to-Site RED Tunnels

Overview

  • This article explains how to set up a Site-to-Site (S2S) RED tunnel between two Sophos XG Firewalls, without the need of a separate RED device.

Diagram

Firewall Server Configuration

  • Go to System Services -> RED and toggle RED Status to the ON position.
  • Fill in the options below and click Apply to enable the RED feature.
    • Organization Name
    • City
    • Country
    • Email
  • Navigate to Network and click Add Interface.
  • Select Add RED from drop-down list.
  • Enter the RED settings for the Firewall Server:

    • Branch Name: Enter the name of the remote location in which the RED is to be set up.
    • Type: Firewall RED Server.
    • Tunnel ID: Automatic.
    • RED IP: The IP address for the server side of the RED tunnel (192.168.1.1).
    • RED Netmask: The subnet mask for the entire network used by the RED tunnel. The network must have at least two addresses available in the space.
    • Zone: LAN
    • Tunnel Compression: On compresses the tunnel traffic so it uses less bandwidth, but may use more system resources.
  • A provisioning file is generated for the remote XG Client Firewall. Click Edit and then Download to save the .red provisioning file to disk.

Client Firewall Configuration

  • Repeat steps 1 through 5 from the server configuration above, and fill in the details below when adding the RED interface:

  • Branch Name: Enter the name of the remote location in which the RED is to be set up.
  • Type: Firewall RED Client.
  • Firewall IP/Hostname: The public IP of the RED Server Firewall (172.16.31.230).
  • Provisioning File: Upload the .red provisioning file that you downloaded when configuring the RED Server.
  • RED IP: The IP address for the client side of the RED tunnel (192.168.1.2).
  • RED Netmask: The subnet mask for the entire network used by the RED tunnel. The network must have at least two addresses available in the space.
  • Zone: LAN

Static Routes

  • On Site-to-Site RED tunnels, static routes need to be configured manually.
  • Navigate to Routing -> Static Routing.
  • Click Add to create an IPv4 Unicast Route.
  • Create static routes on both XG Firewalls so that the internal networks have a route across the RED tunnel.
  • On this screen, fill in the route details for each side:
    • Server
    • Client
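The RED IP/netmask requirements in the server and client interface sections and the per-side static routes in this section can be checked before touching the firewalls. The script below is an added example and is not Sophos code or part of the original article: it validates that both RED IPs sit in one tunnel network with at least two usable addresses, that neither LAN overlaps the other or the tunnel network (overlapping prefixes would make the static routes ambiguous), and then derives the route each firewall needs (peer LAN via the peer's RED IP). The RED netmask 255.255.255.252, the assignment of 172.16.16.0/24 to the server side and 172.16.17.0/24 to the client side, and the "destination/gateway" route shape are assumptions made for this example; the article does not state them.

```python
"""Sanity-check the addressing of a Sophos XG site-to-site RED tunnel and
derive the static routes each side needs.  Added example, not Sophos code.

Assumed values: the RED IPs 192.168.1.1 (server) and 192.168.1.2 (client)
follow the article; the /30 netmask and which LAN sits behind which firewall
are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class RedSide:
    name: str      # "server" or "client"
    red_ip: str    # RED IP configured on this firewall's RED interface
    lan: str       # internal network behind this firewall (CIDR)


def usable_addresses(network):
    """Classic usable-host count: all addresses minus network and broadcast.

    /31 and /32 yield 0 here, which is the conservative answer for a RED
    tunnel that the article says needs at least two addresses available.
    """
    net = ipaddress.ip_network(network, strict=False)
    return max(net.num_addresses - 2, 0)


def validate_red_tunnel(server, client, red_netmask):
    """Return a list of problems; an empty list means the addressing is sane."""
    problems = []
    # ip_interface accepts a dotted netmask, e.g. "192.168.1.1/255.255.255.252".
    srv = ipaddress.ip_interface(f"{server.red_ip}/{red_netmask}")
    cli = ipaddress.ip_interface(f"{client.red_ip}/{red_netmask}")
    tunnel_net = srv.network

    if usable_addresses(tunnel_net) < 2:
        problems.append(
            f"RED netmask {red_netmask} leaves fewer than two usable addresses")
    if cli.network != tunnel_net:
        problems.append(
            "server and client RED IPs are not in the same tunnel network")
    if srv.ip == cli.ip:
        problems.append("server and client RED IPs must differ")
    for side, iface in ((server, srv), (client, cli)):
        if iface.ip in (tunnel_net.network_address, tunnel_net.broadcast_address):
            problems.append(
                f"{side.name} RED IP {iface.ip} is the network or broadcast address")

    lans = {side.name: ipaddress.ip_network(side.lan) for side in (server, client)}
    if lans[server.name].overlaps(lans[client.name]):
        problems.append("server and client LANs overlap; routes would be ambiguous")
    for name, lan in lans.items():
        if lan.overlaps(tunnel_net):
            problems.append(f"{name} LAN {lan} overlaps the RED tunnel network {tunnel_net}")
    return problems


def static_routes(server, client):
    """Each firewall routes the peer's LAN to the peer's RED IP as next hop
    (assumed route shape; enter these under Routing -> Static Routing)."""
    return {
        server.name: {"destination": client.lan, "gateway": client.red_ip},
        client.name: {"destination": server.lan, "gateway": server.red_ip},
    }


if __name__ == "__main__":
    srv = RedSide("server", "192.168.1.1", "172.16.16.0/24")   # assumed LAN
    cli = RedSide("client", "192.168.1.2", "172.16.17.0/24")   # assumed LAN
    netmask = "255.255.255.252"                                 # assumed /30
    issues = validate_red_tunnel(srv, cli, netmask)
    print("addressing OK" if not issues else "\n".join(issues))
    for side, route in static_routes(srv, cli).items():
        print(f"{side}: {route['destination']} via {route['gateway']}")
```

Run it as-is to see the routes for the assumed layout; change the netmask to 255.255.255.254 or make the two LANs overlap to see the corresponding checks fire before the configuration reaches a firewall.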

Result

  • Run tracert from a client in 172.16.17.0/24 to a client in 172.16.16.0/24 to confirm the path crosses the RED tunnel.
