Sophos XG: How to configure GRE Tunnel to connect two sites on firmware version 18


GRE is the first protocol developed by Cisco, which will encapsulate some types of packets inside IP Tunneles to form connection points. A Tunnel is used when sending packets from one network to another or through an unsecured network

This article will guide you to set up GRE Tunnel between two sites of a company

How to configure

The article will be configured according to the following diagram

Step 1: Open the console of Sophos XG Firewall

Connect to console configuration interface of the firewall device

  • You can use console ports and putty software to access or log into the Sophos XG device to open the console interface
  • Here, I will log into the XG device and open the console interface
  • Login to XG with Admin account
  • In the right corner of the interface, admin section, click on the drop down menu -> Choose Console
  • Log in with Admin account
  • Enter number to enter the console mode

Step 2: Creating a GRE Tunnel connection

  • Tunneling command: console > system gre tunnel add name gre1 local-gw Port2 remote-gw local-ip remote-ip
  • Local-gw: Select the WAN port of the XG device
  • Remote-gw: Enter the WAN IP of the other site
  • Local-ip: Set IP for Tunnel as desired
  • Remote-ip: Set IP for Tunnel as desired

Step 3: Creating routing to connect between 2 sites

  • The routing command: console > system gre route add net tunnelname gre1
  • With Network is the network layer you want to route to
  • Tunnel name: Select the correct GRE Tunnel name you created

-> Press Enter

** You can check GRE Tunnel configuration information with the command:

console > system gre tunnel show

console > system gre route show

Step 4: Creating a firewall rule to allow connection via GRE VPN

  • Firewall -> Click Add Firewall rule -> User/network rule
  • Here we will create two allowable rules: VPN – LAN and LAN – VPN
  • In the first rule: Allow connection form VPN to LAN
  • In Source zones: Choose VPN
  • In Source networks and devices: Select Any
  • Destination zones: Select LAN
  • Destination networks: Select Any or the LAN layer you want

-> Click Save

  • In the second rule: Allow connecting form the LAN to the other ite using VPN
  • In Source zones: Select LAN
  • In Source networks and devices: Select Any or the LAN layer you want
  • Destination zones: Choose VPN
  • Destination networks: Select Any

-> Click Save

-> Finish, test ping between the two sites and perform tracert to check the path of the packet

Be the first to comment

Leave a Reply

Your email address will not be published.