How to configure Site-to-Site RED Tunnels

  • Article ID: 120157
  • Updated: 27 Feb 2014

This article explains how to set up and configure site-to-site RED tunnels (also known as UTM-UTM RED).

Known to apply to the following Sophos product(s) and version(s)

Sophos UTM

Basic Information

Site-to-Site RED tunnels have a number of advantages over using SSL or IPsec to connect two UTMs. Unlike IPsec, the tunnel appears as a virtual interface on each end (which helps with troubleshooting), and unlike the SSL VPN, that interface is configurable. Administrators have direct control over the address range used on the RED tunnel network, and will have a much easier time resolving routing and IP address conflict issues.

Logically, RED tunnels are easier to understand than other VPN methods: they are essentially the same as connecting a long virtual Ethernet cable from a virtual interface on one UTM, and plugging it into a virtual interface on the other. Firewall rules and static routes are used to allow traffic to go back and forth, in the same way that other internal interfaces are configured.

As opposed to using a RED device such as a RED10 or RED50, this tunnel type is best suited for environments that:

  • Prefer or require subscription features such as web or email filtering to be done on the remote internet connection
  • Need only to access certain network resources at the server end of the tunnel
  • Have hosted services that should be publicly available via the local public IP of the client end of the connection
  • Require greater flexibility than a standard RED appliance can offer
  • Require greater than 30 Mbps throughput over the RED tunnel

What To Do

To set up a UTM-to-UTM RED tunnel, first choose one UTM to be the server. The server role has nothing to do with how traffic flows through the tunnel; it only determines which side waits for the connection and which side initiates it. If one UTM is located behind NAT, it's a good idea to use it as the client and the other UTM as the server. The server will wait for connections from the client.

Once a tunnel is set up, configuring traffic between the two UTMs becomes purely a matter of routing and firewall rules. See below for instructions on setting up the tunnel, configuring the interfaces, configuring the routes, and then configuring the firewall.

Where to configure: WebAdmin

Step 1: Configure the RED tunnel (client connection)

On the Server UTM:

  1. Login to the WebAdmin and go to RED Management | [Server] Client management
  2. Click on the button Add RED.
  3. Give it a branch name.
  4. For the client type, select UTM.
  5. Leave the Tunnel ID set to Automatic.
  6. Click Save.

This will generate a provisioning file for the remote UTM. Click the Download button to save the .red provisioning file to disk.

On the Client UTM:

  1. Login to the WebAdmin and go to RED Management | [Client] Tunnel Management
  2. Click Add Tunnel.
  3. Enter a tunnel name.
  4. Choose a definition for the UTM host field. This should be the public IP of the server UTM, or a DNS host definition which resolves to its public IP.
  5. Upload the provisioning file generated on the server.
  6. Click Save.

At this point, the tunnel should connect automatically; this normally takes around 30 seconds.

Step 2: Configure the virtual interfaces

Once you click Save, each UTM will have a virtual RED interface that you'll need to configure next. The server's interface will be named reds#, and the client's redc#, with # being the next available RED interface number.

On the Server UTM:

  1. Login to the WebAdmin and go to Interfaces & Routing | Interfaces
  2. Click New interface...
  3. Enter an interface name.
  4. Under Type, choose Ethernet Static.
  5. Under Hardware, choose the new RED interface (such as reds1, reds2, etc.)
  6. Choose an IP address for this interface. For example: 192.168.100.1
  7. Click Save.
  8. Enable the new interface.

On the Client UTM:

  1. Login to the WebAdmin and go to Interfaces & Routing | Interfaces
  2. Click New interface...
  3. Enter an interface name.
  4. Under Type, choose Ethernet Static.
  5. Under Hardware, choose the new RED interface (such as redc1, redc2, etc.)
  6. Choose an IP address for this interface. For example: 192.168.100.2
  7. Click Save.
  8. Enable the new interface.

Step 3: Setup the static routes

The next step is to set up static routes on each UTM, telling them which networks are reachable via the UTM on the other end of the tunnel. This is known as split tunnelling (full tunnelling over a Site-to-Site RED is technically possible, but is not covered in this article).

On each UTM:

  1. Login to the WebAdmin and go to Interfaces & Routing | Static Routing | Standard Static Routes
  2. Click New static route...
  3. Under Route Type, choose Gateway Route.
  4. Under Network, add an object for a network you want to route over the tunnel. If you do not have an existing object created for it, click the green + icon to create a new object.
  5. Under Gateway, add a host object for the IP address of the RED interface on the remote end of the tunnel. For example, if you're creating the route on the client, use a host object for the server's RED interface address.
  6. Click Save.
  7. Enable the new route.

In the example in Step 2, the server's RED interface address was 192.168.100.1, and the client's was 192.168.100.2. If the server UTM has a connected network of 192.168.5.0/24, and the client UTM has the network 192.168.10.0/24, then to allow hosts on each network to communicate you would configure the routes as follows:

On the Server UTM:

  • Route type: Gateway route
  • Network: 192.168.10.0/24
  • Gateway: 192.168.100.2

On the Client UTM:

  • Route type: Gateway route
  • Network: 192.168.5.0/24
  • Gateway: 192.168.100.1
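The addressing from Step 2 and the mirrored gateway routes from Step 3 can be derived and sanity-checked before anything is clicked in WebAdmin. The following Python script is an added example, not part of the article or a Sophos tool; it assumes a /24 mask on the RED interfaces (the article gives only the addresses) and uses the article's sample networks as constructed input. It builds the route each side needs and flags the address conflicts that the RED tunnel network is supposed to avoid: RED addresses in different subnets, a local network overlapping the tunnel subnet, or the two sites' local networks overlapping each other.

```python
import ipaddress

# Constructed sample values from the article's worked example (Step 2 and Step 3).
# The /24 on the RED interfaces is an assumption; the article only gives the addresses.
SERVER = {"red_if": "192.168.100.1/24", "local_nets": ["192.168.5.0/24"]}
CLIENT = {"red_if": "192.168.100.2/24", "local_nets": ["192.168.10.0/24"]}


def plan_routes(server, client):
    """Return the gateway route each UTM needs: every local network at the
    far end is routed via the RED interface address of the far-end UTM."""
    s_gw = ipaddress.ip_interface(server["red_if"]).ip
    c_gw = ipaddress.ip_interface(client["red_if"]).ip
    return {
        "server": [{"type": "Gateway route", "network": n, "gateway": str(c_gw)}
                   for n in client["local_nets"]],
        "client": [{"type": "Gateway route", "network": n, "gateway": str(s_gw)}
                   for n in server["local_nets"]],
    }


def check_addressing(server, client):
    """List the address conflicts that would break routing over the tunnel."""
    problems = []
    s_if = ipaddress.ip_interface(server["red_if"])
    c_if = ipaddress.ip_interface(client["red_if"])
    # Both RED interfaces sit on one virtual Ethernet segment, so they must
    # share a subnet and use distinct addresses.
    if s_if.network != c_if.network:
        problems.append("RED interface addresses are not in the same subnet")
    if s_if.ip == c_if.ip:
        problems.append("both RED interfaces use the same address")
    locals_ = [(side, ipaddress.ip_network(n))
               for side, cfg in (("server", server), ("client", client))
               for n in cfg["local_nets"]]
    # A local network overlapping the tunnel subnet shadows the gateway route.
    for side, net in locals_:
        if net.overlaps(s_if.network):
            problems.append(f"{side} network {net} overlaps the RED tunnel subnet {s_if.network}")
    # Overlapping local networks on opposite sides cannot be split-tunnelled.
    for i, (side_a, net_a) in enumerate(locals_):
        for side_b, net_b in locals_[i + 1:]:
            if side_a != side_b and net_a.overlaps(net_b):
                problems.append(f"{side_a} network {net_a} overlaps {side_b} network {net_b}")
    return problems


if __name__ == "__main__":
    print(plan_routes(SERVER, CLIENT))
    print(check_addressing(SERVER, CLIENT) or "no addressing conflicts")
```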

Step 4: Create Firewall Rules

The final step is to create firewall rules that allow traffic to flow between the configured networks. This is not done automatically; the rules must be created by hand, in exactly the same way as allowing traffic between any two other networks:

On each UTM:

  1. Login to the WebAdmin and go to Network Protection | Firewall | Rules
  2. Click New Rule...
  3. Under Sources, add an object for each of the local networks located on each side of the tunnel.
  4. Under Services, add the services you want to allow between networks, or Any for all services.
  5. Under Destinations, add the same objects you specified in the Sources box.
  6. Under Action, select Allow.
  7. Click Save.

Related Articles

KB 116573 - Sophos RED (Remote Ethernet Device) Technical Training Guide
KB 120263 - How to create Site-to-Site RED full tunnels

If you need more information or guidance, then please contact technical support.
