This article describes how to change an existing site-to-site IPsec tunnel into a 'full' tunnel, in which all traffic from a remote site (including Internet-bound traffic) is sent through the central UTM.
This configuration allows all traffic from the remote site to be monitored and filtered centrally on the central office UTM.
What To Do
Remote office settings:
On the UTM at the remote site:
- Navigate to Site-to-site VPN | IPsec | Remote Gateways.
- On the defined remote gateway for the central office, click 'Edit'.
- Change the 'Remote Networks' box to only contain the network 'Any'.
- Click 'Save'.
Central office settings:
On the UTM at the central office:
- Navigate to Site-to-site VPN | IPsec | Connections.
- On the defined local connection for the remote site, click 'Edit'.
- Set 'Local Networks' to only contain 'Any'.
- Click 'Save'.
Additional configuration notes:
- All traffic from the remote office will now be sent to the central office UTM. As such, any configured NAT rules, firewall rules, Web Protection settings, or other services such as DNS, DHCP, IPS, etc. may need to be modified to include a definition for the remote network so that it is allowed out to the Internet or can access local resources.
- In order for the remote office to access the Internet, a Masquerading rule for the remote network will also need to be configured on the central office UTM, since the remote traffic now leaves through the central UTM's external interface.
- For small branch offices using this centralized configuration, Sophos also offers the RED appliance as a cost effective solution for centralized remote network management.
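The following is an added example (not Sophos code or part of the original article) that models the two WebAdmin objects edited above as plain dictionaries and checks the configuration for the mistakes the notes warn about: a selector that is not 'Any' on either side, selectors that do not mirror each other, and a missing masquerading rule on the central UTM. The field names (`remote_networks`, `local_networks`, `network`, `interface`) are assumptions chosen to mirror the WebAdmin labels, and the sample networks are constructed.

```python
"""Consistency check for the full-tunnel IPsec change described above.

Added example, not Sophos code. Field names mirror the WebAdmin labels but
are assumptions; the sample networks below are constructed for illustration.
"""
import ipaddress

# In WebAdmin the network object 'Any' corresponds to 0.0.0.0/0.
ANY = ipaddress.ip_network("0.0.0.0/0")


def to_net(name_or_cidr):
    """Translate a WebAdmin network name or CIDR string into an ip_network."""
    if name_or_cidr.strip().lower() == "any":
        return ANY
    return ipaddress.ip_network(name_or_cidr, strict=False)


def check_full_tunnel(remote_gateway, central_connection, central_masq_rules, remote_lan):
    """Return a list of findings; an empty list means the full tunnel is consistent.

    remote_gateway      - the remote site's Remote Gateway object ('Remote Networks')
    central_connection  - the central site's Connection object ('Local Networks')
    central_masq_rules  - masquerading rules on the central UTM (network + interface)
    remote_lan          - the remote office LAN that must be able to reach the Internet
    """
    findings = []
    remote_sel = [to_net(n) for n in remote_gateway["remote_networks"]]
    central_sel = [to_net(n) for n in central_connection["local_networks"]]

    # Both selectors must be exactly 'Any', otherwise only the listed networks
    # enter the tunnel and the rest of the remote traffic bypasses the central UTM.
    if remote_sel != [ANY]:
        findings.append("remote gateway 'Remote Networks' must contain only 'Any' for a full tunnel")
    if central_sel != [ANY]:
        findings.append("central connection 'Local Networks' must contain only 'Any' for a full tunnel")

    # The remote side's 'Remote Networks' and the central side's 'Local Networks'
    # describe the same traffic selector and must match for the SA to negotiate.
    if set(remote_sel) != set(central_sel):
        findings.append("traffic selectors do not mirror each other between the two UTMs")

    # Internet access for the remote LAN now depends on a masquerading rule on
    # the central UTM's external interface that covers the remote network.
    lan = to_net(remote_lan)
    covered = any(
        rule.get("interface") == "External" and lan.subnet_of(to_net(rule["network"]))
        for rule in central_masq_rules
    )
    if not covered:
        findings.append(f"no masquerading rule on the central UTM's External interface covers {lan}")
    return findings


# Constructed sample objects: the split-tunnel 'before' and the full-tunnel 'after'.
REMOTE_LAN = "192.168.50.0/24"
SPLIT_TUNNEL = {
    "remote_gateway": {"remote_networks": ["10.0.0.0/24"]},
    "central_connection": {"local_networks": ["10.0.0.0/24"]},
}
FULL_TUNNEL = {
    "remote_gateway": {"remote_networks": ["Any"]},
    "central_connection": {"local_networks": ["Any"]},
}
# Masquerading rules on the central UTM before and after adding the remote network.
CENTRAL_MASQ_BEFORE = [{"network": "10.0.0.0/24", "interface": "External"}]
CENTRAL_MASQ_AFTER = CENTRAL_MASQ_BEFORE + [{"network": REMOTE_LAN, "interface": "External"}]


if __name__ == "__main__":
    for label, cfg, masq in (
        ("split tunnel, no masq rule", SPLIT_TUNNEL, CENTRAL_MASQ_BEFORE),
        ("full tunnel, no masq rule", FULL_TUNNEL, CENTRAL_MASQ_BEFORE),
        ("full tunnel, masq rule added", FULL_TUNNEL, CENTRAL_MASQ_AFTER),
    ):
        result = check_full_tunnel(cfg["remote_gateway"], cfg["central_connection"], masq, REMOTE_LAN)
        print(f"{label}: {result or 'OK'}")
```

Running the script walks through the three states an administrator passes through while following the article: the original split tunnel, the full tunnel before the masquerading rule is added, and the completed configuration, which produces no findings.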