Creating a site-to-site RED tunnel

Set up a site-to-site RED tunnel between two Sophos XG Firewall devices without deploying a RED device. In this type of configuration, one device acts as the server and the other as the client.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Add a RED interface on the server.
  • Create a client firewall configuration.
  • Create static routing so that internal networks have a route across the RED tunnel.
  • Add firewall rules for tunnel traffic.

Add a RED interface on the server

The server listens for incoming connections, and the client device initiates the outgoing connection. Any upstream NAT may interfere with incoming connections, so it is preferable to select a non-NAT device to act as the server.

  1. On the server device, go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and select Add RED.
  3. Specify settings.
    OptionDescription
    Branch name Server
    Type Firewall RED server
    Tunnel ID Automatic
    RED IP 192.0.2.25
    Zone LAN
  4. Click Save.

    A provisioning file is generated for the server firewall.

  5. In the list of interfaces, locate the RED interface, click the hamburger button and download the provisioning file.
  6. Copy the file to a network location or removable drive that you can access from the client firewall.

Add a RED interface on the client

  1. Go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and select Add RED.
  3. Specify settings.
    OptionDescription
    Branch name Client
    Type Firewall RED client
    Firewall IP/hostname 192.0.2.25
    RED IP 198.51.100.100
    Zone LAN
  4. Click Choose file and select the provisioning file that you downloaded for the server.
  5. Click Save.

Add static routes

You need to configure static routing on both firewalls so that internal networks have a route across the RED tunnel.

  1. On the server firewall, go to Routing > Static routing.
  2. Click Add to create an IPv4 unicast route.
  3. Specify settings.
    OptionDescription
    Destination IP 192.168.100.0
    Gateway 172.173.0.1
    Interface reds1-192.0.2.25
  4. Go to the client firewall and specify the same routing.

Add firewall rules

For traffic to pass between the two firewalls, you must create a LAN-to-LAN or similar rule on each firewall.

The following steps are executed on the server firewall and the client firewall.

  1. Go to Firewall and click + Add firewall rule > User/Network rule.
  2. Specify settings.
    OptionDescription
    Rule name LAN to LAN
    Source zones LAN
    Destination zones LAN