Creating a site-to-site RED tunnel
Set up a site-to-site RED tunnel between two Sophos XG Firewall devices without deploying a RED device. In this type of configuration, one device acts as the server and the other as the client.
Objectives
When you complete this unit, you’ll know how to do the following:
- Add a RED interface on the server.
- Create a client firewall configuration.
- Create static routing so that internal networks have a route across the RED tunnel.
- Add firewall rules for tunnel traffic.
Add a RED interface on the server
The server listens for incoming connections and the client initiates the outgoing connection. An upstream NAT in front of the server can block or break that incoming connection, so choose the device that is not behind NAT to act as the server.
Add a RED interface on the client
- Turn on the RED provisioning service.
- Click Add interface and select Add RED.
- Specify the settings.
  - Branch name: Client
  - Type: Firewall RED client
  - Firewall IP/hostname: 192.0.2.25 (the address at which the client reaches the server firewall)
  - RED IP: 198.51.100.100
  - Zone: LAN
- Click Choose file and select the provisioning file that you downloaded for the server.
- Click Save.
Add static routes
You need to configure static routing on both firewalls so that internal networks have a route across the RED tunnel.
- On the server firewall, go to the static routing settings.
- Click Add to create an IPv4 unicast route.
- Specify the settings.
  - Destination IP: 192.168.100.0
  - Gateway: 172.173.0.1
  - Interface: reds1-192.0.2.25
- Go to the client firewall and add the matching route in the opposite direction: the destination is the server's internal network and the interface is the client's RED interface. Copying the server's route verbatim would point the client's own network into the tunnel.
Add firewall rules
For traffic to pass between the two internal networks, create a LAN-to-LAN (or equivalent) firewall rule on each firewall. Because the RED interface is placed in the LAN zone, a LAN-to-LAN rule covers traffic both entering and leaving the tunnel.
The following steps are performed on both the server firewall and the client firewall.
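The procedure above (server placement, client settings, a static route on each side, a LAN-to-LAN rule on each side) is easy to get wrong when values are copied between the two firewalls. The script below is an added example, not Sophos code: it models both ends, applies the checks this unit implies (the server must not sit behind NAT, each side routes the peer's internal network across its own RED interface, a LAN-to-LAN rule exists on each side) and emits the settings to enter. The server address 192.0.2.25, the interface name reds1-192.0.2.25 and the client network 192.168.100.0/24 follow the unit's example values; the tunnel subnet, the server's internal network, the client's interface name and the rule that the route gateway is the peer's RED IP within one shared tunnel subnet are assumptions made for the example.

```python
"""Pre-flight check for a site-to-site RED tunnel between two Sophos XG firewalls.

Added example, not Sophos code. It models the server and client ends, validates the
plan (server reachable without NAT, tunnel addresses in one subnet, non-overlapping
internal networks) and derives the static route and LAN-to-LAN rule for each side.
"""
from dataclasses import dataclass
import ipaddress

# Address ranges that indicate an upstream NAT (RFC 1918 and carrier-grade NAT).
# A RED server on one of these cannot accept the client's incoming connection
# without extra port forwarding, so it should be the client instead.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class RedPeer:
    name: str           # "server" or "client"
    wan_ip: str         # address the peer reaches this firewall on
    red_ip: str         # tunnel-side address of this firewall's RED interface
    lan: str            # internal network behind this firewall
    red_interface: str  # RED interface name as shown in the firewall UI


def server_behind_nat(server: RedPeer) -> bool:
    """True if the server's address is private/CGNAT, i.e. an upstream NAT is in
    the way. The client initiates, so only the server needs to be reachable."""
    ip = ipaddress.ip_address(server.wan_ip)
    return any(ip in net for net in NAT_RANGES)


def static_route(local: RedPeer, remote: RedPeer) -> dict:
    """Route to enter on `local`: the REMOTE internal network via the local RED
    interface, with the remote tunnel address as gateway (assumption: both RED
    IPs share one tunnel subnet). Note the destination is the peer's LAN, so the
    client's route is not a verbatim copy of the server's."""
    return {
        "destination": str(ipaddress.ip_network(remote.lan)),
        "gateway": remote.red_ip,
        "interface": local.red_interface,
    }


def firewall_rule(local: RedPeer, remote: RedPeer) -> dict:
    """LAN-to-LAN rule for traffic between the two internal networks. The RED
    interface is placed in the LAN zone in this unit, so both zones are LAN."""
    return {"from_zone": "LAN", "to_zone": "LAN",
            "source": str(ipaddress.ip_network(local.lan)),
            "destination": str(ipaddress.ip_network(remote.lan))}


def validate(server: RedPeer, client: RedPeer, tunnel_net: str) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if server_behind_nat(server):
        problems.append(f"server {server.wan_ip} is a private/CGNAT address: "
                        "pick the side that is not behind NAT as the server")
    tunnel = ipaddress.ip_network(tunnel_net)
    for peer in (server, client):
        if ipaddress.ip_address(peer.red_ip) not in tunnel:
            problems.append(f"{peer.name} RED IP {peer.red_ip} is outside {tunnel}")
    if server.red_ip == client.red_ip:
        problems.append("both RED interfaces use the same tunnel address")
    s_lan, c_lan = ipaddress.ip_network(server.lan), ipaddress.ip_network(client.lan)
    if s_lan.overlaps(c_lan):
        problems.append(f"internal networks {s_lan} and {c_lan} overlap; "
                        "routes across the tunnel would be ambiguous")
    return problems


def plan(server: RedPeer, client: RedPeer, tunnel_net: str) -> dict:
    """Everything to enter on each firewall, or the problems that block it."""
    problems = validate(server, client, tunnel_net)
    if problems:
        return {"problems": problems}
    return {
        "problems": [],
        "server": {"route": static_route(server, client),
                   "rule": firewall_rule(server, client)},
        "client": {"route": static_route(client, server),
                   "rule": firewall_rule(client, server)},
    }


# Constructed sample. 192.0.2.25, reds1-192.0.2.25 and 192.168.100.0/24 follow the
# unit's example values; the tunnel subnet, the server LAN, the client's WAN address
# and the client's interface name are made up for this example.
SERVER = RedPeer("server", "192.0.2.25", "172.173.0.1", "192.168.10.0/24",
                 "reds1-192.0.2.25")
CLIENT = RedPeer("client", "198.51.100.7", "172.173.0.2", "192.168.100.0/24", "reds1")
TUNNEL_NET = "172.173.0.0/24"

if __name__ == "__main__":
    import json
    print(json.dumps(plan(SERVER, CLIENT, TUNNEL_NET), indent=2))
    # A server behind NAT is rejected before any routes are produced.
    nat_server = RedPeer("server", "192.168.1.5", "172.173.0.1",
                         "192.168.10.0/24", "reds1")
    print(plan(nat_server, CLIENT, TUNNEL_NET)["problems"])
```

Run it as-is to see the route and rule for each side; swap the server's address for an RFC 1918 one, or give the client a RED IP outside the tunnel subnet, and the plan is refused with the reason instead of producing half-usable settings. The point of deriving both sides from one model is that the client's route is generated with the server's network as destination, which the GUI procedure does not enforce.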