
Create a site-to-site RED tunnel

Set up a site-to-site RED tunnel between two Sophos Firewall devices without deploying a RED device. In this type of configuration, one device acts as the server and the other as the client.

Objectives

When you complete this unit, you'll know how to do the following:

  • Add a RED interface on the server.
  • Create a client firewall configuration.
  • Create static routing so that internal networks have a route across the RED tunnel.
  • Add firewall rules for tunnel traffic.

Add a RED interface on the server

The server listens for incoming connections, and the client device initiates the outgoing connection. Because any upstream NAT may interfere with incoming connections, we recommend that you use a device that isn't behind NAT as the server.

  1. On the server device, go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and select Add.
  3. Specify the settings.

    Option       Description
    Branch name  Server
    Type         Firewall RED server
    Tunnel ID    Automatic
    RED IP       192.0.2.25
    Zone         LAN
  4. Click Save.

    A provisioning file is generated for the server firewall.

  5. In the list of interfaces, locate the RED interface, click the Menu button, and download the provisioning file.

    Download RED provisioning file

  6. Copy the file to a network location or removable drive that you can access from the client firewall.

Add a RED interface on the client

  1. Go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and select Add.
  3. Specify the settings.

    Option                Description
    Branch name           Client
    Type                  Firewall RED client
    Firewall IP/hostname  192.0.2.25
    RED IP                198.51.100.100
    Zone                  LAN
  4. Click Choose file and select the provisioning file that you downloaded for the server.

  5. Click Save.

Add static routes

You need to configure static routing on both firewalls so that internal networks have a route across the RED tunnel.

  1. On the server firewall, go to Routing > Static routing.
  2. Click Add to create an IPv4 unicast route.
  3. Specify the settings.

    Option                    Description                                                            Example
    Destination IP / Netmask  Specify the destination IP address and netmask of the remote network.  192.168.20.0/24
    Gateway                   Specify the IP address of the remote firewall.                         192.168.100.2
    Interface                 Don't select an interface.
  4. Go to the client firewall and specify the same routing.

Add firewall rule

For traffic to pass between the two firewalls, you must create a LAN-to-LAN or similar rule on each firewall.

Do as follows on the server and client firewall devices.

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 or IPv6 and click Add firewall rule.
  3. Specify the settings.

    Option             Description
    Rule name          LAN to LAN
    Source zones       LAN
    Destination zones  LAN
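To double-check the static routing and firewall rule steps above before bringing the tunnel up, here is an added Python consistency check (example code, not from Sophos or this page). It models each firewall's RED IP, local LAN, static routes and rules with a hypothetical dataclass layout, and assumes that each side's static route to the remote LAN uses the remote firewall's RED IP as its gateway and that a LAN-to-LAN rule exists on both sides; the sample sites are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class StaticRoute:
    destination: str   # Destination IP / Netmask, e.g. "192.168.20.0/24"
    gateway: str       # Gateway: IP address of the remote firewall

@dataclass
class FirewallRule:
    name: str
    source_zones: frozenset
    destination_zones: frozenset

@dataclass
class Site:
    name: str
    red_ip: str                  # RED IP of this firewall's tunnel interface
    lan_network: str             # local network behind this firewall
    routes: list = field(default_factory=list)
    rules: list = field(default_factory=list)

def check_site_pair(server: Site, client: Site) -> list:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    if ipaddress.ip_address(server.red_ip) == ipaddress.ip_address(client.red_ip):
        findings.append("server and client RED IPs must differ")
    if ipaddress.ip_network(server.lan_network).overlaps(ipaddress.ip_network(client.lan_network)):
        findings.append("LAN networks overlap, so a static route cannot tell them apart")
    for local, remote in ((server, client), (client, server)):
        remote_net = ipaddress.ip_network(remote.lan_network)
        routes = [r for r in local.routes if ipaddress.ip_network(r.destination) == remote_net]
        if not routes:
            findings.append(f"{local.name}: no static route to {remote.lan_network}")
        for r in routes:  # assumption: the gateway is the remote firewall's RED IP
            if ipaddress.ip_address(r.gateway) != ipaddress.ip_address(remote.red_ip):
                findings.append(f"{local.name}: route to {r.destination} uses gateway {r.gateway}, expected {remote.red_ip}")
        if not any("LAN" in rule.source_zones and "LAN" in rule.destination_zones for rule in local.rules):
            findings.append(f"{local.name}: no LAN-to-LAN firewall rule for tunnel traffic")
    return findings

def example_sites():
    """Constructed sample pair: LAN subnets are made up, RED IPs are the page's values."""
    lan_to_lan = FirewallRule("LAN to LAN", frozenset({"LAN"}), frozenset({"LAN"}))
    server = Site("Server", "192.0.2.25", "192.168.10.0/24",
                  routes=[StaticRoute("192.168.20.0/24", "198.51.100.100")], rules=[lan_to_lan])
    client = Site("Client", "198.51.100.100", "192.168.20.0/24",
                  routes=[StaticRoute("192.168.10.0/24", "192.0.2.25")], rules=[lan_to_lan])
    return server, client
```

Running `check_site_pair(*example_sites())` returns an empty list; remove the client's route or point it at a different gateway and the corresponding finding names the site and the route that needs fixing.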