Create a site-to-site RED tunnel
Set up a site-to-site RED tunnel between two Sophos Firewall devices without deploying a RED device. In this type of configuration, one device acts as the server and the other as the client.
Objectives
When you complete this unit, you'll know how to do the following:
- Add a RED interface on the server.
- Create a client firewall configuration.
- Create static routing so that internal networks have a route across the RED tunnel.
- Add firewall rules for tunnel traffic.
Add a RED interface on the server
The server listens for incoming connections, and the client device initiates the outgoing connection. Upstream NAT can interfere with incoming connections, so we recommend that you select a device that isn't behind NAT to act as the server.
- On the server device, go to System services > RED and turn on the RED provisioning service.
- Go to Network > Interfaces, click Add interface, and select Add.
- Specify the settings.
    Branch name: Server
    Type: Firewall RED server
    Tunnel ID: Automatic
    RED IP: 192.0.2.25
    Zone: LAN
- Click Save.
A provisioning file is generated for the server firewall.
- In the list of interfaces, locate the RED interface, click Menu and download the provisioning file.
- Copy the file to a network location or removable drive that you can access from the client firewall.
Add a RED interface on the client
- Go to System services > RED and turn on the RED provisioning service.
- Go to Network > Interfaces, click Add interface, and select Add.
- Specify the settings.
    Branch name: Client
    Type: Firewall RED client
    Firewall IP/hostname: 192.0.2.25
    RED IP: 198.51.100.100
    Zone: LAN
- Click Choose file and select the provisioning file that you downloaded for the server.
- Click Save.
Add static routes
You need to configure static routing on both firewalls so that internal networks have a route across the RED tunnel.
- On the server firewall, go to Routing > Static routing.
- Click Add to create an IPv4 unicast route.
- Specify the settings.
    Destination IP / Netmask: Specify the destination IP address and netmask of the remote network (example: 192.168.20.0/24).
    Gateway: Specify the IP address of the remote firewall (example: 192.168.100.2).
    Interface: Don't select an interface.
- Go to the client firewall and specify the same routing.
Add firewall rule
For traffic to pass between the two firewalls, you must create a LAN-to-LAN or similar rule on each firewall.
Do as follows on the server and client firewall devices.
- Go to Rules and policies > Firewall rules.
- Select IPv4 or IPv6 and click Add firewall rule.
- Specify the settings.
    Rule name: LAN to LAN
    Source zones: LAN
    Destination zones: LAN
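A pre-flight consistency check for the procedure above, added here as an example and not part of the Sophos documentation: it models the settings entered on both firewalls as Python dictionaries (an assumed layout, with constructed addresses) and verifies that the client points at the server, that both RED IPs share one tunnel subnet, that each side routes the peer's internal network via the peer's RED IP without binding an interface (the gateway choice is an assumption of this example), and that each side has a LAN-to-LAN accept rule.

```python
"""Pre-flight consistency check for a site-to-site RED tunnel between two
Sophos Firewall devices.  Added example, not Sophos code: the dict layout is
an assumed model of the web admin settings; all addresses are constructed."""
import ipaddress

def check_red_site_to_site(server, client):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    # The client dials the address the server listens on (Firewall IP/hostname).
    if client["peer"] != server["listen_address"]:
        findings.append("client peer address does not match the server")
    # Both RED IPs must share the tunnel subnet, or the route gateways
    # (assumed here to be each side's peer RED IP) are unreachable.
    s_red, c_red = (ipaddress.ip_interface(x["red_ip"]) for x in (server, client))
    if s_red.network != c_red.network:
        findings.append("RED IPs are not in one tunnel subnet")
    for local, remote in ((server, client), (client, server)):
        name, peer_ip = local["name"], ipaddress.ip_interface(remote["red_ip"]).ip
        for net in map(ipaddress.ip_network, remote["local_networks"]):
            # Overlapping LANs cannot be told apart by a static route.
            if any(net.overlaps(ipaddress.ip_network(n)) for n in local["local_networks"]):
                findings.append(f"{name}: {net} overlaps a local network")
            # One route per remote network, gateway = peer RED IP, no interface bound.
            routes = [r for r in local["routes"] if ipaddress.ip_network(r["destination"]) == net]
            if not routes:
                findings.append(f"{name}: no static route to {net}")
            for r in routes:
                if ipaddress.ip_address(r["gateway"]) != peer_ip:
                    findings.append(f"{name}: route to {net} gateway is not the peer RED IP")
                if r.get("interface") is not None:
                    findings.append(f"{name}: route to {net} should not bind an interface")
        # Tunnel traffic needs a LAN-to-LAN accept rule on each firewall.
        if not any(rule == ("LAN", "LAN", "Accept") for rule in local["rules"]):
            findings.append(f"{name}: no LAN-to-LAN accept rule")
    return findings

# Constructed sample configuration (not from the original page).
SERVER = {"name": "server", "listen_address": "203.0.113.10",
          "red_ip": "10.255.0.1/30", "local_networks": ["192.168.10.0/24"],
          "routes": [{"destination": "192.168.20.0/24", "gateway": "10.255.0.2"}],
          "rules": [("LAN", "LAN", "Accept")]}
CLIENT = {"name": "client", "peer": "203.0.113.10",
          "red_ip": "10.255.0.2/30", "local_networks": ["192.168.20.0/24"],
          "routes": [{"destination": "192.168.10.0/24", "gateway": "10.255.0.1"}],
          "rules": [("LAN", "LAN", "Accept")]}

if __name__ == "__main__":
    print(check_red_site_to_site(SERVER, CLIENT) or "configuration is consistent")
```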