
Create a site-to-site RED tunnel

Set up a site-to-site RED tunnel between two Sophos Firewall devices without deploying a RED device. In this configuration, one firewall acts as the server and the other as the client.

Objectives

You'll learn to do the following:

  • Add a RED interface on the Firewall RED Server and Firewall RED Client.
  • Add a static route on both firewalls so that internal networks have a route across the RED tunnel.
  • Add a firewall rule on both firewalls for tunnel traffic.

Network diagram

Site-to-site RED tunnel network diagram.

Add a RED interface on the Firewall RED Server

The Firewall RED Server listens for incoming connections, and the Firewall RED Client initiates the outgoing connection. Translating the Firewall RED Server's address may interfere with incoming connections. We recommend that you don't use NAT for the Firewall RED Server.

  1. On the Firewall RED Server, go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and click Add RED.
  3. Configure as follows:

    Setting     | Description                           | Value
    ------------|---------------------------------------|--------------------
    Branch name | RED interface name                    | REDserver
    Type        | RED interface type                    | Firewall RED server
    Tunnel ID   | Tunnel ID setting                     | Automatic
    RED IP      | Firewall RED Server's RED IP address  | 192.100.100.1
    Zone        | RED interface zone                    | LAN
  4. Click Save.

    The firewall generates a provisioning file.

  5. On the RED interface, click Menu and download the provisioning file.

  6. Copy the file to a network location or removable drive that you can access from the Firewall RED Client.

Add a RED interface on the Firewall RED Client

  1. Go to System services > RED and turn on the RED provisioning service.
  2. Go to Network > Interfaces, click Add interface, and click Add RED.
  3. Configure as follows:

    Setting              | Description                                                | Value
    ---------------------|------------------------------------------------------------|--------------------
    Branch name          | RED interface name                                         | REDclient
    Type                 | RED interface type                                         | Firewall RED client
    Firewall IP/hostname | Firewall RED Server's WAN IP address                       | 172.10.10.1
    Provisioning file    | The provisioning file you downloaded from the Firewall RED Server | Click Browse and select the provisioning file you downloaded from the Firewall RED Server.
    RED IP               | Firewall RED Client's RED IP address                       | 192.100.100.2
    Zone                 | RED interface zone                                         | LAN
  4. Click Save.

Add static routes

You must configure static routes on both firewalls so that internal networks have a route across the RED tunnel.

  1. On the Firewall RED Server, go to Routing > Static routes.
  2. Under IPv4 unicast route, click Add.
  3. Configure as follows:

    Setting                  | Description                                  | Value
    -------------------------|----------------------------------------------|-----------------------------------
    Destination IP / Netmask | Firewall RED Client's LAN network and netmask | 192.20.20.0 and /24 (255.255.255.0)
    Gateway                  | Firewall RED Client's RED IP address          | 192.100.100.2

    Note

    ARP requests are sent to identify the interface over which the destination IP address behind the peer RED is reachable. To make sure these requests reach the destination, don't select an interface.

  4. Click Save.

  5. On the Firewall RED Client, go to Routing > Static routes.
  6. Under IPv4 unicast route, click Add.
  7. Configure as follows:

    Setting                  | Description                                  | Value
    -------------------------|----------------------------------------------|-----------------------------------
    Destination IP / Netmask | Firewall RED Server's LAN network and netmask | 192.10.10.0 and /24 (255.255.255.0)
    Gateway                  | Firewall RED Server's RED IP address          | 192.100.100.1

    Note

    ARP requests are sent to identify the interface over which the destination IP address behind the peer RED is reachable. To make sure these requests reach the destination, don't select an interface.

  8. Click Save.
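Before entering the RED IPs and static routes on both firewalls, it helps to check the addressing plan once, because the failures this setup produces (overlapping LANs, RED IPs in different subnets, a route whose gateway is the local rather than the peer RED IP, or a route pinned to an interface) give no error in the GUI and simply leave the tunnel unreachable. The following script is an added example, not Sophos code and not part of this article; it models the two sites and the routes from the tables above and reports each inconsistency. It assumes a /24 for the RED transfer network (the article gives only the two host addresses), and the interface name "Port2" in the deliberately broken plan is a constructed value.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed prefix length for the RED transfer network; the article lists only the two host addresses.
RED_PREFIX = 24


@dataclass
class Site:
    name: str
    lan: ipaddress.IPv4Network        # network behind this firewall
    red_ip: ipaddress.IPv4Address     # this firewall's RED IP (tunnel endpoint address)


@dataclass
class StaticRoute:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: Optional[str] = None   # the article says: leave unset so ARP resolves the interface


def required_route(peer: Site) -> StaticRoute:
    """The route each firewall needs: the peer's LAN via the peer's RED IP."""
    return StaticRoute(destination=peer.lan, gateway=peer.red_ip)


def check_plan(server: Site, client: Site,
               server_routes: List[StaticRoute], client_routes: List[StaticRoute]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    red_net = ipaddress.ip_network(f"{server.red_ip}/{RED_PREFIX}", strict=False)

    # 1. Both tunnel endpoints must sit in one RED subnet and must differ.
    if client.red_ip not in red_net:
        problems.append(f"RED IPs {server.red_ip} and {client.red_ip} are not in one /{RED_PREFIX}")
    if server.red_ip == client.red_ip:
        problems.append("both firewalls use the same RED IP")

    # 2. The two LANs must not overlap each other or the RED subnet, or routing becomes ambiguous.
    if server.lan.overlaps(client.lan):
        problems.append(f"LAN networks {server.lan} and {client.lan} overlap")
    for site in (server, client):
        if site.lan.overlaps(red_net):
            problems.append(f"{site.name}: LAN {site.lan} overlaps RED subnet {red_net}")

    # 3. Each side needs a route to the peer's LAN whose gateway is the peer's RED IP, no interface pinned.
    for local, peer, routes in ((server, client, server_routes), (client, server, client_routes)):
        want = required_route(peer)
        matches = [r for r in routes if r.destination == want.destination]
        if not matches:
            problems.append(f"{local.name}: no static route to {peer.name} LAN {peer.lan}")
        for r in matches:
            if r.gateway != want.gateway:
                problems.append(f"{local.name}: route to {peer.lan} uses gateway {r.gateway}, "
                                f"expected peer RED IP {want.gateway}")
            if r.interface is not None:
                problems.append(f"{local.name}: route to {peer.lan} pins interface {r.interface}; "
                                "leave it unset so ARP can resolve the RED interface")
    return problems


# Constructed values copied from the article's tables.
SERVER = Site("REDserver", ipaddress.IPv4Network("192.10.10.0/24"), ipaddress.IPv4Address("192.100.100.1"))
CLIENT = Site("REDclient", ipaddress.IPv4Network("192.20.20.0/24"), ipaddress.IPv4Address("192.100.100.2"))


def tutorial_plan_problems() -> List[str]:
    """The article's plan: each side routes the peer LAN via the peer RED IP, no interface pinned."""
    return check_plan(SERVER, CLIENT, [required_route(CLIENT)], [required_route(SERVER)])


def misconfigured_plan_problems() -> List[str]:
    """Constructed bad plan: client LAN overlaps the server LAN, and the client's route
    points at its own RED IP and pins a (constructed) interface name."""
    bad_client = Site("REDclient", ipaddress.IPv4Network("192.10.10.128/25"), CLIENT.red_ip)
    wrong_route = StaticRoute(SERVER.lan, bad_client.red_ip, interface="Port2")
    return check_plan(SERVER, bad_client, [required_route(bad_client)], [wrong_route])


if __name__ == "__main__":
    for label, fn in (("article plan", tutorial_plan_problems),
                      ("misconfigured plan", misconfigured_plan_problems)):
        result = fn()
        print(f"{label}: {'OK' if not result else ''}")
        for p in result:
            print("  -", p)
```

Run it as-is to see the article's plan pass and the broken plan produce three findings; substitute your own LAN networks and RED IPs in SERVER and CLIENT to check a real deployment before clicking Save on either firewall.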

Add firewall rule

For traffic to pass between the two firewalls, you must create a LAN-to-LAN or a similar rule on each firewall.

Do as follows on the Firewall RED Server and Firewall RED Client:

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4, click Add firewall rule, and click New firewall rule.
  3. Configure as follows:

    Setting           | Value
    ------------------|-----------
    Rule name         | LAN-to-LAN
    Source zones      | LAN
    Destination zones | LAN
  4. Click Save.

Allow RED services

To allow RED services from the required zones, do as follows:

  1. Go to Administration > Device access.
  2. Under RED, select the zones in which your RED devices are located.

    Tip

    You can also create a Local service ACL exception rule for RED services. See Add local service ACL exception rule.

  3. Click Apply.