GRE Tunnel as SD-WAN Gateway

Hi

I have configured a GRE tunnel between two Sophos Firewalls and it works fine; I am able to ping both GRE tunnel IPs from the other side. I am trying to add the GRE tunnel IP address of the other side as an SD-WAN gateway so I could route traffic by SD-WAN rules instead of GRE routes. But as soon as I add the gateway on one side, the GRE tunnel disconnects.

I have done the same configuration on SFOS 18.5.2 in the past and I'm sure it definitely works.

Regards

Farshid



  • Hello,

    Thank you for reaching out to the community. Please refer to the Routing and NAT for IPsec tunnels.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 



  • Thank you for your answer, but I don't know how this guide helps me with this issue. Maybe I should explain it better.

    I have two firewalls and I want to create a GRE tunnel between them. I used the following commands to create the tunnel:

    Sophos Firewall 1> system gre tunnel add name gre1 local-gw Port2 remote-gw E.F.G.H local-ip 192.168.32.1 remote-ip 192.168.32.2

    Sophos Firewall 2> system gre tunnel add name gre1 local-gw Port2 remote-gw A.B.C.D local-ip 192.168.32.2 remote-ip 192.168.32.1

    The GRE tunnel establishes successfully and I can ping 192.168.32.2 from Sophos Firewall 1 and vice versa.

    The next logical step would be creating GRE routes using the "system gre route" command on both firewalls, but I need to use SD-WAN rules to route traffic between the two sites to have more control and also to have failover ability on GRE tunnels. So I add an SD-WAN gateway from Routing > Gateways.

    As soon as I create this gateway on the firewall, I cannot ping 192.168.32.1 on the same firewall any more. Here is the packet capture result on the same firewall. The ICMP request exits the firewall from the GRE interface with the GRE interface source IP address, but it never reaches the destination.

    As I mentioned in my original post, I have configured the same scenario on another project that had a Sophos Firewall with SFOS 18.5.2 MR2 and it worked successfully.

    Can anyone help me with this issue? 

    Regards

    Farshid

  • Why are you using GRE Tunnels? 

    Use Route Based VPN (Tunnel Interfaces). 


  • We prefer to use GRE for 2 reasons:

    1- Low bandwidth on the WAN link, which causes stability and performance issues over an IPsec tunnel. Also, encryption is not needed.

    2- The HQ firewall also has site-to-site connections with third-party devices and we need a universal method for all site-to-site connections.

  • I am alarmed by your comment.

    I would highly encourage you not to use a GRE tunnel without any kind of encryption over WAN.

    The second point is not clear to me either. What do you mean by that? 


  • We do not need encryption on the tunnel because the application traffic that passes through the tunnel uses encryption and we do not need another layer of encryption.

    By the second part, I mean that we also have site-to-site connections with other BOs that are not using Sophos Firewall as the edge FW/router, and we prefer to use a single method for communicating with other sites. For other branches we use GRE.

  • I would challenge that design decision, but if you want to go through. I did not install a GRE tunnel in 5 years. Found this tech to be old and inflexible.


  • Thanks, I know this is not the optimal solution, but under the circumstances, with GRE we have a better result.