Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 9 replies
  • Answers 2 answers
  • Subscribers 28 subscribers
  • Views 588 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

GRE Tunnel as SD-WAN Gateway

Jasmin Karaji

Hi

I have configured a GRE tunnel between two Sophos Firewalls and it works fine and I am able to ping both GRE tunnel IPs from other side. I am trying to add GRE tunnel IP address of other side as SD-WAN Gateway so I could route traffic by SDWAN rules instead of GRE routes. But as soon as I add gateway in one side, GRE tunnel disconnects.

I have done the same configuration on SFOS 18.5.2 in the past and I'm sure it definitely works.

Regards

Farshid



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to LuCar Toni

    We prefer to use GRE for 2 reasons:

    1- Low bandwidth on WAN link which causes stability and performance issues over IPSEC tunnel. Also encryption is not needed.

    2- HQ firewall also has site to site connection with third party devices and we need a universal method for all site to site connections. 

  • 0 in reply to Jasmin Karaji

    I am alarming by your comment. 

    I would highly encourage you not to use an GRE Tunnel without any kind of Encryption over WAN. 

    The second point is not clear to me either. What do you mean by that? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    We do not need encryption on tunnel because application traffic that passes the tunnel uses encryption and we do not need another layer of encryption.

    By second part, I mean, we also have site to site connections with other BOs that are not using Sophos Firewall as edge FW/Router and we prefer to use a single method for communicating with other sites. For other branches we use GRE.

  • 0 in reply to Jasmin Karaji

    I would challenge that design decision but if you want to go through. I did not install a GRE Tunnel in 5 Years. Found this tech to be old and unflexible. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thanks, I know this is not optimal solution but under circumstances, with GRE we have better result.

Unfiltered HTML