RED Site to Site Routing

Question

I am trying to get a RED Site to Site connection between a UTM (server) and an XG (client) to work. Here is what I have done so far: 
 
 1. RED Zone 
 I defined a RED zone with similar characteristics to the LAN zone. 
 2. RED Interface in XG 
 Defined RED interface, provided provisioning file from UTM and assigned zone as RED. Works like a charm! 
 3. Firewall Rule 
 Added two simple zone rules. RED to LAN and LAN to RED. 
 4. Static Routing 
 This is where I am struggling. In the UTM we defined our rule as gateway under static routing, but I can't seem to find the same in XG. I am guessing that I need to setup a Unicast Route with the desired network on the UTM as the destination and the interface pointing to the RED interface defined above. But what is the gateway? On the UTM the gateway IP points to an interface, but how does this work on the XG? 
 
 Thank you for your feedback! 
 Cheers, 
 Jens

Emile Belcourt · Accepted Answer

Hi Jens, 
 You're right it will be a unicast route and you'd set the source as the net behind the XG and the destination gateway to the RED interface IP of the UTM. On the UTM you'd create a gateway route for the net behind the UTM with the target as the XGs RED interface IP address :) 
 Other than that, what you've said about the rest of your config looks good! 
 Hope that helps you, 
 Emile

lferrara · Answer

Jens, 
 a tcpdump output will help us. Also what is the output of traceroute command? 
 Thanks

Emile Belcourt · Answer

Hi Jens, 
 To do a TCPDump on the XG we will need to use Shell and I will detail what you need to do below :) 
 Firstly we need to make sure SSH access is allowed by going to Administration > Device Access > Enable shell for the zone your device is going to be connecting to it from (i.e. LAN) 
 Next we need an SSH tool like Putty which you can download from here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (you only need putty.exe) 
 Once it's downloaded and SSH is enabled on the XG we will connect to it by running putty and entering the IP of the XG and making sure the XG button is selected. After it is connected you may receive a cert error which you can click yes to and ignore then you will be asked to login. This will be the "admin" (without quotes) login and password when prompted. 
 We will now need to go to advanced shell which is option 5 then option 3. 
 Now we need to do a TCPDump of the communications coming from the UTM network (10.10.a.x) so we can either do it by host IP or grapeshot it with the entire network and I will detail these below which you will need to type in (correcting my missing digits due to obfuscation): 
 tcpdump -veni any host <ipaddress of device you're testing from> 
 tcpdump -veni any net 10.10.a.0/24 
 The first will focus the filter only on the host IP of either the destination/source stream of your test (angle brackets are also removed) and in the second command, once you've replaced a with your missing octet, will filter out and show any packets coming from that network. 
 The results of this will be either: 
 
 Packets are arriving from the host/network and the XG has a bad firewall rule setup 
 Packets aren't arriving from the host/network and there is a problem with the UTMs firewall rules or the tunnel itself 
 
 Hopefully it's the first because that's easier to diagnose :) 
 Looking forward to your response! 
 Emile

JensStraten · Answer

It turns out that the XG doesn't support tunnel compression. So, once I turned that off, it started working. :) 
 Now, I just need to figure out why the WAN interface cannot do the DHCP renewal... 
 A big thank you to Luk for all his help on this one! 
 Cheers, 
 Jens