
How do I set up an XG to XG RED interface with version 16

I currently have 11 remote sites with XG210s connected back to a XG430 at our primary data center.

They all run version 15 SFOS.

I have a second XG430 at my data center that I have upgraded to ver 16 and I want to try setting up a RED tunnel between it and a new XG115w firewall. This new XG115w will be going to a remote office that resides in a shared Regus office space. Here we currently have internet, but it sits behind a NAT device. I cannot seem to set up my traditional IPsec/GRE tunnels like I did for all my other locations due to this NAT device we must go through.

I want to try out the RED tunnel between my new XG115 (ver16) and my second XG430 (ver16) firewall.

I am trying to understand how RED works in general and all I seem to find are posts with people using the UTM devices to setup RED tunnels OR RED devices connections.

I need help setting up RED tunnels between two XG firewalls.



This thread was automatically locked due to age.
  • John,

    1. Make sure that the proper ports are open (I do not know which ports are used; use drop-packet capture to see which ports are blocked!)
    2. On one XG add the RED interface under the network interfaces and give it, for example, 192.168.10.10/24 or a network that is not yet used
    3. Download the provisioning file from point 2
    4. On the other XG add the RED interface and import the provisioning file from point 3
    5. Add the public XG server IP in the field Firewall IP/Hostname
    6. Set another IP in the same network (point 1) as the RED IP (for example 192.168.10.11/24)
    7. Add the proper LAN to LAN firewall rule to allow traffic
    8. Create a unicast route from Routing Options where the destination network is the remote LAN (not 192.168.10.10 but the internal network); the gateway is 192.168.10.20 on the XG server and 192.168.10.10 on the XG client; the RED interface is 192.168.10.10 on the RED server and 192.168.10.20 on the RED client

    Regards,

  • Thank you for the quick reply, I always get so much faster replies in these forums than the main support, but I digress...

    I have some questions.

    Just to make sure I understand some basics here, when I enabled the RED services, I had to complete 4 fields: Organization Name, City, Country, Email

    Is there anything to plan ahead with these fields that is important down the road with RED?

    Do they have to be unique?  What if I have two offices in the same City, would that matter or do I need to somehow make them different?

    What is actually happening when I enter this info and apply it?  Does this "register" the service with a centralized service at Sophos?  If I use my email address, am I supposed to get something when I apply these changes?

    The only documents I have found all pertain to UTM and they are just different enough that they do not seem to help me.

    I did get it to work!  Thank you!  However, I want to make sure I understand some of the finer points since I want to do this with ALL 11 of my remote locations.

    Ok, so back to what you told me:

    1. Make sure that the proper ports are open (I do not know which ports are used; use drop-packet capture to see which ports are blocked!)
      1. These are TCP/UDP ports 3400 and I think 3410; they are open and seem to be fine, at least when I enabled RED it worked...
    2. On one XG add the RED interface under the network interfaces and give it, for example, 192.168.10.10/24 or a network that is not yet used
      1. I set up my XG430 firewall to be the central hub for all sites and I selected "Firewall RED server"
      2. I left tunnel ID to AUTO and it chose 1
      3. I gave it an IP address of 192.168.100.1
      4. Should I enable Tunnel Compression? What does it do?
    3. Download the provisioning file from point 2
      1. I just found where this was located to download and got it
      2. Will I use this same provisioning file for all of my new Firewall Clients as I set them up?
    4. On the other XG add the RED interface and import the provisioning file from point 3
      1. I set up my XG115w firewall for a remote office and I selected "Firewall RED client"
      2. I left tunnel ID to AUTO and it chose 1
    5. Add the public XG server IP in the field Firewall IP/Hostname
      1. I added the public IP address of my XG430 hub firewall
    6. Set another IP in the same network (point 1) as the RED IP (for example 192.168.10.11/24)
      1. I gave it an IP address of 192.168.100.1
    7. Add the proper LAN to LAN firewall rule to allow traffic
      1. I added this rule, but I did not see any traffic on it and removed it; I can still ping subnets on the central side of my network
    8. Create a unicast route from Routing Options where the destination network is the remote LAN (not 192.168.10.10 but the internal network); the gateway is 192.168.10.20 on the XG server and 192.168.10.10 on the XG client; the RED interface is 192.168.10.10 on the RED server and 192.168.10.20 on the RED client
      1. I added routes on my client firewall for two large catch-all subnets, I used 192.168.100.1 as my gateway and I selected the reds1 interface; this all seems to work so far

    So, based on this setup, if I add more remote office XG firewalls, I just repeat the client side setup like I did here, right?

    Also, if I have two possible XG430 firewalls to connect to, is it just a matter of building a second RED interface at each remote firewall and setting up appropriate routes?

    Can I enable OSPF routing protocol at a point and will these interfaces participate in building a route table?

    Thanks again for your help!

  • So I am super late to the game on this response!

    But I noticed that on item number 2 subpoint C and on item number 6 subpoint A you listed the same IP address. Either that is a typo, or you actually need to change them.

    I think they need to be on the same subnet but not the same addresses.
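The eight-step procedure above and the last reply's catch (the same RED IP entered on both ends) boil down to an addressing and routing plan that is easy to get wrong by hand across 11 sites. The following is an added example, not code from the thread or from Sophos: it allocates a tunnel ID and a transfer subnet per branch, emits the unicast routes each side needs (destination is the LAN behind the peer, gateway is the peer's RED IP, interface is the local reds interface), and validates the plan, rejecting duplicate endpoint IPs, endpoints outside their transfer net, reused tunnel IDs, and overlapping subnets. It generalizes the thread's single-site walkthrough to any number of sites and any transfer-net size (the thread used a /24; a /30 is enough). All site names, subnets and the 172.31.0.0/16 pool are constructed assumptions; the reds<N> interface name follows the reds1 the thread reports for tunnel ID 1.

```python
"""Plan and sanity-check XG-to-XG RED site-to-site tunnels (added example).

Models the procedure from the thread: one RED interface per branch, a
transfer subnet shared by the two RED IPs, and unicast routes on each side
whose gateway is the peer's RED IP. check() also catches the mistake the
last reply points out, the same IP configured on both ends. All site names,
subnets and masks below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class RedTunnel:
    site: str
    tunnel_id: int
    transfer: ipaddress.IPv4Network    # subnet shared by both RED interfaces
    server_ip: ipaddress.IPv4Address   # "Firewall RED server" (hub) end
    client_ip: ipaddress.IPv4Address   # "Firewall RED client" (branch) end
    remote_lan: ipaddress.IPv4Network  # LAN behind the client

    def __post_init__(self):
        # Accept plain strings as well as ipaddress objects.
        self.transfer = ipaddress.ip_network(self.transfer)
        self.server_ip = ipaddress.ip_address(self.server_ip)
        self.client_ip = ipaddress.ip_address(self.client_ip)
        self.remote_lan = ipaddress.ip_network(self.remote_lan)

    @property
    def iface(self):
        # Interface name follows the tunnel ID, as the thread's reds1 does.
        return f"reds{self.tunnel_id}"


def plan_tunnels(sites, pool="172.31.0.0/16", prefix=30):
    """Allocate a tunnel ID and a transfer subnet from `pool` for each site.

    The thread used a /24 per tunnel; a /30 is enough for two endpoints,
    and `prefix` lets you use either. Server takes the first host, client
    the second, so no two sites ever share a transfer net or an address.
    """
    subnets = ipaddress.ip_network(pool).subnets(new_prefix=prefix)
    tunnels = []
    for tid, (site, lan) in enumerate(sorted(sites.items()), start=1):
        net = next(subnets)
        first, second = list(net.hosts())[:2]
        tunnels.append(RedTunnel(site, tid, net, first, second, lan))
    return tunnels


def unicast_routes(tunnel, hub_lans):
    """Static routes each side needs, as (destination, gateway, interface).

    Destination is the LAN behind the peer, never the transfer net itself
    (that one is directly connected); gateway is the peer's RED IP.
    """
    t = tunnel
    server = [(str(t.remote_lan), str(t.client_ip), t.iface)]
    client = [(str(ipaddress.ip_network(lan)), str(t.server_ip), t.iface)
              for lan in hub_lans]
    return {"server": server, "client": client}


def check(tunnels, hub_lans):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ids = [t.tunnel_id for t in tunnels]
    for t in tunnels:
        if ids.count(t.tunnel_id) > 1:
            problems.append(f"{t.site}: tunnel ID {t.tunnel_id} is reused")
        if t.server_ip == t.client_ip:   # the mistake flagged in the thread
            problems.append(f"{t.site}: both RED ends use {t.server_ip}")
        for ip in (t.server_ip, t.client_ip):
            if ip not in t.transfer:
                problems.append(f"{t.site}: {ip} is outside {t.transfer}")
    # Transfer nets, hub LANs and branch LANs must all be disjoint, or the
    # unicast routes above will shadow each other.
    named = [("hub LAN", ipaddress.ip_network(lan)) for lan in hub_lans]
    for t in tunnels:
        named += [(f"{t.site} LAN", t.remote_lan),
                  (f"{t.site} transfer", t.transfer)]
    for i, (la, a) in enumerate(named):
        for lb, b in named[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{la} {a} overlaps {lb} {b}")
    return problems


if __name__ == "__main__":
    # Constructed hub-and-spoke: one hub LAN plus two branches (assumed values).
    hub_lans = ["10.0.0.0/16"]
    sites = {"regus": "10.11.0.0/24", "site02": "10.12.0.0/24"}
    plan = plan_tunnels(sites)
    print("problems:", check(plan, hub_lans) or "none")
    for t in plan:
        print(f"{t.site}: {t.iface} server {t.server_ip} client {t.client_ip}")
        for side, routes in unicast_routes(t, hub_lans).items():
            for dest, gw, iface in routes:
                print(f"  {side}: {dest} via {gw} on {iface}")
    # The slip the last reply points out: the same IP on both ends.
    bad = RedTunnel("regus", 1, "192.168.100.0/24",
                    "192.168.100.1", "192.168.100.1", "10.11.0.0/24")
    print(check([bad], hub_lans))
```

Run it once per planned rollout and copy the printed server and client addresses and routes into the two firewalls; rerun `check()` whenever a site is added. Transport reachability is a separate concern the script does not model: the RED client initiates the connection, so only the hub end has to accept inbound TCP 3400 and UDP 3410, which is why a branch behind a NAT it does not control (the Regus case in the thread) works where IPsec/GRE did not.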