How do I setup multiple site-to-site RED tunnels

I have one XG430 at my data center.

I have 11 remote XG210 and 1 XG115w firewalls at remote offices.

Currently we use IPSEC/GRE tunnels and static routing to connect and route traffic between sites.

I have one site setup (remote XG115w) that uses a RED tunnel to my XG430 at my data center.

I want to change from my IPSEC/GRE tunnels to RED tunnels at all my locations.

When I tried to add a second RED client (XG210 in Los Angeles) to my existing RED server (XG430 in Kansas City) at my data center, my first RED client (XG115w in Orlando) loses its connection while the new client tries to connect.  From the logs, it seems that the two RED clients are conflicting when they are both trying to connect.

I feel like I am missing something fundamental in all of this.  I have only used XG firewalls, so I have no history with the UTM series of devices and that seems to be all the information I can find when it comes to setting up RED tunnels in a site to site setup.

Can I even do this?  I was hoping I can setup multiple XG210/115 firewalls to connect back to one single XG430 firewall at data center.  I thought I would be able to setup one server with many clients and just make sure the server and each client use a unique IP address in the same LAN subnet.  In my case I am using 192.168.50.0/24.  My RED server is 192.168.50.1 and my clients will each use a different IP address.

Can someone help explain what I am doing wrong?  Is this just not how it works?  Will I need to setup multiple RED servers at the data center XG430 firewall?  One for each remote client?  If so, does that mean I have to use a different IP address for each end of this setup like I do for my GRE tunnels (which sucks).

Thanks!



  • John,

    you can have multiple REDs connecting back to one XG without any problem (the datasheet lists a recommended number of RED devices per XG model).

    The best thing is to have each remote network location use a different network IP/mask, so you do not need to create a bridge and add more confusion.

    Please share the RED logs and what you have created on XG 430 so we are able to help you.

    Regards

  •  

    Just to make sure I am clear, I am not connecting RED devices back to my XG firewall, I am trying to connect XG firewall to XG firewall with RED tunnels.

    Each remote site has a unique local subnet for all devices.  I thought the RED tunnels would all be part of one common WAN subnet that I can use for routing between sites.  We had a setup like that with our old Cisco 800 routers connecting back to a single Cisco 2850 router using DMVPN tunnels.  Each router had a specific IP address, but they were all part of the same subnet or range of IPs.

    Also, we are running SFOS 16.01.2 on all firewalls.

    Here is what I have setup on my XG430 at my data center:

    Here is the RED setup on the one firewall that does work:

    This XG firewall also has a RED connection to a firewall in my Tampa office so I can route traffic directly to them via that path:

    So, I CAN do multiple RED client tunnels from one XG firewall, but each of those RED tunnels uses a different IP subnet.

    Here is sample of the log on my XG430 at my data center when I had added a second RED tunnel from my office in Los Angeles:

  • Here is what I was adding in my Los Angeles firewall that would cause the issues (this is not currently setup, I removed it when I was seeing the conflict):

  • Here is how I got it all to work with RED interfaces.

    I had to design 12 small subnets (29 bit, it won't let you go smaller, not sure why), one for each remote office that is a spoke of the hub at my data center.

    I used 192.168.10.x with a 255.255.255.248 (29 bit) mask.  That gave me 32 subnets I can use for these links.

    I plan on using 192.168.20.x with a 255.255.255.248 (29 bit) mask for a second RED interface from each remote XG firewall to a second XG 430 at a second data center.  Then I hope to set up something like OSPF to handle routing, or at least split my static routes or something.

    I plan to use other subnets like 192.168.30.x/255.255.255.248 to create some remote site to remote site links for offices that do a lot of work with other offices.

    In each subnet you use one IP address for the server side of the connection and a different one for the client side of the connection.  Once I had the RED interfaces connected, I pinged from each side to the other to verify the flow.  Then I updated my static routes and changed them from using my IPSEC path to using the new RED path.  Once I had all of the paths working, I removed ALL IPSEC and GRE connections.  Seems to be working OK for now.

    Even though both methods, IPSEC/GRE and RED, require a bunch of small subnets for each connection, the RED tunnels were easier to set up, as they work great with client firewalls behind a NATed connection like we have in one of our offices.  All other sites have business grade internet connections with static IPs.

    It is easier to see the status of the RED connections since they have a notice on the main dashboard when you connect to the XG firewall; that is a nice improvement.

    I am going to leave this post open for any questions or other feedback from anyone that has done something like this.  I am still very new to how this works with Sophos, and Sophos lacks any good documentation for their latest releases.  Even the professional support guy I talked to referred me to a UTM document about setting this stuff up.  It is close, but still different since their interfaces are so different.
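    The hub-and-spoke plan described in the post above (one /29 transit subnet per remote office carved out of 192.168.10.0/24, one address for the RED server side and one for the client side, then static routes to each remote LAN via the tunnel) can be laid out and sanity-checked with a short script before touching the firewalls. The following is an added example, not the poster's configuration or any Sophos tool: the spoke names and remote LAN ranges are constructed sample values, the choice of the first usable host for the hub and the second for the spoke is an assumption, and the route lists are plain (destination, next-hop) pairs rather than any XG syntax.

```python
import ipaddress
from itertools import combinations

# From the post: the transit block and the /29 per-link mask.
TRANSIT_BLOCK = ipaddress.ip_network("192.168.10.0/24")
TRANSIT_PREFIX = 29

# Constructed sample spokes (assumed LAN ranges, not from the thread).
SAMPLE_SPOKES = {
    "orlando":     ipaddress.ip_network("10.1.0.0/24"),
    "los_angeles": ipaddress.ip_network("10.2.0.0/24"),
    "tampa":       ipaddress.ip_network("10.3.0.0/24"),
}
# Constructed sample hub (data center) LAN.
SAMPLE_HUB_LAN = ipaddress.ip_network("10.0.0.0/16")


def transit_subnets(block=TRANSIT_BLOCK, prefix=TRANSIT_PREFIX):
    """All /29 link subnets available inside the transit block (32 for a /24)."""
    return list(block.subnets(new_prefix=prefix))


def plan_links(spokes, block=TRANSIT_BLOCK, prefix=TRANSIT_PREFIX):
    """Assign one transit /29 per spoke.

    Assumption: hub (RED server) takes the first usable host of each /29,
    spoke (RED client) takes the second. Any two distinct hosts in the
    /29 would do; the point is that each link is its own subnet.
    """
    subnets = transit_subnets(block, prefix)
    if len(spokes) > len(subnets):
        raise ValueError(f"{len(spokes)} spokes but only {len(subnets)} /{prefix} links")
    plan = {}
    for (name, lan), net in zip(spokes.items(), subnets):
        hosts = list(net.hosts())          # .1 .. .6 for a /29
        plan[name] = {
            "transit": net,
            "hub_ip": hosts[0],
            "spoke_ip": hosts[1],
            "lan": lan,
        }
    return plan


def find_overlaps(plan, hub_lan):
    """Return pairs of networks that overlap.

    Covers the advice in the thread that every site LAN must be distinct,
    and also catches a site LAN colliding with a transit /29.
    """
    named = [("hub_lan", hub_lan)]
    for name, link in plan.items():
        named.append((f"{name}_lan", link["lan"]))
        named.append((f"{name}_transit", link["transit"]))
    return [(a, b) for (a, na), (b, nb) in combinations(named, 2) if na.overlaps(nb)]


def hub_static_routes(plan):
    """Hub side: each remote LAN is reached via that spoke's tunnel address."""
    return [(str(link["lan"]), str(link["spoke_ip"])) for link in plan.values()]


def spoke_static_routes(plan, name, hub_lan):
    """Spoke side: hub LAN and every other spoke's LAN go via the hub's
    address on this spoke's own transit /29 (spoke-to-spoke via the hub)."""
    via = str(plan[name]["hub_ip"])
    routes = [(str(hub_lan), via)]
    routes += [(str(link["lan"]), via) for other, link in plan.items() if other != name]
    return routes


if __name__ == "__main__":
    links = plan_links(SAMPLE_SPOKES)
    for site, link in links.items():
        print(f"{site:12} {link['transit']}  hub={link['hub_ip']}  spoke={link['spoke_ip']}")
    print("overlaps:", find_overlaps(links, SAMPLE_HUB_LAN))
    print("hub routes:", hub_static_routes(links))
    print("orlando routes:", spoke_static_routes(links, "orlando", SAMPLE_HUB_LAN))
```

    Running it prints the per-spoke transit subnets (192.168.10.0/29, 192.168.10.8/29, ...), an empty overlap list for the sample values, and the static routes each side needs. Changing a sample LAN to something that collides with 192.168.10.0/24 makes find_overlaps report the pair, which is the check worth running before the tunnels come up.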

  •    No one has answered this, please help us. I need to connect all my branch offices to the main office, so I need one RED server in the main office and all other branches as clients. Can someone help with this please?