
How do I setup multiple site-to-site RED tunnels

I have one XG430 at my data center.

I have 11 remote XG210 and 1 XG115w firewalls at remote offices.

Currently we use IPSEC/GRE tunnels and static routing to connect and route traffic between sites.

I have one site setup (remote XG115w) that uses a RED tunnel to my XG430 at my data center.

I want to change from my IPSEC/GRE tunnels to RED tunnels at all my locations.

When I tried to add a second RED client (XG210 in Los Angeles) to my existing RED server (XG430 in Kansas City) at my data center, my first RED client (XG115w in Orlando) loses its connection while the new client tries to connect.  From the logs, it seems that the two RED clients are conflicting when they are both trying to connect.

I feel like I am missing something fundamental in all of this.  I have only used XG firewalls, so I have no history with the UTM series of devices and that seems to be all the information I can find when it comes to setting up RED tunnels in a site to site setup.

Can I even do this?  I was hoping I can set up multiple XG210/115 firewalls to connect back to one single XG430 firewall at the data center.  I thought I would be able to set up one server with many clients and just make sure the server and each client use a unique IP address in the same LAN subnet.  In my case I am using 192.168.50.0/24.  My RED server is 192.168.50.1 and my clients will each use a different IP address.

Can someone help explain what I am doing wrong?  Is this just not how it works?  Will I need to set up multiple RED servers at the data center XG430 firewall?  One for each remote client?  If so, does that mean I have to use a different IP address for each end of this setup like I do for my GRE tunnels (which sucks)?

Thanks!



  • Here is how I got it all to work with RED interfaces.


    I had to design 12 small subnets (29-bit, it won't let you go smaller, not sure why), one for each remote office that is a spoke of the hub at my data center.

    I used 192.168.10.x with a 255.255.255.248 (29-bit) mask.  That gave me 32 subnets I can use for these links.

    I plan on using 192.168.20.x with a 255.255.255.248 (29-bit) mask for second RED interfaces from each remote XG firewall to a second XG 430 at a second data center.  Then I hope to set up something like OSPF to handle routing, or at least split my static routes or something.

    I plan to use other subnets like 192.168.30.x/255.255.255.248 to create some remote site to remote site links for offices that do a lot of work with other offices.

    In each subnet you use one IP address for the server side of the connection and a different one for the client side of the connection.  Once I had the RED interfaces connected, I pinged from each side to the other to verify the flow.  Then I updated my static routes and changed them from using my IPSEC path to use the new RED path.  Once I had all of the paths working, I removed ALL IPSEC and GRE connections.  Seems to be working OK for now.

    Even though both methods, IPSEC/GRE and RED, require a bunch of small subnets for each connection, the RED tunnels were easier to set up, and they work great with client firewalls behind a NATed connection like we have in one of our offices.  All other sites have business grade internet connections with static IPs.

    It is easier to see the status of the RED connections since they have a notice on the main dashboard when you connect to the XG firewall; that is a nice improvement.

    I am going to leave this post open for any questions or other feedback from anyone that has done something like this.  I am still very new to how this works with Sophos, and Sophos lacks any good documentation for their latest version of releases.  Even the professional support guy I talked to referred me to a UTM document about setting this stuff up.  It is close, but still different since their interfaces are so different.
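The addressing scheme in the answer above (one dedicated /29 transit subnet per spoke, one address for the RED server side and one for the client side, then static routes over each link) can be planned and sanity-checked before touching the firewalls. The Python script below is an added example and is not the poster's code or a Sophos tool: it carves 192.168.10.0/24 into /29 links exactly as described, assigns the hub and each of the 12 spokes an address on their own link, derives the static routes each side needs, and flags any two spokes that share a link subnet, which is the configuration the original question ran into. The spoke names (other than Orlando and Los Angeles), the LAN ranges behind each site and the first-host/second-host assignment are assumptions for illustration, not from the thread.

```python
import ipaddress
from itertools import combinations

# Constructed inputs (not from the thread): the hub and twelve spokes.
# Orlando (XG115w) and Los Angeles (XG210) are named in the thread; the other
# site names are placeholders.
HUB = "XG430-KansasCity"
SPOKES = ["Orlando-XG115w", "LosAngeles-XG210"] + [
    f"Site{n:02d}-XG210" for n in range(3, 13)
]

# Assumed LAN behind each site (placeholders; the thread does not list them).
HUB_LAN = ipaddress.ip_network("10.0.0.0/16")
SPOKE_LANS = [ipaddress.ip_network(f"10.{n}.0.0/16") for n in range(1, 13)]


def carve_links(supernet, prefixlen=29):
    """Split the transit range into point-to-point link subnets.
    /29 is the smallest the poster could configure on the XG; a /24 yields 32 of them."""
    return list(ipaddress.ip_network(supernet).subnets(new_prefix=prefixlen))


def plan_red_links(supernet, spokes, spoke_lans):
    """Give every spoke its own link subnet. Convention assumed here: first usable
    host is the RED server (hub) address, second usable host is the RED client."""
    links = carve_links(supernet)
    if len(spokes) > len(links):
        raise ValueError(f"{len(spokes)} spokes but only {len(links)} link subnets")
    plan = []
    for link, spoke, lan in zip(links, spokes, spoke_lans):
        hosts = list(link.hosts())  # a /29 has 6 usable addresses
        plan.append({
            "spoke": spoke,
            "link": link,
            "server_ip": hosts[0],
            "client_ip": hosts[1],
            "spoke_lan": lan,
        })
    return plan


def static_routes(plan, hub_lan):
    """Routes each side needs once the tunnel is up (replacing the IPSEC/GRE routes):
    hub -> spoke LAN via the client's RED address; spoke -> hub LAN via the server's."""
    hub_routes = [(e["spoke_lan"], e["client_ip"]) for e in plan]
    spoke_routes = {e["spoke"]: [(hub_lan, e["server_ip"])] for e in plan}
    return hub_routes, spoke_routes


def overlapping_links(networks):
    """Return every pair of link subnets that overlap. A non-empty result is the
    situation from the question: two RED clients sharing one subnet on the server."""
    return [(a, b) for a, b in combinations(networks, 2) if a.overlaps(b)]


if __name__ == "__main__":
    plan = plan_red_links("192.168.10.0/24", SPOKES, SPOKE_LANS)
    clashes = overlapping_links([e["link"] for e in plan])
    if clashes:
        raise SystemExit(f"link subnets overlap: {clashes}")
    hub_routes, spoke_routes = static_routes(plan, HUB_LAN)
    for e in plan:
        print(f"{e['spoke']:<18} link {e['link']!s:<18} "
              f"server {e['server_ip']}  client {e['client_ip']}")
    print(f"{HUB} static routes:")
    for dest, via in hub_routes:
        print(f"  {dest} via {via}")
```

Running it prints the per-spoke link table and the hub's route list; the second transit range the poster mentions (192.168.20.x for the second data center) is just a second call to `plan_red_links` with that supernet, and the overlap check would also catch a /29 accidentally reused between the two ranges if both plans' links are passed to it together.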
