
Pros/Cons of RED site-to-site tunnel and encryption

I just configured a RED tunnel to replace an IPsec tunnel between two XG boxes. Everything works fine, but I am left with a couple of questions:

1. What are the advantages of the RED tunnel in comparison to IPsec?

  - One advantage I have found: it is easier to add routes without the need to take the tunnel down and/or reconfigure the tunnel itself.

2. What are the negatives compared to IPsec?

3. Which method provides better throughput in general?

4. What encryption method does the RED tunnel utilize?

    Hi Zane,

    I will try to answer some of these. As with anything, the use of RED or IPsec will depend on what you need to do. I personally love RED tunnels and will use them whenever I can. To me they are simpler to deploy, and since the firewall sees it as an interface, it's easier to set up routing/gateways/etc.

    Answers:

    1. Simple to configure. Simple to set up routing and gateways as it's an interface in the firewall. Since it's essentially an SSL tunnel, it can connect through multiple NAT devices.

    2. The firewall can't terminate as many RED tunnels as it can IPsec. RED is only a Sophos implementation, so you can't use it for 3rd-party vendors like you can with standard IPsec.

    3. I cannot validate it, but I have been told repeatedly that it performs faster than IPsec. I don't necessarily believe it, but I have no data to stand on. I just assume the performance penalty regardless of IPsec or RED.

    4. AES256

    One scenario I use it for is remote site termination to an Azure XG firewall. Don't have to deal with any of the Azure IPsec stuff and it just works. We also tend to deploy UTM appliances at branches (have been bitten with some RED appliance issues in the past) and we will utilize a RED tunnel back to HQ. We then set up that RED tunnel as the primary gateway, forcing all traffic through to HQ. We have the actual ISP connection on those remote UTMs for failover if needed.

    I'd love to hear feedback from others as well.

    Thanks,

    John