Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 27 subscribers
  • Views 10049 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Gre Tunnel between Sophos XG's

ReinoutNL

Hi,

 

I've followed the reference documentation https://community.sophos.com/kb/en-us/123290, https://community.sophos.com/kb/en-us/123291/ I'm new to GRE tunnels but i understand the use of them.

 

In the scenario according to the documentation you have a branch office and a main office. I have a S2S ipsec connection (ikev2), and it's working.

Now i want to broadcast information across the vpn bidirectionaly for those subnets for services running in either network. So they can consume it from my network or me from them.

I'm a little confused about:

Step 1: Create an IPsec VPN Tunnel

 

In the IPsec configuration: Make sure that the WAN IP of the Head Office's Sophos Firewall is included in the Trusted Local Subnet on the Head Office side and the Trusted Remote Subnet on the Branch Office side. Then make sure that the WAN IP of Branch Office Sophos Firewall is included in the Trusted Local Subnet on the Branch Office side and the Trusted Remote Subnet on the Head Office side.

I'm guessing this is so when you setup the GRE tunnel it won't go to the public path but will force the traffic over the IPSEC tunnel? In my scenario the main office has a dedicated public IP directly on the Sophos XG but the branche office is behind a router and doesn't really have a Public IP. it's got a internal static IP for WAN and LAN. So how does this impact my GRE setup? Do i add the internal IP of my IPSEC in the branch office as the destination? (the branch office is offcourse a home network, and has a dynamic IP)

Can somebody help me through my first GRE tunnel experience :)

Regards,

 

Reinout Pennings

 



This thread was automatically locked due to age.
Parents
  • 0

    Hello Reinout,

    We're doing this (albeit with some issues of our own), so I can give you a break down of what you need in your vpn config. in our case I have a gre tunnel I setup via the cli between our Sophos XG and a Cisco Router.  I tested that first to make sure it worked without ipsec.

     

    Then we move on to ipsec.

     

    So basically in the vpn setup , you can try the following

    Local Networks

    1.)   The LAN Segment definition that your Sophos is protecting (ie.  "LAN" (192.168.20.X/24)

    2.)  WAN/OUTSIDE IP of your local Sophos (X.X.X.X/32)  

    3.) IP of GRE TUNNEL Sophos side Endpoint (X.X.X.X/32)

     

    Remote Networks

    1.) WAN IP of your Remote Device(other sophos or cisco) (X.X.X.X/32)  

    2.) IP address of Other end of GRE Tunnel(remote end)(X.X.X.X/32)  

    3.) Remote Subnets that you need to talk to (10.10.80.0/24) 

     

    You shouldn't need to add an GRE routes or IPSEC routes via the CLI (just setup the GRE Tunnel from CLI and that is it)

     

    I hope this helps.

     

    -Scott

     

     

     

     

     

  • 0 in reply to Scott_D_L

    oops sorry, just missed the sentence in your original post where you said the Sophos is behind another router.  Im not sure if a gre tunnel other than from sophos<-->sophos/device  is supported.

     

    -Scott

  • 0 in reply to Scott_D_L

    Hi Scott,

    It is xg to xg so i’ll set it up as you said. No extra routes

Reply Children
  • 0 in reply to ReinoutNL

    I tried setting it up.

     

    Sophos XG --> Router (forwards traffic) --> Sophos XG just the tunnel. Is there a way to validate the tunnel?

     

    Regards,

     

    Reinout Pennings

  • 0 in reply to ReinoutNL

    Hi had a idea about the gre tunnel and NAT.

     

    so you have to make sure the public endpoints are in the local network of the ipsec tunnel so the gre tunnel wil automaticly route its traffic via the ipsec. So on one end i have a xg directly attached to the public with no router in between it.

    At the other location (second home) i have a router in between it doing port forwarding for ipsec. so the sophos xg has a WAN interface with a internal ip. If i'd create a alias on the wan port for say a internal ip on my end and another on the first home location wouldn't that act as a loopback ip address and automaticly route the traffic over the ipsec anyway?

     

    Regards,

     

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?