This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Site-to-Site RED tunnel not working

Hi,

I'm having the hardest time setting up a Site-to-Site RED tunnel between two SG230 appliances.

I'm trying to establish a tunnel between our main site (subnet 10.0.0.0/16) and our remote site (subnet 10.3.0.0/16).

I was following the steps from the tutotial located at

https://community.sophos.com/kb/en-us/120157

and was able to get the RED-tunnel up.

However, setting the static routes as described in the howto does not work unfortunately, no traffic seems to pass between both UTMs.

I've defined the reds2 Interface on the main site UTM with the ip adress 192.168.200.1 (We have another RED tunnel to a RED15 appliance at another branch Office, which is why the server Interface is named reds2) and the redc1 Interface on the remote site with the ip adress 192.168.200.2.

At this Point, shouldn't I be able to ping both RED endpoints from either UTM? At the Moment, I'm unable to get any pings across.

Any help would be appreciated!

Dominik



This thread was automatically locked due to age.
Parents
  • Hi Dominik,

    To my knowledge, once a tunnel is setup, traffic between two UTMs becomes purely a matter of routing and firewall rules. Can you verify that you configured RED (Network) in the Gateway route definition instead of RED (Address).

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    thanks for answering!

    I'm pretty sure it had something to do with routing, but I couldn't get it to work.

    I decided to scratch the RED setup and instead, went ahead and established a SSL-VPN Site-to-Site tunnel...lo and behold, everything worked right from the get-go.

    So I couldn't solve the original problem, but since Sohps UTM is crazy flexible you usually find a solution that works [:)]

    Thanks anyway!

  • Hi Dowagner,

    I've set up an ungodly amount of UTM to UTM RED tunnels in my time and i love them to bits except for sometimes the static routing can be a pain to do.

    Set the interface IPs of the UTMs virtual RED interfaces like as follows (with whatever IP you want but following this design):

    • UTM1 reds# has IP 10.254.254.1/30
    • UTM2 redc# has IP 10.254.254.2/30

    Then basically you have to make sure you set a static route for all remote networks like as follows:

    • On UTM1 set a static gateway route for all subnets behind UTM2 with the gateway target of 10.254.254.2
    • On UTM2 set a static gateway route for all subnets behind UTM1 with the gateway target of 10.254.254.1

    Then I make two firewall rules on both UTMs of which are:

    • All remote subnets allow any to all local subnets
    • all local subnets allow any to all remote subnets

    I have followed the method above for all my UTM to UTM RED tunnels I have never had a problem. The main problems people have are:

    • They haven't created the RED interfaces yet
    • Incorrect IP configuration for the reds/c interfaces resulting in a subnet mismatch/overlap
    • No static routes or static routes are incorrectly configured
    • No firewall rules allowing a connection being initiated to and from the two UTMs

    Additionally, the Any Service does not include ICMP pings, you will have to make sure you allow ping forwards in the Network Protection > Firewall > ICMP tab. Or add the ICMP service to your firewall rule.

    SSL VPN & IPSEC tunnels are nice and easy because it does all the virtual interfaces and IP addressing and static routing for you, with the RED UTM to UTM tunnels you have to do it all manually. But I've the RED tunnels to be up to 40% faster than IPSEC!

    Emile

  • Hi Emile,

    i followed exactly step by step your guide... Doesnt work...

    Site 1 - UTM at work (reds15 iface IP 10.30.1.1/30)

    Site 2 - UTM at home (redc15 iface IP 10.30.1.2/30)

     

    Site 1 one of LANs behind 10.10.1.0/24

    Site 2 LAN behind 192.168.6.0/24

     

    Static routing Site 1 - 192.168.6.0/24 - Gateway 10.30.1.2

    Static routing Site 2 - 10.10.1.0/24 - GW 10.30.1.1

     

    Firewall Site 1 - Site 2 subnet --any-- LAN 10.10.1.0/24 allow

    Firewall Site 2 - Site 1 subnet --any-- LAN 192.168.6.0/24 allow

    (also tested to add RED network into FW rule, same result)

     

    ICMP and PING allowed on both sites

     

    From UTM Tools at Site 2 im able to ping everything i want, including server in 10.10.1.0 subnet and also red interface 10.30.1.1

    From UTM Site 1 it is the same

     

    From client behind UTM Site 2 im able to ping only local red iface 10.30.1.2, nothing else

    From client behiind UTM Site 1 im able to ping only local red iface 10.30.1.1 but not remote 10.30.1.2 or any client...

    I think that RED interfaces should be normally pingable as they should act as directly connected...

    Nothing found in firewall log

    Where the hell can be problem?

     

    Thank you

  • Hi Vikino,

    That is really odd, could you provide the following screenshots from both UTMs:

    • Screenshot of RED Interfaces
    • Screenshot of Static Routes
    • Screenshot of Firewall Rules

    That would be fab, thanks.

    Emile

  • Site 1 acting as RED server:

    Site 2 client:

Reply Children
  • Hi Vikino,

    It looks like you are missing two firewall rules, do you have the two firewall rules:

    • Allowing LAN to Semily RED on Site 2
    • Red Semily to vitek_subnet2 on site1?

    Whats happening here is you're allowing the incoming traffic at each site but you're not actually allowing the initiating traffic which is behind the UTM, so a device in site2 could receive data from site 1, but then the UTM at site1 doesn't allow a device behind site1 out in the first place.

    Clone your rules but switch the sources and destinations and lets see what happens :)

    Emile

  • Done... And guess what? Still nothing :-)

    Btw. one of my firewall rules is LAN - any - any   allow, currently on both sites, because i dont know what else to try...and firewall is telling just nothing...just dropping some WAN traffic.

    One more thing im thinking about is that Site 1 subnet is behind RED50, but that should be not an issue, because from Site 2 UTM/Tools im able to ping that remote subnet 10.10.1.0/24 and servers in it...

  • Result...

    It is connected over 4G so the ping time is appropriate :-)

  • Just to make sure, you are using the UTM's as default gateway at both sides for the clients you are using in the ping test do you?


    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Off course i do,you can see that on my last screenshot where is also ipconfig in window, im managing quite big company network so in basic settings there is absolutely no problem...

  • This is a long thread, so you all may well already have discussed the fact that ICMP/ping is not included in the "Any" service.  Do specific rules allowing ping between the subnets resolve this mystery?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    ping is included in fw rule,as it is on screenshots,also tried rule only for ping...

    To the hell with ping, but nothing is working, RDP, SSH,FTP...

    Bob should i be able to ping from client on both RED interfaces? I mean virtual iface on both sites...? The local one im able to ping,so internal routing works,but not remote...

    From UTM/Support/Tools/ping it works fine to ping everywhere...

  • I'll take a look at the pictures you posted, but, based on your last post, I wonder if there aren't routing problems outside the UTM.  What happens if you make a masq rule like 'Semily RED subnet -> LAN' in one UTM and a corresponding rule in the other?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    i tryied masq also like Semily subnet -> LAN and Semily subnet -> local RED interface...

    Nothing...

    Tracing route to 10.10.1.56 over a maximum of 30 hops

      1     2 ms     1 ms     3 ms  192.168.6.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.

  • You're using different network objects in the routes and firewall rules.  Is the problem that you need two firewall rules for traffic from the LAN to the remote subnet: one in the server side allowing traffic from the LAN to the remote subnet and one on the client that allows traffic from the server-side LAN to the client-side subnet.  In fact, before you do that, you should see blocks in the Firewall Live Log if this is the problem.

    If you still haven't solved the problem, Please make a diagram for us, including IPs and subnets.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA