IPSec S2S-Tunnel for more than 85+ VLANs per Site

Hello Community,

I have a question about the Sophos SG330 & SG430 IPSec tunnels (Firmware v9.605-1).

A customer of mine has two clusters of SG firewalls running: the SG330 on site and the SG430 housed in a data center (future place to be).

I'm trying to get a connection from any local subnet (Location A: 172.20.0.0/16 - 91+ VLANs) to any data-center subnet (Location B: 10.199.0.0/16 - same 91+ VLANs) running.

Everything runs fine (incl. RSA auth) in the IPSec connection, but we actually have 8281 SAs when starting the connection.

This overwhelms the CPU & RAM (100% CPU / 100% RAM) and doesn't go down within 2 hours.

Is there a possibility to create a "Super-Tunnel" that allows routing over a tunnel (with a gateway on the tunnel interface)?

So that it could be like this:

Both sites have 1G Internet over fiber. Both sites have public, static IPs.

Location A (192.168.251.1) >= IPSec-Tunnel  =< Location B (192.168.251.2)

Location A: like... route 10.99.0.0 mask 255.255.0.0 gw 192.168.251.2 (FW-A IP inside Tunnel)

Location B: like... route 172.20.0.0 mask 255.255.0.0 gw 192.168.251.1 (FW-A IP inside Tunnel)

I'm looking for something that allows creating the tunnel and a virtual Ethernet interface over which I can route the whole traffic.

I didn't find anything for that. Is this not possible, as this is a function only possible with the XG series?

Is there a different approach to address all the remote subnets over one super-route?

Thank you for all your ideas.

Franz
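To show where the 8281 figure in the question comes from, and why a routed tunnel avoids it, here is an added worked example (not code from the thread or from Sophos). It builds two constructed VLAN lists (91 /24 subnets carved from 172.20.0.0/16 and 10.199.0.0/16, as in the post), enumerates the traffic-selector pairs a policy-based IPsec tunnel needs, and then computes the summarized routes a route-based tunnel (RED or any virtual tunnel interface) would carry instead. The subnet layout and helper names are assumptions for illustration; the VLAN counts are parameters.

```python
import ipaddress
from itertools import product


def site_vlans(supernet: str, count: int):
    """Constructed sample: the first `count` /24 VLAN subnets carved from `supernet`."""
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=24)
    return [next(subnets) for _ in range(count)]


def policy_based_sa_pairs(local, remote):
    """Policy-based IPsec negotiates one child SA pair per (local, remote)
    selector combination, so the tunnel count is the Cartesian product."""
    return [(l, r) for l, r in product(local, remote)]


def policy_based_sa_count(local, remote):
    """Same figure without materialising the pairs: |local| * |remote|."""
    return len(local) * len(remote)


def route_based_routes(remote):
    """Route-based design (RED / tunnel interface): the tunnel carries whatever
    the routing table sends to it, so only the aggregated remote prefixes are
    needed as routes; the IPsec selector itself is a single any-to-any pair."""
    return list(ipaddress.collapse_addresses(remote))


def covering_route(subnets):
    """Smallest single supernet covering all remote VLANs: the 'super-route'
    idea from the post (one route via the peer's tunnel-side address)."""
    net = subnets[0]
    while not all(s.subnet_of(net) for s in subnets):
        net = net.supernet()
    return net


if __name__ == "__main__":
    local = site_vlans("172.20.0.0/16", 91)    # Location A, constructed
    remote = site_vlans("10.199.0.0/16", 91)   # Location B, constructed
    print("policy-based child SA pairs:", policy_based_sa_count(local, remote))
    print("route-based IPsec selector pairs: 1")
    print("routes needed on Location A (collapsed):")
    for r in route_based_routes(remote):
        print("   ", r)
    print("single covering super-route:", covering_route(remote))
```

With 91 VLANs per side the policy-based count is 91 x 91 = 8281 selector pairs, matching the figure in the question, while the routed design needs a handful of summarized routes (or one covering route) on top of a single any-to-any SA pair. Monitoring the SA count after a tunnel comes up is a quick way to spot a selector product that has grown beyond what the firewall can rekey comfortably.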

  • Hi

    Creating an IPSec tunnel with this many subnets on each side does create performance issues on the device. Not only that, it would take a couple of minutes to turn off the entire IPSec tunnel if you want to troubleshoot.

    You can either create an SSL site-to-site between the devices or create a RED tunnel between the two SG devices. Please refer to the following KBAs:

    For your specific requirement, the RED tunnel should fit in properly. Creating a RED tunnel will create a virtual interface on each SG device and you should be able to configure routes of the VLANs over the virtual RED interface.

    Regards

    Jaydeep

  • Hello Jaydeep,

    Thank You for the Idea with the RED-Tunnel from Firewall-to-Firewall.

    I didn't think about that. That's a good idea.

    I've already tested this successfully with 9 VLANs on each side/site and will now implement the rest.
    The strain on the hardware is really "low" (below 35% average at 600 MBit/s traffic), which is fine for now.

    Great Input. THX

    Bye
    Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • I'm glad that you're able to start testing with a RED-to-RED tunnel. Please post an update once you've entirely moved to the RED tunnel.

    Regards

    Jaydeep
