
Use UTM to UTM RED technology to replace IpSec VPN tunnel ?

Hello all,

I'm new in Sophos UTM world, so I have what can be a real beginner question:

Is it a good idea to use RED technology to set up a site-to-site tunnel between two UTMs (sg-310 and sg-125) instead of setting up an IPsec VPN tunnel?

I took a look here https://www.sophos.com/support/knowledgebase/120157.aspx and it seems to fulfill our requirements.

The particularity is that the two UTMs are located behind NAT devices (a front firewall and a router to traverse to reach the internet).

Actually, we tried to set up an IPsec VPN between the two UTMs through NAT and experienced a strange issue: the tunnel establishment went well, but then we had a lot of "INVALID_MAJOR_VERSION" error messages in the VPN debug console (as if the IKE version was different between the two UTMs?!?) and no traffic seemed to go through the tunnel... so we gave up...

Now I'm wondering if using RED technology will simplify our life when establishing the tunnel through NAT devices, or if having NAT devices on both sides can be an issue?

Thanks in advance for your answers.

Best regards,

  • So, just to provide some feedback: a UTM to UTM RED tunnel works perfectly through NAT devices. I just forwarded port 3400 TCP and port 3410 UDP, but I think it's not necessary as it's only for RED v2, if my understanding is correct? ... So we will try to remove 3410 UDP to see if everything still works fine afterwards.

    Another question: what is the level of security of a RED tunnel in comparison with an IPsec site-to-site VPN with a pre-shared key and a 3DES- or AES-based policy? I'm concerned about receiving bad feedback from an audit because we use RED technology.
    Best regards,
  • Hi, Laurent, and welcome to the UTM Community!

    I think that the most secure between two UTMs would be using X509 certificates with AES 128 PFS. A RED tunnel might be just as secure, but I don't know if it uses PFS. An IPsec tunnel using a PSK would be the least secure. 3DES is slower and less secure than AES. I don't remember details about the weakness(es) found in AES 256, but I don't have anyone configured with it.

    With both UTMs behind NAT, the most secure IPsec tunnel possible would be with RSA keys. Since you're only connecting two sites, that should be as secure as X509. Again, the RED tunnel should be fine, just not as fast as IPsec.

    Edit 2015-12-22: In addition to the above, you need to know that using RSA keys allows you to configure the 'VPN ID type' as "IP Address" in the Remote Gateway definition. On each side, you need to use the LAN IP of the other endpoint in the 'VPN ID (optional)' field. You then can use 'Gateway type: Initiate connection' in both Remote Gateway definitions.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for all your replies,

    So far, we are very happy with the RED tunnel, which is very stable. Performance is fine for our needs.

    Best regards.