Use UTM to UTM RED technology to replace IpSec VPN tunnel ?

Question

Hello all, 
 I'm new in Sophos UTM world, so I have what can be a real beginner question: 
 Is it a good idea to use RED technology to set-up a site-to-site tunnel between two UTM (sg-310 and sg-125) instead of setupping an IpSec VPN tunnel ? 
 I took a look here https://www.sophos.com/support/knowledgebase/120157.aspx and it seems to fulfill our requirements. 
 The particularity is the two UTM are located behind NAT Devices ( front firewall and router to traverse to reach internet). 
 Actually we tried to setup an IpSec VPN between the two UTM through NAT and experienced strange issue , the tunnel establishement went well but then, we had a lot "INVALID_MAJOR_VERSION" error message in the VPN debug console (like if the IKE version was different betwee the two UTM ?!?) and no trafic seemed to go throught the tunnel... so we gave up... 
 Now i'm wondering if using RED technology will simplify our life establishing the tunnel through NAT devices or if having NAT devices on both side can be an issue ? 
 Thanks in advance for your answers. 
 Best regards,

BAlfson · Accepted Answer

Hi, Laurent, and welcome to the UTM Community! I think that the most secure between two UTMs would be using X509 certificates with AES 128 PFS. A RED tunnel might be just as secure, but I don't know if it uses PFS. An IPsec tunnel using a PSK would be the least secure. 3DES is slower and less secure than AES. I don't remember details about the weakness(es) found in AES 256, but I don't have anyone configured with it. With both UTMs behind NAT, the most secure IPsec tunnel possible would be with RSA keys. Since you're only connecting two sites, that should be as secure as X509. Again, the RED tunnel should be fine, just not as fast as IPsec. 
 Edit 2015-12-22: In addition to the above, you need to know that using RSA keys allows you to configure the 'VPN ID type' as "IP Address" in the Remote Gateway definition. On each side, you need to use the LAN IP of the other endpoint in the 'VPN ID (optional)' field. You then can use 'Gateway type: Initiate connection' in both Remote Gateway definitions. 
 Cheers - Bob

Use UTM to UTM RED technology to replace IpSec VPN tunnel ?

Top Replies