IPSEC Tunnel between two UTMs

Hi all,

I set up an IPSEC tunnel between two UTMs.

The Setup is as follows

Site A:

Connection:
Remote Gateway: Site B Remote Gateway
Local Interface: Site A's public interface
Policy AES-256 PFS
Local Networks: Any
No Automatic FW Rules, Strict routing, or bind tunnel to local interface

Remote Gateway:
Type: initiate
Gateway: Site B's public IP
Remote Networks: 172.19.0.0/16


Site B:

Connection:
Remote Gateway: Site A Remote Gateway
Local Interface: Site B's public interface
Policy AES-256 PFS
Local Networks: 172.19.0.0/16
No Automatic FW Rules, Strict routing, or bind tunnel to local interface

Remote Gateway:
Type: initiate
Gateway: Site A's public IP
Remote Networks: Any

We want to route any traffic from site B through the tunnel to site A.
Everything connected behind the UTM at site B is just fine, but the UTM at site B itself is not able to ping Site A. The traffic is routed to the public interface of site B.

Do I have to enable "Bind tunnel to local interface" at site B to enable tunnel routing for the UTM itself, or did I miss something else?

Thx in advance
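The symptom described above (hosts behind site B reach site A through the tunnel, the site B UTM's own pings leave via the public interface) is what policy-based IPsec traffic selectors produce when the sending address is not covered by a local selector. The following is an added example, not code from the post or from Sophos: a small Python model of selector matching, fed with the site B selectors from the post and a constructed public address for the site B UTM. `SITE_B_PUBLIC_IP`, the function names and the sample packets are assumptions for illustration only.

```python
import ipaddress

# Constructed model of policy-based IPsec traffic selectors (added example,
# not Sophos UTM code). A tunnel policy carries local selectors and remote
# selectors; a packet is only sent into the tunnel when its source address
# lies inside some local selector AND its destination inside some remote
# selector. Anything else follows the normal routing table, i.e. the public
# interface. The model ignores the usual exemption for the gateway's own
# IKE/ESP packets to the peer.

def make_selectors(local, remote):
    """Build (local, remote) selector lists from CIDR strings."""
    return ([ipaddress.ip_network(n) for n in local],
            [ipaddress.ip_network(n) for n in remote])

def tunneled(selectors, src, dst):
    """True when the src/dst pair matches the selector pair."""
    local, remote = selectors
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    return any(s in n for n in local) and any(d in n for n in remote)

def route(selectors, src, dst):
    """Where a packet goes under the given policy."""
    return "ipsec-tunnel" if tunneled(selectors, src, dst) else "public-interface"

# Site B exactly as described in the post: local 172.19.0.0/16, remote Any.
SITE_B = make_selectors(["172.19.0.0/16"], ["0.0.0.0/0"])

# Hypothetical public address of the site B UTM (constructed, not from the post).
SITE_B_PUBLIC_IP = "203.0.113.10"

# Variant in which the UTM's own source address is also a local selector;
# this is only to show the selector logic, not a recommended Sophos setting.
SITE_B_WITH_UTM = make_selectors(["172.19.0.0/16", SITE_B_PUBLIC_IP + "/32"],
                                 ["0.0.0.0/0"])

def classify(selectors, packets):
    """Map each (src, dst) pair to the path the policy gives it."""
    return {(src, dst): route(selectors, src, dst) for src, dst in packets}

if __name__ == "__main__":
    # Constructed sample packets: a LAN host and the UTM itself, both
    # heading for the same constructed internet address.
    sample = [
        ("172.19.1.10", "198.51.100.5"),      # host behind site B
        (SITE_B_PUBLIC_IP, "198.51.100.5"),   # site B UTM's own traffic
    ]
    for (src, dst), path in classify(SITE_B, sample).items():
        print(f"{src:>14} -> {dst:<14} {path}")
```

Run as written, the LAN host's packet is classified as tunneled while the UTM's own packet, sourced from an address outside 172.19.0.0/16, is not, which matches what the post observes. The point for a defender is that "route all traffic through site A" is only enforced for sources the local selector actually names; traffic from any other source address, including the gateway's own, silently takes the unencrypted path, so the selectors are worth checking against the addresses the firewall itself sends from.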


  • You shouldn't use ANY in any VPN connection. In site A use site A's local subnet(s) as Local Network(s) and enter exactly the same subnets at site B as 'Remote networks'.

    The same way as you already configured the 172.19.0.0/16 network for site B. 

    In your situation you could probably create a RED tunnel between the 2 UTMs. A RED client network does just what you want.

    You could also try to add 0.0.0.0/0 where now you have ANY but I don't know whether that would work.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • Don't know about a RED tunnel with two UTM instead of one UTM and one RED. Haven't seen this setup yet. How would one set this up?

    If I don't use any at the remote site, the internet traffic is not routed to site A. If I try to create a network definition for 0.0.0.0/0 UTM tells me that it is the same as Any and it will disable all used any rules.

    So, how to set up a tunnel that routes all traffic to site A, that is usable for all networks behind site B's UTM and the UTM itself?
  • On RED Management -> Server Client Management you can add a new connection. There you can choose between RED 10, RED 50 or UTM. Use UTM and enter a branch name.

    You can then download the config which you can upload in the other site (which will then act like being a RED) on RED Management -> Client Tunnel Management -> Add Tunnel

    This will create the RED tunnel between the two UTMs.