Create a site-to-site RED tunnel
Set up a site-to-site RED tunnel between two Sophos Firewall devices without deploying a RED device. In this configuration, one device acts as the server and the other as the client.
Objectives
When you complete this unit, you'll know how to do the following:
- Add a RED interface on the server.
- Create a client firewall configuration.
- Create static routing so that internal networks have a route across the RED tunnel.
- Add firewall rules for tunnel traffic.
Add a RED interface on the server
The server listens for incoming connections, and the client device initiates the outgoing connection. Upstream NAT can interfere with incoming connections, so we recommend that you choose a device that is not behind NAT to act as the server.
- On the server device, go to System services > RED and turn on the RED provisioning service.
- Go to Network > Interfaces, click Add interface, and select Add.
- Specify the settings.
    Branch name: Server
    Type: Firewall RED server
    Tunnel ID: Automatic
    RED IP: 192.0.2.25
    Zone: LAN
- Click Save.
    The firewall generates a provisioning file.
- For the RED interface, click Menu and download the provisioning file.
- Copy the file to a network location or removable drive that you can access from the client firewall.
Add a RED interface on the client
- Go to System services > RED and turn on the RED provisioning service.
- Go to Network > Interfaces, click Add interface, and select Add.
- Specify the settings.
    Branch name: Client
    Type: Firewall RED client
    Firewall IP/hostname: 192.0.2.25
    RED IP: 198.51.100.100
    Zone: LAN
- Click Choose file and select the provisioning file you downloaded from the server.
- Click Save.
Add static routes
You need to configure static routing on both firewalls so that internal networks have a route across the RED tunnel.
- On the server firewall, go to Routing > Static routing.
- Click Add to create an IPv4 unicast route.
- Specify the settings.
    Destination IP / Netmask: Specify the remote network's destination IP address and netmask. Example: 192.168.20.0/24
    Gateway: Specify the IP address of the remote firewall. Example: 192.168.100.2
    Interface: Select the RED interface.
- Go to the client firewall and specify the same routing.
Add firewall rule
For traffic to pass between the two firewalls, you must create a LAN-to-LAN or similar rule on each firewall.
Do as follows on the server and client firewall devices.
- Go to Rules and policies > Firewall rules.
- Select IPv4 or IPv6, select Add firewall rule, and then select New firewall rule.
- Specify the settings.
    Rule name: LAN to LAN
    Source zones: LAN
    Destination zones: LAN
- Click Save.
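The routing and firewall-rule steps above are easy to get wrong when the two sites' internal networks overlap or a route is pointed at the wrong peer. The following pre-flight check is an added example, not Sophos code or part of this guide: it takes each firewall's RED IP and internal networks, flags overlapping networks (which cannot be routed across the tunnel), and lists the static routes and the LAN-to-LAN rule each side needs. It assumes the static route's gateway is the peer firewall's RED IP (the "IP address of the remote firewall" in the steps above); the sample networks are constructed.

```python
"""Pre-flight check for a firewall-to-firewall RED tunnel plan (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Site:
    name: str       # Branch name entered in the RED interface settings
    red_ip: str     # RED IP of this firewall's RED interface
    lans: list      # internal networks behind this firewall (constructed sample data)


def overlapping_networks(a, b):
    """Pairs of networks that overlap across the two sites; these cannot be routed over the tunnel."""
    return [(x, y) for x in a.lans for y in b.lans
            if ip_network(x).overlaps(ip_network(y))]


def static_routes(local, peer):
    """Routes to add on 'local' (Routing > Static routing): each peer LAN via the peer's RED IP.
    Assumption: the route gateway is the peer firewall's RED IP."""
    return [{"destination": str(ip_network(n)), "gateway": peer.red_ip, "interface": "RED"}
            for n in peer.lans]


def firewall_rule(local, peer):
    """LAN-to-LAN rule for 'local' (Rules and policies > Firewall rules).
    Source/destination networks are narrowed to the two sites' LANs rather than 'Any'."""
    return {"rule_name": "LAN to LAN", "source_zones": ["LAN"], "destination_zones": ["LAN"],
            "source_networks": list(local.lans), "destination_networks": list(peer.lans)}


def plan(server, client):
    """Validate the plan and return the per-site routes and rules plus any problems found."""
    problems = [f"{x} overlaps {y}" for x, y in overlapping_networks(server, client)]
    if ip_address(server.red_ip) == ip_address(client.red_ip):
        problems.append("server and client RED IPs are identical")
    return {
        "problems": problems,
        server.name: {"routes": static_routes(server, client), "rule": firewall_rule(server, client)},
        client.name: {"routes": static_routes(client, server), "rule": firewall_rule(client, server)},
    }


if __name__ == "__main__":
    # RED IPs from the steps above; the internal networks are constructed sample values.
    srv = Site("Server", "192.0.2.25", ["192.168.10.0/24"])
    cli = Site("Client", "198.51.100.100", ["192.168.20.0/24"])
    for site, entries in plan(srv, cli).items():
        print(site, entries)
```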