Site-to-Site RED tunnels have a number of advantages over using SSL or IPsec to connect two UTMs. Unlike IPsec, the tunnel appears as a virtual interface on each end (which helps with troubleshooting), and unlike the SSL VPN, the interface is configurable. Administrators have direct control over the address range used on the RED tunnel network, and will have a much easier time resolving routing and IP address conflict issues.
Logically, RED tunnels are easier to understand than other VPN methods: they are essentially the same as connecting a long virtual Ethernet cable from a virtual interface on one UTM, and plugging it into a virtual interface on the other. Firewall rules and static routes are used to allow traffic to go back and forth, in the same way that other internal interfaces are configured.
As opposed to using a RED device such as a RED10, RED15 or RED50, this tunnel type is best suited for environments that:
Applies to the following Sophos products and versions: Sophos UTM
To set up a UTM-to-UTM RED tunnel, first choose one UTM to be the server. The server role has nothing to do with how traffic will flow through the tunnel; it only determines which side waits for the connection and which side initiates it. If one UTM is located behind NAT, it's a good idea to use it as the client and the other UTM as the server. The server will wait for connections from the client.
Once a tunnel is set up, configuring traffic between the two UTMs becomes purely a matter of routing and firewall rules. Please see below for instructions on setting up the tunnel, configuring the interfaces, configuring the routes, and then configuring the firewall.
Where to configure: WebAdmin
On the Server UTM:
This will generate a provisioning file for the remote UTM. Click the Download button to save the .red provisioning file to disk.
On the Client UTM:
At this point, the tunnel should connect automatically; this normally takes around 30 seconds.
Once you click Save, each UTM will have a virtual RED interface that you'll need to configure next. The server's interface will be named reds#, and the client's redc#, with # being the next available RED interface number.
The next step is to set up static routes on each UTM, telling each one which networks are reachable via the UTM on the other end of the tunnel. This is known as split tunnelling (full tunnelling over a Site-to-Site RED tunnel is technically possible, but is not covered in this article).
On each UTM:
In the example in step 2, the server's RED interface address was 192.168.100.1 and the client's was 192.168.100.2. If the server UTM has a connected network of 192.168.5.0/24 and the client UTM has the network 192.168.10.0/24, then to allow hosts on each network to communicate you would configure the routes as follows:
The final step is to create firewall rules allowing traffic to flow between the configured networks. Unfortunately, this is not done automatically and must be configured manually using firewall rules. These rules are configured in the same way as rules allowing traffic between any two networks:
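The routing and firewall steps above can be sanity-checked before anything is entered in WebAdmin. The following is an added example, not Sophos code: it models both UTMs with the article's addresses, resolves a remote host with a longest-prefix lookup, and flags a missing route, a missing rule, or a RED tunnel network that overlaps a LAN. The /24 tunnel prefix, the interface numbers reds0/redc0 and the check that the rule exists on both the sending and the receiving UTM are assumptions.

```python
import ipaddress
from typing import NamedTuple
class Utm(NamedTuple):
    name: str
    lan: str          # locally connected network
    red_iface: str    # virtual RED interface name (reds# on server, redc# on client)
    red_addr: str     # this UTM's address on the RED tunnel network, with prefix
    routes: tuple     # static routes as (dest_net, gateway, iface) tuples
    allow: frozenset  # (src_net, dst_net) pairs permitted by firewall rules

def next_hop(utm, dst_ip):
    """Longest-prefix match; returns (gateway, iface), gateway None if connected."""
    ip = ipaddress.ip_address(dst_ip)
    cands = [(ipaddress.ip_network(utm.lan), None, "lan"),
             (ipaddress.ip_interface(utm.red_addr).network, None, utm.red_iface)]
    cands += [(ipaddress.ip_network(d), g, i) for d, g, i in utm.routes]
    hits = [c for c in cands if ip in c[0]]
    if not hits:
        return None
    _, gw, iface = max(hits, key=lambda c: c[0].prefixlen)
    return gw, iface

def check_plan(a, b):
    """Return the problems in a split-tunnel plan between two UTMs ([] if clean)."""
    problems = []
    tunnel = ipaddress.ip_interface(a.red_addr).network
    if tunnel != ipaddress.ip_interface(b.red_addr).network:
        problems.append("RED interfaces are not on the same tunnel network")
    for u in (a, b):  # the address conflicts the article warns about
        if tunnel.overlaps(ipaddress.ip_network(u.lan)):
            problems.append(f"{u.name}: tunnel network {tunnel} overlaps LAN {u.lan}")
    for src, dst in ((a, b), (b, a)):  # traffic must be routed and allowed both ways
        peer = str(ipaddress.ip_interface(dst.red_addr).ip)
        host = str(ipaddress.ip_network(dst.lan)[10])  # any host in the remote LAN
        if next_hop(src, host) != (peer, src.red_iface):
            problems.append(f"{src.name}: no route to {dst.lan} via {peer} on {src.red_iface}")
        for u in (src, dst):  # assumed: the rule is needed on sending and receiving UTM
            if (src.lan, dst.lan) not in u.allow:
                problems.append(f"{u.name}: no firewall rule {src.lan} -> {dst.lan}")
    return problems

# Constructed example using the article's addresses. The /24 tunnel prefix and the
# interface numbers reds0/redc0 are assumptions, not values from the article.
BOTH_WAYS = frozenset({("192.168.5.0/24", "192.168.10.0/24"), ("192.168.10.0/24", "192.168.5.0/24")})
SERVER = Utm("server", "192.168.5.0/24", "reds0", "192.168.100.1/24",
             (("192.168.10.0/24", "192.168.100.2", "reds0"),), BOTH_WAYS)
CLIENT = Utm("client", "192.168.10.0/24", "redc0", "192.168.100.2/24",
             (("192.168.5.0/24", "192.168.100.1", "redc0"),), BOTH_WAYS)
```

Running check_plan(SERVER, CLIENT) on the article's configuration returns an empty list; dropping the client's static route or moving its RED address into its own LAN makes the corresponding problem appear.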