This article explains how to setup & configure site-to-site RED tunnels (also known as UTM-UTM RED).
Known to apply to the following Sophos product(s) and version(s)
Site-to-Site RED tunnels have a number of advantages over using SSL or IPsec to connect two UTMs. Unlike IPsec, the tunnel as a virtual interface on each end (helps with troubleshooting), and unlike the SSL VPN, the interface is configurable. Administrators have direct control over the address range used on the RED tunnel network, and will have a much easier time resolving routing and IP address conflict issues.
Logically, RED tunnels are easier to understand than other VPN methods: they are essentially the same as connecting a long virtual Ethernet cable from a virtual interface on one UTM, and plugging it into a virtual interface on the other. Firewall rules and static routes are used to allow traffic to go back and forth, in the same way that other internal interfaces are configured.
As opposed to using a RED device such as a RED10, RED15 or RED50, this tunnel type is best suited for environments that:
To setup a UTM-to-UTM RED tunnel, first choose one UTM to be the server. The server role is not related to how traffic will flow through the tunnel, only on which side will await connection, and which end will initiate the connection. If one UTM is located behind NAT, it's a good idea to use it as the client and the other UTM as the server. The server will wait for connections from the client.
Once a tunnel is setup, configuring traffic between two UTMs becomes purely a matter of routing and firewall rules. Please see below for instructions on setting up the tunnel, configuring the interfaces, configuring the routes, and then configuring the firewall.
Where to configure: WebAdmin
On the Server UTM:
This will generate a provisioning file for the remote UTM. Click the Download button, to save the .red provisioning file to disk.
On the Client UTM:
At this point, the tunnel should connect automatically; this normally takes around 30 seconds.
Once you click save, each UTM will have a virtual red interface that you'll need to configure next. The server's interface will be named reds#, and the client redc#, with # being the next available RED interface number.
The next step is to setup static routes on each UTM, telling them which networks are reachable via the UTM on the other end of the tunnel. This is known as split tunnelling (full tunnelling over a Site-to-Site RED is technically possible, but is not covered in this article).
On each UTM:
In the example in step 2, the server's RED interface address was 192.168.100.1, and the client's was 192.168.100.2. If the server UTM had a connected network of range 192.168.5.0/24, and the client UTM has the network 192.168.10.0/24, to allow clients on each respective network to communicate, you would configure the routes as follows:
The final step is to create firewall rules allowing traffic to flow between configured networks. Unfortunately, this cannot be done automatically, and must be configured using firewall rules. The configuration of these rules is the same as allowing traffic to flow between any two networks:
KB 116573 - Sophos RED (Remote Ethernet Device) Technical Training Guide KB 120263 - How to create Site-to-Site RED full tunnels
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.