Overview

This article explains how to set up a site-to-site RED tunnel between two Sophos XG Firewalls, without the need of a separate RED device.

The following sections are covered:

• How to create a RED tunnel
  • Server firewall configuration
  • Client firewall configuration
• Static routes
• Firewall rules
• Related information
  

Applies to the following Sophos products and versions
Sophos Firewall version 16 and above

How to create a RED tunnel

To setup, an XG to XG RED tunnel, choose one XG Firewall to be the server. The device picked to be a server listens for incoming connections, and the client device initiates the outgoing connection. Any upstream NAT may interfere with incoming connections, so it is best to have the non-NATed device act as a server.

Please see below for instructions on setting up the tunnel, configuring the interfaces, configuring the routes, and then configuring the firewall.

Server firewall configuration

1. Go to System Services > RED and toggle RED status to the ON position.
2. Fill out the options below and click Apply to enable the RED feature.
• Organization name
• City
• Country
• Email
3. Navigate to Network > Interfaces and click Add interface on the upper right.
4. Select Add RED from the drop-down list.
5. Enter the RED settings details for the server firewall and then click Save.




• Branch name: Enter the name of the remote location in which the RED is to be set up.
• Type: Firewall RED Server
• Tunnel ID: Automatic
• RED IP: The IP address for the server side of the RED tunnel.
• RED netmask: The subnet mask for the entire network used by the RED tunnel. The network must have at least two addresses available in the space.
• Zone: LAN
• Tunnel compression: Compresses the traffic to be smaller but may use more system resources.
6. A provisioning file is generated for the remote XG Server Firewall. Click  and then the Download provisioning file to save the .red provisioning file to disk.

 

Client firewall configuration

Repeat steps 1 through 5 as shown above and fill out the details shown below when adding the RED interface and then click Save.

• Branch name: Enter the name of the remote location in which the RED is to be set up.
• Type: Firewall RED Client
• Firewall IP/hostname: The public IP of the RED Server Firewall.
• Provisioning file: Click here to upload the provisioning file that was downloaded when configuring the RED Server.
• RED IP: The IP address for the client side of the RED tunnel.
• RED netmask: The subnet mask for the entire network used by the RED tunnel, it will need to have at least two addresses available in the space.
• Zone: LAN

Static routes

1. On the site-to-site RED tunnels, static routing needs to be manually configured. Navigate to Routing > Static routing.
2. Click on Add to create an IPv4 unicast route.     
3. On this screen fill in the following information:



4. Create static routes on both XG Firewall's so that internal networks have a route across the RED tunnel.

Firewall rules

For traffic to pass between the two firewalls, a LAN to LAN or similar rule must be created on each firewall.

1. Navigate to Firewall
2. Click Add to create a firewall rule.
3. Create a rule to allow traffic between the Zones the RED belongs to and other Zones used by the static routes.

The image below shows an example of a standard LAN to LAN rule so that all traffic can cross between the networks on the LAN zones

Note:

• The method for an XG Firewall to Sophos UTM tunnel is similar but you must select Firewall RED Client Legacy or Firewall RED Server Legacy when creating the interfaces on the XG.
• If the RED server firewall have more than one WAN interface, a sys-traffic-nat rule is necessary to force a correct NAT for the RED server firewall. This can be done in the XG Firewall's console.
  
  

Related information

• Sophos XG Firewall: RED (Remote Ethernet Device) technical training guide
• Sophos UTM: RED (Remote Ethernet Device) technical training guide