
RED between UTM - routing works, but UTM on both sides can't access the network

Hello guys,

 

I have a problem concerning a RED connection between two UTMs.

The connection is established and works fine. Routing as well.

 

The only problem is, the UTMs can't access the networks on the other side, PING isn't working either.

Devices within these networks are able to access the other networks.

 

Any ideas? I am a bit stuck at the moment and need it to work, because the UTM needs to access the Active Directory server at the other side of the tunnel, which isn't working.

PING tests were made with the UTM tools.

 

Thanks in advance.

 



  • Hi,

    Have you configured the firewall rules necessary to allow traffic to flow between configured networks?

    Please see our KB article for instructions: How to configure Site-to-Site RED Tunnels

    Thanks,
    Karlos

    Karlos
    Community Support Engineer | Sophos Technical Support

  • Hi there.

    It's most likely missing some firewall rules, as Karlos pointed out. Just to make things clearer: you probably have your UTMs' RED interfaces on a private network, for example 192.168.100.0/24 with UTM 1 on 192.168.100.1 and UTM 2 on 192.168.100.2. Since your networks are able to communicate, I take it you have a firewall rule on both UTMs allowing the two subnets to connect to each other, but you are lacking a firewall rule to allow the remote UTM to communicate with your local networks. You are probably assuming the traffic from the UTM would reach the other side with its LAN IP, but in fact it will reach the other side with the IP of the RED interface, so your firewall rules allowing both subnets to communicate won't cover this traffic.

    Try this, assuming the example I used with UTM 1 on 192.168.100.1 and UTM 2 on 192.168.100.2. Replace these with the IPs of your RED interfaces.

    UTM 1:

    From 192.168.100.2 (UTM 2 RED interface IP) -> Any -> Internal

    From Internal -> any -> 192.168.100.2 (UTM 2 RED interface IP)

     

    UTM 2:

    From 192.168.100.1 (UTM 1 RED interface IP) -> Any -> Internal

    From Internal -> Any -> 192.168.100.1 (UTM 1 RED interface IP)

     

    Of course, replace "Any" with the services you want to allow if you wish to be more restrictive.

     

    Regards,

    Giovani

  • "The only problem is, the UTMs can't access the networks on the other side, PING isn't working either.

    Devices within this networks are able to access the other networks."

    Sorry, you lost me.  What can access what where?  What can't access what where?  What items are selected on the 'ICMP' tab of 'Firewall' on both sides?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    • Site 1 is a UTM with 10.30.0.0/23
    • Site 2 is XG with 10.20.0.0/23

    Devices within 10.20.0.0/23 can access everything within 10.30.0.0/23, except the XG.

    Devices within 10.30.0.0/23 can access everything within 10.20.0.0/23, except the UTM. The UTM should connect to the domain controller at 10.20.0.10 for user authentication.

    The UTM gets a connection timeout while testing the settings, and the UTM can't ping the server either.

    Traceroute shows that there is a hop at the RED interface IP of the UTM, but nothing further.

  • What selections have you made on the 'ICMP' tab of 'Firewall' in the UTM?  What about the corresponding ones in the XG?

    Cheers - Bob

  • Your RED interfaces have IP addresses, right? What are they? Include THOSE IP addresses in your firewall rules. Example:

    10.20.0.0/23 AND RED IP from UTM 1 -> Any -> 10.30.0.0/23 AND RED IP from UTM 2.

    And vice-versa.

    Regards,

    Giovani

  • The IPs are 10.20.0.1 and 10.30.0.1 and they are included in my rules...

    10.20.0.0/23 and 10.30.0.0/23

  • OK, I'm having a really hard time understanding your setup. Here is the article on how to configure Site-to-Site RED tunnels: https://community.sophos.com/kb/en-us/120157

    As shown in the article, RED interfaces have their own network on which they communicate and over which you route traffic between the UTMs. I have dozens of setups like this and all of them have a separate network for RED communication. I don't see how your RED interfaces could have an IP from your internal network AND still route traffic to the other side, unless you are not using RED at all. So, to make things clear, please replace the diagram below with your current settings:

     

    UTM1 LAN Network/Subnet -> UTM 1 LAN IP -> UTM 1 RED IP -> UTM 2 RED IP -> UTM 2 LAN IP -> UTM 2 LAN Network/Subnet.

     

    Regards,

    Giovani

  • Your current settings don't allow for trace routes or pings to transit the UTM nor do they allow the UTM to respond to trace routes or pings.  The "Any" service is TCP and UDP only - none of the other IP protocols are included.  Specifically, ping and trace route are not included in the "Any" service.

    Cheers - Bob

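A small rule-matching model of the two points made in this thread: Giovani's, that traffic the remote UTM originates itself carries its RED interface IP, so LAN-to-LAN rules never match it, and Bob's, that the "Any" service is TCP/UDP only, so ping still fails. This is an added illustration, not the thread's configuration or Sophos code; the RED transfer network 192.168.100.0/24 and the first-match, default-deny evaluation are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example, not the thread's real configuration: the two LANs from
# the thread (site 1 UTM on 10.30.0.0/23, site 2 with the domain controller on
# 10.20.0.0/23) plus a separate RED transfer network as in Giovani's example.
SITE1_LAN = ip_network("10.30.0.0/23")
SITE2_LAN = ip_network("10.20.0.0/23")
SITE1_RED = ip_network("192.168.100.1/32")  # RED interface IP of the site 1 UTM

# The built-in "Any" service covers TCP and UDP only (Bob's point), so ICMP
# for ping and traceroute needs its own service or the ICMP tab settings.
SERVICES = {"Any": {"tcp", "udp"}, "Ping": {"icmp"}}

def first_match(rules, src, proto, dst):
    """Index of the first rule (sources, service, destinations) permitting
    the flow, or None: no matching rule means the packet is dropped."""
    src, dst = ip_address(src), ip_address(dst)
    for i, (sources, service, dests) in enumerate(rules):
        if (proto in SERVICES[service]
                and any(src in n for n in sources)
                and any(dst in n for n in dests)):
            return i
    return None

def allowed(rules, src, proto, dst):
    return first_match(rules, src, proto, dst) is not None

# Rules on the site 2 firewall as the original poster has them: only
# LAN-to-LAN traffic is covered, so hosts behind the UTM reach the DC.
ORIGINAL_SITE2 = [
    ([SITE1_LAN], "Any", [SITE2_LAN]),
    ([SITE2_LAN], "Any", [SITE1_LAN]),
]

# Giovani's fix: traffic the site 1 UTM originates itself (the AD
# authentication test) arrives with its RED interface IP as the source.
FIXED_SITE2 = ORIGINAL_SITE2 + [
    ([SITE1_RED], "Any", [SITE2_LAN]),
    ([SITE2_LAN], "Any", [SITE1_RED]),
]

# Still no ping: "Any" is TCP/UDP only, so ICMP needs an explicit rule.
FIXED_SITE2_ICMP = FIXED_SITE2 + [
    ([SITE1_LAN, SITE1_RED], "Ping", [SITE2_LAN]),
]
```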