
IPSec S2S-Tunnel for more the 85+ VLANs per Site

Hello Community,


I have a question about the Sophos SG330 & SG430 IPsec tunnels (firmware v9.605-1).

A customer of mine has two clusters of SG firewalls running: the SG330 on site and the SG430 housed in a data center (the future place to be).

I'm trying to get a connection running from any local subnet (Location A: 172.20.0.0/16, 91+ VLANs) to any data-center subnet (Location B: 10.199.0.0/16, the same 91+ VLANs).

Everything runs fine (incl. RSA auth) in the IPsec connection, but we actually have 8281 SAs when starting the connection.

This overwhelms the CPU & RAM (100% CPU / 100% RAM), and it doesn't go down within 2 hours.


Is there a possibility to create a "super-tunnel" that allows routing over a tunnel (with a gateway on the tunnel interface)?

So that it could be like this:

Both Sites have 1G Internet over fiber. Both Sites have public+static IPs.

Location A (192.168.251.1) >= IPSec-Tunnel  =< Location B (192.168.251.2)

Location A: like... route 10.99.0.0 mask 255.255.0.0 gw 192.168.251.2 (FW-A IP inside tunnel)

Location B: like... route 172.20.0.0 mask 255.255.0.0 gw 192.168.251.1 (FW-A IP inside tunnel)


I'm looking for something that allows me to create the tunnel and a virtual Ethernet interface over which I can route the whole traffic.

I didn't find anything for that. Is this not possible, as this is a function only possible with the XG series?

Is there a different approach to address all the remote subnets over one super-route?

Thank you for all your ideas.

Franz



  • Hi  

    Creating an IPsec tunnel with this many subnets on each side does create performance issues on the device. Not only that, it would take a couple of minutes to turn off the entire IPsec tunnel if you want to troubleshoot.

    You can either create an SSL site-to-site between the devices or create a RED tunnel between the two SG devices. Please refer to the following KBAs:

    For your specific requirement, the RED tunnel should fit in properly. Creating a RED tunnel will create a virtual interface on each SG device and you should be able to configure routes of the VLANs over the virtual RED interface.

    Regards

    Jaydeep

  • Hello Jaydeep,

    Thank you for the idea of the RED tunnel from firewall to firewall.

    I didn't think about that. That's a good idea.

    I've already tested this successfully right now with 9 VLANs on each side/site and will now implement the rest.
    The strain on the hardware is really "low" (below 35% average at 600 Mbit/s of traffic), which is fine for now.

    Great Input. THX

    Bye
    Franz

    Sophos Certified Architect - UTM
    using Sophos UTM since Astaro ASG v7 ;-)

    PDV-Systeme GmbH est. 1985 is
    Gold Solution Partner since 2009

  • I'm glad that you're able to start testing with RED to RED tunnel. Please post an update once you've entirely moved to RED tunnel.

    Regards

    Jaydeep
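The numbers in the thread are worth seeing side by side: a policy-based IPsec tunnel negotiates one IPsec SA pair per (local subnet, remote subnet) selector combination, which is how 91 VLANs on each side turns into 8281 SAs, while the route-based RED-to-RED setup from the reply needs just the two summary routes Franz sketched in his question. The script below is an added example, not code from the post or from Sophos: it builds constructed VLAN lists from the figures in the thread (172.20.0.0/16 and 10.199.0.0/16, 91 x /24, 192.168.251.1/.2 inside the tunnel), counts the SAs, emits the two routes in the generic `route ... gw ...` form Franz used, and runs the two checks you want before cutting over (every VLAN is covered by its summary, and no VLAN overlaps the transit net). The subnets and addresses are assumptions for illustration, not the customer's real configuration.

```python
"""Added example for the thread above (not from the post or from Sophos):
policy-based SA count versus the two summary routes of a route-based
(RED-to-RED / virtual interface) tunnel, plus cut-over sanity checks.

All subnets below are constructed from the figures in the post and are
assumptions for illustration, not the customer's real configuration.
"""
import ipaddress
from typing import List, Union

Net = ipaddress.IPv4Network


def _net(value: Union[str, Net]) -> Net:
    """Accept either a string like '10.199.0.0/16' or an existing network object."""
    return ipaddress.ip_network(value)


def vlan_subnets(summary: str, count: int, prefix: int = 24) -> List[Net]:
    """Constructed sample: carve `count` /prefix subnets (one per VLAN) out of `summary`."""
    subs = list(_net(summary).subnets(new_prefix=prefix))
    if count > len(subs):
        raise ValueError(f"{summary} only holds {len(subs)} /{prefix} subnets")
    return subs[:count]


def policy_based_sa_count(local: List[Net], remote: List[Net]) -> int:
    """Policy-based IPsec negotiates one IPsec SA pair per (local, remote)
    traffic-selector combination; the post's 8281 is exactly 91 x 91."""
    return len(local) * len(remote)


def uncovered_by_summary(summary: str, subnets: List[Union[str, Net]]) -> List[Net]:
    """VLAN subnets the summary route would NOT carry (must be empty before cut-over)."""
    s = _net(summary)
    return [n for n in map(_net, subnets) if not n.subnet_of(s)]


def transit_clashes(transit: str, *subnet_lists: List[Union[str, Net]]) -> List[Net]:
    """VLAN subnets overlapping the tunnel's transit net; such a VLAN would
    swallow the route to the peer's tunnel address."""
    t = _net(transit)
    return [n for subs in subnet_lists for n in map(_net, subs) if n.overlaps(t)]


def route_based_plan(local_summary: str, remote_summary: str,
                     local_gw: str, remote_gw: str) -> List[str]:
    """Two static routes replace N x M SAs: each side points the other side's
    summary at the peer's address inside the tunnel. Generic 'route ... gw ...'
    form as in the post; on the UTM this is a static route via the virtual
    RED interface (assumption: interface naming is left to the GUI)."""
    r, l = _net(remote_summary), _net(local_summary)
    return [
        f"Location A: route {r.network_address} mask {r.netmask} gw {remote_gw}",
        f"Location B: route {l.network_address} mask {l.netmask} gw {local_gw}",
    ]


if __name__ == "__main__":
    site_a = vlan_subnets("172.20.0.0/16", 91)   # constructed: 172.20.0.0/24 .. 172.20.90.0/24
    site_b = vlan_subnets("10.199.0.0/16", 91)   # constructed: 10.199.0.0/24 .. 10.199.90.0/24
    print("policy-based IPsec SAs:", policy_based_sa_count(site_a, site_b))
    print("VLANs not covered by a summary:",
          uncovered_by_summary("172.20.0.0/16", site_a)
          + uncovered_by_summary("10.199.0.0/16", site_b))
    print("VLANs clashing with transit 192.168.251.0/30:",
          transit_clashes("192.168.251.0/30", site_a, site_b))
    for line in route_based_plan("172.20.0.0/16", "10.199.0.0/16",
                                 "192.168.251.1", "192.168.251.2"):
        print(line)
```

Run it as is and the SA figure comes out at 8281, matching the post; feed it a VLAN list with a subnet outside the /16 (or one that overlaps the transit net) and the check functions return the offenders instead of an empty list, which is the case to catch before swapping the policy-based tunnel for the routed one.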
