
Site-to-Site RED Tunnels concentrator

We are trying to replace the IPsec tunnels between 8 UTM firewalls with UTM RED tunnels. Those require quite a few routing, gateway and firewall rules.

If we want to use multiple RED tunnels to a location, do we need to set up multiple interfaces/gateways, or can we use one "RED Server" for multiple branch sites?



  • Hello,

    can you give us a diagram about that setup?

    Is that a mesh?

    Or is that 8 subsidiaries and one central site?

    Do you need to reach only the resources on the central site from each subsidiary?

    Best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • We are running several Sophos UTMs with the 9.7 firmware: SG330 (HA), SG230 (HA), 4x SG115 and about 8x RED15.

    All sites have ISP links between 25/100 and 1000/1000 (main office).

    They are all connected using IPsec or the RED interfaces, forming a hub-and-spoke connection (any site goes to any site).

    We are trying to replace the IPsec connections with RED UTM tunnels, as the IPsec tunnels (there are about 50 of them to get that setup done) are having bad performance.

    So we are wondering if we need to set up a new RED Server interface for each connection, or only one RED Server interface for all connections.

  • Hello,

    You already have 8 RED15s; do you know how these are connected? There is a virtual interface for every RED tunnel, like "reds1", "reds2" and so on.

    I would compare these to security associations in the IPsec configuration. You can define more than one RED tunnel on the remote UTMs, but AFAIK this is a one-to-one association: you cannot have more than one remote site connecting to a single "redsX" interface. You can have multiple remote networks, but that's not your point, I think.

    But, as I read your post again, it's normally IPsec that has the best performance among VPN tunnels, so I wonder what your problem may be.

    Best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

  • The REDs are for home offices and connect to the SG/UTM firewalls, e.g. home office Germany to UTM-Germany, home office France to UTM-France. Each RED has one of those interfaces as described by default. On some UTMs we have 3 REDs and therefore 3 interfaces creating 3 networks, one for each home office user.

    We have BIG problems with our IPsec tunnels, as they only get 5 MBit throughput on 100/100 ISP connections (thread here).

    So we decided to give the UTM tunnel a chance (not the RED appliance tunnel, but the UTM RED tunnel that goes from UTM to UTM).

    When you create a UTM RED tunnel, you create a UTM server, "RED Firewall Server".

    In the picture you see that we have created two "Servers", each connecting to a remote UTM firewall that has a client configuration (and manual routing and firewall rules).

    Additionally, you have to create an interface for each server to provide a gateway/path/route to that server and/or client.

    Those interfaces are simply gateways; the IP range at the remote location is different then, also having an interface in the same network.

    It's quite complicated; that's why there is a KB documentation.

  • The IPsec connections were set up to connect EACH network of EACH location to EACH location to enable internal calling. This is overkill/a security risk for one feature, we are aware.

  • Hello (what's your name?),

    I cannot confirm that UTM 9.701 causes slow IPsec tunnels. We have tunnels from Germany to the USA, France, the UK, Hungary ... all running at full line speed with IPsec.

    Best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner