Hello, this is my topology. The connection between Site 1 and Site 2 is an IPsec VPN.
How do I make clients from Site 2 able to access the file server in the Site 1 network? The file server is in VLAN 130.
In the Site 2 network no VLAN is defined. I use two Sophos XG Firewall devices.
How can I do VLANs over an IPsec site-to-site VPN?
Hi Stilian,
There is no need to do VLANs over an IPsec tunnel. In fact, VLANs are at Layer 2 and cannot be passed through an IPsec tunnel.
All you need is to properly define the tunnel on both sides without worrying that there's a VLAN on one side.
Cheers - Bob
Hi Bob,
he's talking about heartbeat. That must be in the same VLAN (as far as I know).
Another way would be a UTM RED tunnel. Here you can transmit VLANs over VPN. But I'm not familiar with the XG series and whether it is also possible to build UTM RED tunnels there.
Viele Grüße / Best Regards,
Manu
- CISO -
- Sophos SCA & Partner-
Manu nailed it. I read right past the heartbeat issue. A RED is a Remote Ethernet Device - like having a long cable connected. I also don't know if RED is supported on XG.
Cheers - Bob
Neko, I think your issue is better placed in the XG Firewall forum. There are the geeks for what is possible with the XG and what is not ;-).
BTW, for all other readers here: it is also possible to build RED tunnels between two UTMs. So we manage two of our branch offices with only MPLS to the headquarters and can build new networks without asking the provider every time to route them over MPLS.
Viele Grüße / Best Regards,
Manu
- CISO -
- Sophos SCA & Partner-
Hi Neko,
From my understanding, it should work, as IPsec will just add its header for encryption and authentication to the packet. I guess simply defining the local and remote networks in the IPsec policy and a static route to reach the VLAN from the UTM should do the job. I have never come across such a scenario, so it will be interesting to know whether that works.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
Sachin, if you check with the developers, I think they will tell you that the UTM strips the VLAN tag upon receiving the packet. It adds the tag to a packet leaving via a VLAN Interface. Let us know.
Cheers - Bob
PS Can the XG do RED tunnels?
Hi Bob,
Even if the VLAN tag is stripped off the packet, the UTM will still forward it on the basis of the destination IP address/network at Layer 3. When the receiving UTM sees a packet for a VLAN network, it will add the tag and forward it through the respective interface. I think defining the remote and local networks in the IPsec policy should do the job.
Let's await a reply from Neko once he tests this scenario.
Yes, the XG does RED tunnels.
Thanks
Sachin Gurung
Team Lead | Sophos Technical Support
Knowledge Base | @SophosSupport | Video tutorials
Remember to like a post. If a post (on a question thread) solves your question use the 'This helped me' link.
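The point made in the two posts above (the 802.1Q tag is a Layer 2 artefact that is stripped on ingress, IPsec tunnel-mode selectors only look at IP addresses, and the far-side firewall re-tags based on its own routing table) is shown here as an added, self-contained example. This is illustrative code written for this thread, not Sophos UTM/XG code; the MAC addresses, the 10.2.0.0/24 and 10.1.0.0/16 networks, the interface name "Port2.130" and the route table are constructed assumptions, and only VLAN 130 comes from the question.

```python
"""Added example (not Sophos code): why an 802.1Q VLAN tag never crosses an
IPsec site-to-site tunnel, and why the remote side still reaches VLAN 130."""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, payload_len=0):
    """Minimal 20-byte IPv4 header (TTL 64, protocol TCP, no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, 6, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, 20, 2))
    while csum >> 16:  # fold carries into 16 bits
        csum = (csum >> 16) + (csum & 0xFFFF)
    return hdr[:10] + struct.pack("!H", (~csum) & 0xFFFF) + hdr[12:]


def build_frame(dst_mac, src_mac, vlan_id, ip_packet):
    """Ethernet frame; insert an 802.1Q tag only when the egress port is a VLAN."""
    hdr = dst_mac + src_mac
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)  # PCP 0, DEI 0
    return hdr + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


def decapsulate(frame):
    """Ingress on the firewall: drop the Ethernet header and any 802.1Q tag.
    Returns (ingress_vlan_or_None, ip_packet). The tag stops here."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, off = None, 14
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is handled in this example")
    return vlan_id, frame[off:]


def ip_addrs(ip_packet):
    return (ipaddress.IPv4Address(ip_packet[12:16]),
            ipaddress.IPv4Address(ip_packet[16:20]))


def ipsec_selects(ip_packet, local_net, remote_net):
    """Tunnel-mode SA selectors: src in local network, dst in remote network.
    Nothing about VLANs is consulted, which is why none need to be configured."""
    src, dst = ip_addrs(ip_packet)
    return (src in ipaddress.ip_network(local_net)
            and dst in ipaddress.ip_network(remote_net))


def route(ip_packet, routes):
    """Longest-prefix match on the receiving firewall. Each route is
    (prefix, interface_name, vlan_id_or_None); the VLAN comes from the route."""
    _, dst = ip_addrs(ip_packet)
    best = None
    for prefix, iface, vlan in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, vlan)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1], best[2]


def deliver_over_tunnel(frame, local_net, remote_net, remote_routes, macs):
    """Site 2 ingress -> IPsec selector check -> Site 1 egress re-tagging.
    Returns (ingress_vlan, egress_iface, egress_vlan, egress_frame) or None
    when the packet does not match the tunnel."""
    ingress_vlan, pkt = decapsulate(frame)
    if not ipsec_selects(pkt, local_net, remote_net):
        return None
    # ESP would encrypt `pkt` (the bare IP packet) here; no tag is inside it.
    iface, egress_vlan = route(pkt, remote_routes)
    return ingress_vlan, iface, egress_vlan, build_frame(macs[0], macs[1], egress_vlan, pkt)


def demo():
    """Constructed scenario: untagged Site 2 client talks to the VLAN 130 file server."""
    pkt = ipv4_header("10.2.0.25", "10.1.130.10")          # assumed addresses
    frame = build_frame(b"\x00" * 6, b"\x02" * 6, None, pkt)  # Site 2 LAN has no VLAN
    site1_routes = [("10.1.130.0/24", "Port2.130", 130),   # assumed VLAN sub-interface
                    ("10.1.0.0/16", "Port2", None)]
    return deliver_over_tunnel(frame, "10.2.0.0/24", "10.1.0.0/16",
                               site1_routes, (b"\xaa" * 6, b"\xbb" * 6))


if __name__ == "__main__":
    ingress_vlan, iface, egress_vlan, out = demo()
    print("ingress VLAN:", ingress_vlan, "egress:", iface, "VLAN", egress_vlan)
    print("egress frame tagged:", struct.unpack("!H", out[12:14])[0] == ETHERTYPE_VLAN)
```

Running it shows the client frame arriving untagged, matching the tunnel purely on source/destination networks, and leaving the Site 1 firewall tagged with VLAN 130 because that is where the route for 10.1.130.0/24 points. The only configuration that matters on both firewalls is therefore the local/remote network pair in the IPsec policy plus a route (or directly connected VLAN interface) for the file server's subnet.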
Hi all,
I've spoken today with the Windows geek in our admin team. The Windows cluster works with a multicast heartbeat. So perhaps it is possible to resolve it via multicast routing.
But now that we know that the XG also does RED tunnels, I think it would be easier to realise it with a RED tunnel.
Viele Grüße / Best Regards,
Manu
- CISO -
- Sophos SCA & Partner-