
Dual XGS Site to Site RED tunnel

Hello everyone,

I am quite new to Sophos and just recently bought two Sophos XGS, an XGS 107 for the main site and an XGS 87 for a remote site about 5500 km away. I am currently configuring and testing everything before flying there in two weeks for the install. I got the XGS at the main site set up to where everything works fine; however, I still haven't implemented restricting rules and basically allow any to any...

I also have set up a RED tunnel between the two.

My network looks a bit like this:

Main Site:

172.16.100.0/24

Dynamic DNS is used as there is no static IPv4.

RED Interface: 172.16.222.1/24

Remote Site

172.16.200.0/24

Currently this unit also gets its uplink through the network here; it will later go on one of these wireless broadband connections.

RED Interface: 172.16.222.2/24

In terms of rules to allow RED traffic, both XGS units have a LAN to LAN (any) rule.

Static Routing has been configured like this:

On Main Site:

Destination IP: 172.16.200.0/24

Gateway: 172.16.222.2/24

Interface 172.16.222.1/24

AD: 1

Metric: 0

On Remote Site:

Destination IP: 172.16.100.0/24

Gateway: 172.16.222.1/24

Interface 172.16.222.2/24

AD: 1

Metric: 0

The RED connection is successfully established. However, I have no communication between both units. I can't ping between them from either of the XGS units, let alone ping a host that is directly connected to the other XGS.

At this point I have no idea what I am doing wrong. I tried pretty much everything I read up online (like disabling Tunnel Compression), to no avail. I also put this post up on Reddit where I got some leads, but nothing that pointed me in the right direction. I am 100% certain this is some extremely rookie mistake, but I just can't figure it out...

Thanks so much for your understanding and replies.

Melvin (Germany)

Also if this post in any way is against guidelines I am extremely sorry. Let me know!
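As an added sanity check (this is not code from the thread or from Sophos), the static routes quoted in the post can be run through a few generic IPv4 routing rules: the next hop must be a single host address inside the subnet of the interface it is reached through, it must not be the local address itself, the destination must not be the transit subnet, and on a point-to-point tunnel each side's gateway must be the other side's interface address. The addresses are copied from the post; the checks assume nothing about how SFOS itself stores the route. One thing it flags is the "/24" on the gateway fields as transcribed; whether the firewall actually accepted the value that way is not visible in the thread.

```python
import ipaddress

# Added example, not from the thread or from Sophos: a generic sanity check of
# the two static routes quoted in the post. The addresses are the ones given
# there; the checks are plain IPv4 routing rules and assume nothing about SFOS.

ROUTES = {
    "main": {
        "interface": "172.16.222.1/24",    # RED interface, main-site XGS 107
        "destination": "172.16.200.0/24",  # remote-site LAN
        "gateway": "172.16.222.2/24",      # transcribed exactly as in the post
    },
    "remote": {
        "interface": "172.16.222.2/24",    # RED interface, remote-site XGS 87
        "destination": "172.16.100.0/24",  # main-site LAN
        "gateway": "172.16.222.1/24",      # transcribed exactly as in the post
    },
}


def check_route(route):
    """Return a list of findings for one static route; an empty list means it looks sane."""
    findings = []
    iface = ipaddress.ip_interface(route["interface"])
    dest = ipaddress.ip_network(route["destination"], strict=False)
    gw_text = route["gateway"]

    # A next hop is one host address. A prefix length in the gateway field is
    # usually a form-filling slip; what a given UI does with it varies.
    if "/" in gw_text:
        findings.append(f"gateway {gw_text!r} has a prefix length; expected a single host IP")
    gw = ipaddress.ip_interface(gw_text).ip

    # The next hop must be directly reachable through the chosen interface.
    if gw not in iface.network:
        findings.append(f"gateway {gw} is not inside the interface subnet {iface.network}")
    if gw == iface.ip:
        findings.append(f"gateway {gw} is the local interface address itself")

    # Pointing a directly connected subnet at a gateway would loop traffic.
    if dest.overlaps(iface.network):
        findings.append(f"destination {dest} overlaps the transit subnet {iface.network}")
    return findings


def check_peers(a, b):
    """Cross-check both ends of a point-to-point tunnel against each other."""
    findings = []
    a_if = ipaddress.ip_interface(a["interface"])
    b_if = ipaddress.ip_interface(b["interface"])
    if a_if.network != b_if.network:
        findings.append("tunnel interfaces are not in the same subnet")
    if ipaddress.ip_interface(a["gateway"]).ip != b_if.ip:
        findings.append("side A's gateway is not side B's interface address")
    if ipaddress.ip_interface(b["gateway"]).ip != a_if.ip:
        findings.append("side B's gateway is not side A's interface address")
    return findings


def audit(routes):
    """Run every check and return {name: [findings]} plus a 'peers' entry for a two-site setup."""
    report = {name: check_route(r) for name, r in routes.items()}
    names = list(routes)
    if len(names) == 2:
        report["peers"] = check_peers(routes[names[0]], routes[names[1]])
    return report


if __name__ == "__main__":
    for name, findings in audit(ROUTES).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Running it prints one finding per site (the prefix length on the gateway) and nothing for the peer cross-check; with the gateways entered as bare host addresses every check comes back clean.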

  • Hi Melvin,

    Thank you for reaching out to Sophos Community.

    To better understand your query, I'll add the following information.

    • Check if you're using the right zones on both ends > I think so

    • Check if the tunnel is actually established (should be green text next to the interface in Networks) > It is, text is green

    • Try pinging the RED IPs from the XG web interface -> Diagnostics > doesn't work (packets 100% dropped)

    • Check if you see where the packets are dropped using traceroute (Windows: tracert -d [HOST behind RED]) > They are dropped at the firewall when pinging from my main site

    • Use the firewall rule tester (you find it in the log viewer) and see if the rule matches. > I find nothing (though I might have to have that licensed?!) I currently only have the network protection licence.

    To verify, kindly share the following information:

    • What is the zone of your RED interface for both sites?
    • Firewall rule for the RED interface
    • Do a traceroute from a PC going to the other site, then share logs from the log viewer (which FW rule was it dropped by?)

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • Hello, sorry for the late reply, I have been extremely busy lately.

    To your Questions:

    1. Both are LAN zone interfaces.

    2. I currently have (for testing) a rule set up that allows any traffic from LAN to LAN.

    3. It says allowed... See Photo...

    I literally have no clue what is not working here...

    Best regards,

    Melvin

  • Overall, why not use XFRM instead? Do you have a reason to use RED?

  • Heard it was the only solution to work over a Starlink connection… What are the advantages of XFRM?

  • So basically RED uses ports 3400 and 3410 and is based on SSL VPN.
    XFRM uses IPsec. I am not sure if there is something in IPsec not working with Starlink; it could be an MTU issue.
    But you can adjust the MTU size (on both protocols) and check if this resolves your problem.
    Likely it is your problem with RED and with IPsec. Lower the MTU on the interface.
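Before lowering the MTU it helps to know what the uplink actually carries. The script below is an added example (not from the thread or from Sophos) that binary-searches the largest ICMP payload that crosses a path without fragmentation, then adds the 28 bytes of ICMP and IPv4 headers to get the path MTU. It assumes Linux iputils ping, where -M do sets the Don't Fragment bit and -s sets the payload size; the host 198.51.100.1 in the usage line is a placeholder. Run it from a machine behind the Starlink uplink toward the other site's public address (or any reachable Internet host); the tunnel's interface MTU then has to fit inside that value with room for the RED or IPsec encapsulation overhead.

```shell
#!/bin/sh
# Added example, not from the thread: find the largest unfragmented ICMP
# payload on a path by binary search, and derive the path MTU from it.
# Assumes Linux iputils ping (-M do = set DF, -s = payload bytes).

# real_probe SIZE HOST -> exit 0 if one DF-marked ping of SIZE bytes is answered
real_probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# largest_payload PROBE HOST LOW HIGH
# Binary-search the largest payload in [LOW, HIGH] for which "PROBE size HOST"
# succeeds. Prints the size, or LOW-1 if even LOW bytes fail.
largest_payload() {
    probe=$1; host=$2; lo=$3; hi=$4
    best=$((lo - 1))
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid          # this size passes, try bigger
            lo=$((mid + 1))
        else
            hi=$((mid - 1))    # too big, try smaller
        fi
    done
    echo "$best"
}

# path_mtu PAYLOAD -> PAYLOAD + 8 (ICMP header) + 20 (IPv4 header)
path_mtu() {
    echo $(( $1 + 28 ))
}

# Usage: ./pmtu.sh 198.51.100.1   (placeholder address, substitute the far end)
if [ "${1:-}" != "" ]; then
    host=$1
    payload=$(largest_payload real_probe "$host" 1200 1500)
    echo "largest unfragmented payload to $host: $payload bytes -> path MTU $(path_mtu "$payload")"
fi
```

On Windows the equivalent probe is ping -f -l SIZE HOST (-f sets DF, -l the payload size). A result of 1472 bytes means a full 1500-byte path; anything lower is the number the tunnel interface MTU has to stay under.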
