Site-to-Site RED tunnel not working

Question

Hi, 
 I'm having the hardest time setting up a Site-to-Site RED tunnel between two SG230 appliances. 
 I'm trying to establish a tunnel between our main site (subnet 10.0.0.0/16) and our remote site (subnet 10.3.0.0/16). 
 I was following the steps from the tutotial located at 
 https://community.sophos.com/kb/en-us/120157 
 and was able to get the RED-tunnel up. 
 However, setting the static routes as described in the howto does not work unfortunately, no traffic seems to pass between both UTMs. 
 I've defined the reds2 Interface on the main site UTM with the ip adress 192.168.200.1 (We have another RED tunnel to a RED15 appliance at another branch Office, which is why the server Interface is named reds2) and the redc1 Interface on the remote site with the ip adress 192.168.200.2. 
 At this Point, shouldn't I be able to ping both RED endpoints from either UTM? At the Moment, I'm unable to get any pings across. 
 Any help would be appreciated! 
 Dominik

vikino · Accepted Answer

REBOOT!

sachingurung · Answer

Hi Dominik, 
 To my knowledge, once a tunnel is setup, traffic between two UTMs becomes purely a matter of routing and firewall rules. Can you verify that you configured RED (Network) in the Gateway route definition instead of RED (Address). 
 Thanks

dowagner · Answer

Hi, 
 
 thanks for answering! 
 I'm pretty sure it had something to do with routing, but I couldn't get it to work. 
 I decided to scratch the RED setup and instead, went ahead and established a SSL-VPN Site-to-Site tunnel...lo and behold, everything worked right from the get-go. 
 So I couldn't solve the original problem, but since Sohps UTM is crazy flexible you usually find a solution that works [:)] 
 Thanks anyway!

Emile Belcourt · Answer

Hi Dowagner, 
 I've set up an ungodly amount of UTM to UTM RED tunnels in my time and i love them to bits except for sometimes the static routing can be a pain to do. 
 Set the interface IPs of the UTMs virtual RED interfaces like as follows (with whatever IP you want but following this design): 
 
 UTM1 reds# has IP 10.254.254.1/30 
 UTM2 redc# has IP 10.254.254.2/30 
 
 Then basically you have to make sure you set a static route for all remote networks like as follows: 
 
 On UTM1 set a static gateway route for all subnets behind UTM2 with the gateway target of 10.254.254.2 
 On UTM2 set a static gateway route for all subnets behind UTM1 with the gateway target of 10.254.254.1 
 
 Then I make two firewall rules on both UTMs of which are: 
 
 All remote subnets allow any to all local subnets 
 all local subnets allow any to all remote subnets 
 
 I have followed the method above for all my UTM to UTM RED tunnels I have never had a problem. The main problems people have are: 
 
 They haven't created the RED interfaces yet 
 Incorrect IP configuration for the reds/c interfaces resulting in a subnet mismatch/overlap 
 No static routes or static routes are incorrectly configured 
 No firewall rules allowing a connection being initiated to and from the two UTMs 
 
 Additionally, the Any Service does not include ICMP pings, you will have to make sure you allow ping forwards in the Network Protection > Firewall > ICMP tab. Or add the ICMP service to your firewall rule. 
 SSL VPN & IPSEC tunnels are nice and easy because it does all the virtual interfaces and IP addressing and static routing for you, with the RED UTM to UTM tunnels you have to do it all manually. But I've the RED tunnels to be up to 40% faster than IPSEC! 
 Emile