
Site-to-Site RED tunnel not working

Hi,

I'm having the hardest time setting up a Site-to-Site RED tunnel between two SG230 appliances.

I'm trying to establish a tunnel between our main site (subnet 10.0.0.0/16) and our remote site (subnet 10.3.0.0/16).

I was following the steps from the tutorial located at

https://community.sophos.com/kb/en-us/120157

and was able to get the RED-tunnel up.

However, setting the static routes as described in the howto does not work unfortunately, no traffic seems to pass between both UTMs.

I've defined the reds2 interface on the main site UTM with the IP address 192.168.200.1 (we have another RED tunnel to a RED15 appliance at another branch office, which is why the server interface is named reds2) and the redc1 interface on the remote site with the IP address 192.168.200.2.

At this point, shouldn't I be able to ping both RED endpoints from either UTM? At the moment, I'm unable to get any pings across.

Any help would be appreciated!

Dominik



  • Hi Dominik,

    To my knowledge, once a tunnel is setup, traffic between two UTMs becomes purely a matter of routing and firewall rules. Can you verify that you configured RED (Network) in the Gateway route definition instead of RED (Address).

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi,

    thanks for answering!

    I'm pretty sure it had something to do with routing, but I couldn't get it to work.

    I decided to scratch the RED setup and instead, went ahead and established a SSL-VPN Site-to-Site tunnel...lo and behold, everything worked right from the get-go.

    So I couldn't solve the original problem, but since Sophos UTM is crazy flexible you usually find a solution that works [:)]

    Thanks anyway!

  • Site 1 acting as RED server:

    Site 2 client:

  • Hi Vikino,

    It looks like you are missing two firewall rules, do you have the two firewall rules:

    • Allowing LAN to Semily RED on Site 2
    • Red Semily to vitek_subnet2 on site1?

    Whats happening here is you're allowing the incoming traffic at each site but you're not actually allowing the initiating traffic which is behind the UTM, so a device in site2 could receive data from site 1, but then the UTM at site1 doesn't allow a device behind site1 out in the first place.

    Clone your rules but switch the sources and destinations and lets see what happens :)

    Emile

  • Done... And guess what? Still nothing :-)

    Btw. one of my firewall rules is LAN - any - any   allow, currently on both sites, because I don't know what else to try... and the firewall is telling me just nothing... just dropping some WAN traffic.

    One more thing I'm thinking about is that the Site 1 subnet is behind a RED50, but that should not be an issue, because from the Site 2 UTM/Tools I'm able to ping that remote subnet 10.10.1.0/24 and the servers in it...

  • Result...

    It is connected over 4G so the ping time is appropriate :-)

  • Just to make sure, you are using the UTMs as default gateway at both sides for the clients you are using in the ping test, are you?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Of course I do, you can see that on my last screenshot where there is also ipconfig in a window. I'm managing quite a big company network, so in the basic settings there is absolutely no problem...

  • This is a long thread, so you all may well already have discussed the fact that ICMP/ping is not included in the "Any" service.  Do specific rules allowing ping between the subnets resolve this mystery?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
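    The two points raised above (Emile's: each site needs rules for both the initiating and the returning direction; Bob's: the UTM "Any" service does not cover ICMP/ping) can be checked mechanically. The script below is an added example, not the poster's configuration or Sophos code; the rule tables are constructed, using the object names from the thread, and the "Ping" service name and the subset of services that "Any" covers are assumptions.

```python
"""Audit a Sophos-UTM-style site-to-site rule set for the two gaps discussed
in the thread. Rule tables here are constructed for illustration."""

# Assumption: illustrative subset of what the "Any" service covers.
# Per the thread, ICMP echo ("Ping") is NOT part of "Any" on Sophos UTM.
ANY_COVERS = {"RDP", "SSH", "FTP"}


def rule_allows(rule, src, dst, service):
    """True if one (src, dst, service, action) rule permits this flow."""
    r_src, r_dst, r_service, action = rule
    if action != "allow" or r_src != src or r_dst != dst:
        return False
    return r_service == service or (r_service == "Any" and service in ANY_COVERS)


def audit_site(rules, local, remote, services):
    """Return (src, dst, service) triples this site's rules do not allow,
    checking local->remote (initiating) and remote->local (returning)."""
    missing = []
    for src, dst in ((local, remote), (remote, local)):
        for service in services:
            if not any(rule_allows(r, src, dst, service) for r in rules):
                missing.append((src, dst, service))
    return missing


def mirror_rules(rules):
    """Emile's suggestion: clone every rule with source and destination swapped."""
    return rules + [(dst, src, svc, act) for (src, dst, svc, act) in rules]


def ping_rules(local, remote):
    """Bob's point: explicit Ping rules, since "Any" does not include ICMP."""
    return [(local, remote, "Ping", "allow"), (remote, local, "Ping", "allow")]


# Constructed: each site only has a one-directional "Any" rule, as in the thread.
SITE2_RULES = [("Semily RED", "LAN", "Any", "allow")]
SITE1_RULES = [("vitek_subnet2", "Semily RED", "Any", "allow")]

if __name__ == "__main__":
    wanted = ["RDP", "SSH", "Ping"]
    for name, rules, local in (("site2", SITE2_RULES, "LAN"),
                               ("site1", SITE1_RULES, "vitek_subnet2")):
        mirrored = mirror_rules(rules)
        fixed = mirrored + ping_rules(local, "Semily RED")
        print(name, "original  missing:", audit_site(rules, local, "Semily RED", wanted))
        print(name, "mirrored  missing:", audit_site(mirrored, local, "Semily RED", wanted))
        print(name, "with ping missing:", audit_site(fixed, local, "Semily RED", wanted))
```

    Mirroring the rules alone still leaves ping blocked in both directions; only the explicit Ping rules clear the audit.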
  • Hi Bob,

    Ping is included in the fw rule, as it is on the screenshots; I also tried a rule only for ping...

    To hell with ping, but nothing is working: RDP, SSH, FTP...

    Bob, should I be able to ping from a client on both RED interfaces? I mean the virtual iface on both sites...? The local one I'm able to ping, so internal routing works, but not the remote...

    From UTM/Support/Tools/ping it works fine to ping everywhere...

  • I'll take a look at the pictures you posted, but, based on your last post, I wonder if there aren't routing problems outside the UTM.  What happens if you make a masq rule like 'Semily RED subnet -> LAN' in one UTM and a corresponding rule in the other?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I tried masq also, like Semily subnet -> LAN and Semily subnet -> local RED interface...

    Nothing...

    Tracing route to 10.10.1.56 over a maximum of 30 hops

      1     2 ms     1 ms     3 ms  192.168.6.1
      2     *        *        *     Request timed out.
      3     *        *        *     Request timed out.
