This article describes how to configure OSPF (Open Shortest Path First) routing over an IPsec VPN tunnel on the Sophos XG Firewall (SF). The procedure works between two Sophos XG Firewall devices as well as with a third-party network device, as long as that device supports IPsec VPN and GRE (Generic Routing Encapsulation) tunneling.
A GRE tunnel is necessary for this setup to work. GRE is good for passing routing protocols between sites, but it provides no security: the packets are encapsulated with an additional header, but they are not encrypted. Security comes from an additional layer, the IPsec VPN tunnel, inside which the GRE traffic is carried.
Note: This article does not provide in-depth information regarding OSPF, IPsec VPN, GRE tunnels or firewall technologies.
Applies to the following Sophos products and versions: Sophos Firewall
Establish OSPF routing via IPsec VPN tunnel between the Lightbulb Corp and Acme Corp.
system gre tunnel add name <Name> local-gw <WAN Port> remote-gw <WAN IP of the remote site> local-ip <Virtual IP of the local site> remote-ip <Virtual IP of the remote site>
system gre tunnel add name LbGre local-gw Port2 remote-gw 192.168.20.2 local-ip 192.168.5.1 remote-ip 192.168.5.2
system gre tunnel add name AcmeGre local-gw PortB remote-gw 192.168.20.1 local-ip 192.168.5.2 remote-ip 192.168.5.1
system gre tunnel show
Note: Make sure that ping is enabled for the VPN zone in both XG Firewalls. Go to Administration > Device Access. Click Apply to save the settings.
The following illustration shows two layer 3 headers in the packet capture for both XG Firewalls: the virtual IP of the GRE tunnel, and the public (WAN) IP on top of it. These packets pass through the internet completely unencrypted, which is insecure.
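To make the point about the two layer 3 headers concrete without a real capture, the following added example (not part of the Sophos article) builds a GRE-in-IP packet from the article's own addresses (outer WAN IPs 192.168.20.1/.2, inner virtual IPs 192.168.5.1/.2) and shows what a passive observer on the internet path can read from it: the outer IP header, the GRE header, the inner IP header and the OSPF datagram itself. It then builds an ESP packet with the same outer addresses and shows that parsing stops at the ESP header. The IPv4 headers are minimal (no options, zero checksum) and the ESP payload is placeholder bytes standing in for ciphertext; both are constructed for illustration.

```python
import struct

# Addresses from the article's example: WAN (outer) IPs and GRE virtual (inner) IPs.
LB_WAN, ACME_WAN = "192.168.20.1", "192.168.20.2"
LB_VIP, ACME_VIP = "192.168.5.1", "192.168.5.2"

IPPROTO_GRE, IPPROTO_ESP, IPPROTO_OSPF = 47, 50, 89
ETHERTYPE_IPV4 = 0x0800


def ip_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: 20 bytes, no options, checksum left at zero (constructed, not captured)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def build_gre_ospf(outer_src, outer_dst, inner_src, inner_dst, ospf_payload):
    """GRE-in-IP packet carrying an OSPF datagram between the tunnel's virtual IPs."""
    inner = ip_header(inner_src, inner_dst, IPPROTO_OSPF, len(ospf_payload)) + ospf_payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no optional fields, protocol type IPv4
    return ip_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def build_esp(outer_src, outer_dst, spi, ciphertext):
    """ESP-in-IP packet: SPI and sequence number in the clear, everything after that opaque."""
    esp = struct.pack("!II", spi, 1) + ciphertext  # ciphertext is placeholder bytes here
    return ip_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def parse_ip(buf):
    """Return (src, dst, protocol) of an IPv4 header and the bytes that follow it."""
    ihl = (buf[0] & 0x0F) * 4
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return (src, dst, buf[9]), buf[ihl:]


def observe(packet):
    """Return the layers a passive observer on the internet path can read from one packet."""
    layers = []
    (src, dst, proto), rest = parse_ip(packet)
    layers.append(("ip", src, dst, proto))
    if proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", rest[:4])
        off = 4
        if flags & 0xC000:
            off += 4  # checksum / routing field present
        if flags & 0x2000:
            off += 4  # key present
        if flags & 0x1000:
            off += 4  # sequence number present
        layers.append(("gre", ptype))
        if ptype == ETHERTYPE_IPV4:
            (isrc, idst, iproto), payload = parse_ip(rest[off:])
            layers.append(("ip", isrc, idst, iproto))  # second layer 3 header, fully readable
            if iproto == IPPROTO_OSPF:
                layers.append(("ospf", payload))       # the routing protocol itself is exposed
    elif proto == IPPROTO_ESP:
        spi, = struct.unpack("!I", rest[:4])
        layers.append(("esp", spi))  # inner IP header and OSPF payload are ciphertext; parsing stops
    return layers


if __name__ == "__main__":
    plain = build_gre_ospf(LB_WAN, ACME_WAN, LB_VIP, ACME_VIP, b"OSPF-HELLO")
    print("GRE only :", observe(plain))
    wrapped = build_esp(LB_WAN, ACME_WAN, 0x1000, b"\x00" * len(plain))
    print("GRE in IPsec:", observe(wrapped))
```

Running it prints four readable layers for the bare GRE packet and only the outer IP header plus the ESP SPI for the IPsec-wrapped one, which is exactly the difference between the two captures the article describes.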
With the steps above, a GRE tunnel has been configured between Lightbulb Corp and Acme Corp. To secure that traffic, an IPsec VPN tunnel will now be configured as an added layer of security.
In this scenario OSPF runs inside the GRE tunnel, and the GRE packets travel between the two WAN IPs. Therefore, the head office WAN IP and the branch WAN IP will be used for the Local Subnet and Remote Subnet fields of the IPsec connection respectively, so that the IPsec policy matches the GRE traffic.
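Because the two `system gre tunnel add` commands and the IPsec subnet fields have to mirror each other exactly (one side's remote-ip is the other side's local-ip, and each side's remote-gw is the other side's WAN IP), a small consistency check is worth having before bringing the tunnel up. The following added example (not the Sophos article's or the firewall's own code) parses the two commands given above, reports any mismatch between the two ends, and derives each site's IPsec Local Subnet and Remote Subnet from them. The mapping of Port2 and PortB to their WAN IPs is an assumption inferred from the remote-gw values, and writing the selectors as /32 host entries is this example's representation, not a field name from the firewall.

```python
# The two GRE tunnel commands from the article, one per site.
LIGHTBULB_CMD = ("system gre tunnel add name LbGre local-gw Port2 remote-gw 192.168.20.2 "
                 "local-ip 192.168.5.1 remote-ip 192.168.5.2")
ACME_CMD = ("system gre tunnel add name AcmeGre local-gw PortB remote-gw 192.168.20.1 "
            "local-ip 192.168.5.2 remote-ip 192.168.5.1")

# Assumed mapping of each site's local-gw port to its WAN IP, inferred from the
# remote-gw values above (the article does not list the ports' addresses explicitly).
WAN_IP = {"Port2": "192.168.20.1", "PortB": "192.168.20.2"}

REQUIRED = ("name", "local-gw", "remote-gw", "local-ip", "remote-ip")


def parse_gre_add(cmd):
    """Turn 'system gre tunnel add key value ...' into a dict; malformed input raises."""
    tokens = cmd.split()
    if tokens[:4] != ["system", "gre", "tunnel", "add"] or len(tokens[4:]) % 2:
        raise ValueError(f"not a well-formed 'system gre tunnel add' command: {cmd!r}")
    kv = dict(zip(tokens[4::2], tokens[5::2]))
    missing = [k for k in REQUIRED if k not in kv]
    if missing:
        raise ValueError(f"missing parameters: {missing}")
    return kv


def check_pair(a, b, wan_ip):
    """Compare both ends of the tunnel; return a list of mismatches (empty means consistent)."""
    problems = []
    for side, other in ((a, b), (b, a)):
        if side["local-ip"] == side["remote-ip"]:
            problems.append(f"{side['name']}: local-ip and remote-ip are identical")
        if side["remote-ip"] != other["local-ip"]:
            problems.append(f"{side['name']}: remote-ip {side['remote-ip']} does not match "
                            f"{other['name']} local-ip {other['local-ip']}")
        expected_gw = wan_ip.get(other["local-gw"])
        if side["remote-gw"] != expected_gw:
            problems.append(f"{side['name']}: remote-gw {side['remote-gw']} is not the WAN IP "
                            f"{expected_gw} of {other['name']} local-gw {other['local-gw']}")
    return problems


def ipsec_selectors(side, wan_ip):
    """Local Subnet / Remote Subnet for the site's IPsec connection.

    Per the article these are the two WAN IPs; this example writes them as single-host
    /32 entries (an assumption about how the host objects are represented)."""
    return f"{wan_ip[side['local-gw']]}/32", f"{side['remote-gw']}/32"


def selectors_mirror(a, b, wan_ip):
    """True when each site's Remote Subnet is exactly the other site's Local Subnet."""
    la, ra = ipsec_selectors(a, wan_ip)
    lb, rb = ipsec_selectors(b, wan_ip)
    return la == rb and ra == lb


if __name__ == "__main__":
    lb, ac = parse_gre_add(LIGHTBULB_CMD), parse_gre_add(ACME_CMD)
    print("GRE mismatches:", check_pair(lb, ac, WAN_IP) or "none")
    for site in (lb, ac):
        local, remote = ipsec_selectors(site, WAN_IP)
        print(f"{site['name']}: IPsec Local Subnet {local}, Remote Subnet {remote}")
    print("IPsec selectors mirror each other:", selectors_mirror(lb, ac, WAN_IP))
```

With the article's values the check reports no mismatches and yields Local Subnet 192.168.20.1/32 and Remote Subnet 192.168.20.2/32 for Lightbulb Corp, and the reverse for Acme Corp; a typo in either remote-ip or remote-gw shows up as a single named problem rather than as an OSPF adjacency that silently never forms.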
Note: Once the IPsec VPN tunnel is added around the GRE tunnel, the packet capture no longer shows the GRE traffic in plain text. The GRE tunnel runs inside the IPsec VPN tunnel and provides the path that allows routing protocol communication between the two sites.
Repeat the same steps as above using Acme Corp's WAN IP and networks.
show ip ospf interface <GRE tunnel name>
show ip ospf database
show ip ospf neighbor
Note: If no OSPF neighbor is seen, make sure that Dynamic Routing is enabled for the VPN zone in the Device Access settings. Go to Administration > Device Access. Under the Local Service ACL section, tick the Dynamic Routing box for the VPN zone.
Follow the steps below for both sites.
The configuration discussed above allows you to route OSPF via the IPsec VPN tunnel.