Coming Soon

Create Google Cloud Specific BGP Over IPSec Documentation

I spent roughly 4 days getting BGP configured between our Google Cloud Platform VPC and one of our on-prem Sophos XG Firewalls. With the following references, and with help from Tyler in support, we were finally able to establish BGP sessions.

https://support.sophos.com/support/s/article/KB-000038375?language=en_US

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/125806/sophos-xg-firewall-set-up-ipsec-tunnel-between-aws-vpn-gateway-and-xg-v18-with-bgp

Although these guides were helpful, there are several things that aren't explained and simply aren't obvious (no matter what cloud provider you are trying to establish a BGP session with).

1. The "Router ID" in the "BGP" screen doesn't appear to actually do anything. You can set this to any value and it doesn't affect the BGP session (at least BGP over IPSec). This is very confusing, because a user will try inputting either a WAN IP, or Link Local BGP IP into this field, but it won't do anything. Why is this field here?

2. This is related to issue #1. The issue is where to set the link-local BGP IP addresses. The first document doesn't mention this at all. It wasn't until a lot of trial and error, and reading the second doc very carefully, that we noticed we didn't have an "xfrm" interface being created by our IPSec tunnels. We needed to change our "Connection Type" to "Tunnel Interface" to get the XFRM interface to appear. Once we had the XFRM interface, we finally pieced together that this is where to bind the link-local BGP IP.

3. It is not clear what IP to set for neighbors. Similar to the above, it isn't really clear if you should use the BGP IP of the neighbors, or if you should use the WAN IP of the VPN tunnel.

4. There is no obvious way to see if things are working from the Sophos side, and there is a lack of debug output. It wasn't until I was clicking around in the "Information" tab that I realized the "Remote Router ID" for my neighbors was "0.0.0.0". This led me to try and find a way to bind the BGP IP to the IPSec tunnel, which is how we finally discovered the need to create the XFRM interface. I would recommend specifically calling out that users should look at this screen, and that if you see "0.0.0.0", things aren't configured correctly and you probably need to edit your XFRM interface and make sure your neighbor has the correct AS and BGP IP.

Hopefully these tips and issues are helpful. It would be great to have a GCP-specific guide for configuring BGP over IPSec from Sophos, instead of just piecing things together from various community posts.
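For reference, here is the Google Cloud side of the setup the post describes, as an added example that is not part of the post and is not Sophos or Google documentation. It creates an HA VPN gateway, an external VPN gateway entry for the XG's WAN address, one tunnel, and a Cloud Router interface plus BGP peer. The three points the post raises map directly onto it: the link-local BGP addresses (169.254.x.x/30, which Google requires) live on the Cloud Router interface and peer, which is the GCP counterpart of binding the BGP IP to the XG's xfrm interface; the XG WAN IP appears only as the tunnel endpoint, never as the BGP neighbor; and `gcloud compute routers get-status` is the GCP counterpart of the XG "Information" tab. All project, network, gateway and router names, the ASNs, the addresses and the shared secret are placeholders (assumptions), and `DRY_RUN=1` prints the commands instead of running them so the mapping can be reviewed before touching a project. Check the flags against your installed `gcloud` version before use.

```shell
#!/bin/sh
# Added example: GCP side of a Sophos XG "Tunnel Interface" IPsec connection with BGP.
# Not from the post, Sophos or Google; all names, ASNs, addresses and the secret are
# placeholders (assumptions). Override them via the environment.
set -eu

PROJECT="${PROJECT:-example-project}"
REGION="${REGION:-us-central1}"
NETWORK="${NETWORK:-prod-vpc}"
GCP_ASN="${GCP_ASN:-65001}"            # Cloud Router ASN (private range)
ONPREM_ASN="${ONPREM_ASN:-65002}"      # ASN entered in Sophos XG Routing > BGP
ONPREM_WAN_IP="${ONPREM_WAN_IP:-203.0.113.10}"  # XG WAN IP: tunnel endpoint, NOT the BGP neighbor
GCP_BGP_IP="${GCP_BGP_IP:-169.254.10.1}"        # link-local BGP IP on the Cloud Router interface;
                                                #   this is the neighbor IP to enter on the XG
ONPREM_BGP_IP="${ONPREM_BGP_IP:-169.254.10.2}"  # link-local BGP IP bound to the XG xfrm interface;
                                                #   this is the peer IP on the Cloud Router
SHARED_SECRET="${SHARED_SECRET:-replace-me}"

# DRY_RUN=1 prints each gcloud command on one line instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Google only accepts BGP session addresses inside 169.254.0.0/16.
is_link_local() {
    case "$1" in
        169.254.*) return 0 ;;
        *) return 1 ;;
    esac
}

create_gcp_side() {
    is_link_local "$GCP_BGP_IP"    || { echo "GCP_BGP_IP must be 169.254.x.x" >&2; return 1; }
    is_link_local "$ONPREM_BGP_IP" || { echo "ONPREM_BGP_IP must be 169.254.x.x" >&2; return 1; }

    # Cloud Router: the BGP speaker on the GCP side.
    run gcloud compute routers create xg-router --project "$PROJECT" --region "$REGION" \
        --network "$NETWORK" --asn "$GCP_ASN"

    # HA VPN gateway and the on-prem peer definition (the XG WAN IP lives here only).
    run gcloud compute vpn-gateways create xg-ha-gw --project "$PROJECT" --region "$REGION" \
        --network "$NETWORK"
    run gcloud compute external-vpn-gateways create xg-onprem-gw --project "$PROJECT" \
        --interfaces "0=$ONPREM_WAN_IP"

    # IKEv2 tunnel on gateway interface 0, attached to the router.
    run gcloud compute vpn-tunnels create xg-tunnel0 --project "$PROJECT" --region "$REGION" \
        --vpn-gateway xg-ha-gw --interface 0 \
        --peer-external-vpn-gateway xg-onprem-gw --peer-external-vpn-gateway-interface 0 \
        --ike-version 2 --shared-secret "$SHARED_SECRET" --router xg-router

    # The BGP addresses go on the router interface and peer, not on the tunnel endpoints.
    # GCP_BGP_IP/30 here is the equivalent of the address bound to the XG xfrm interface.
    run gcloud compute routers add-interface xg-router --project "$PROJECT" --region "$REGION" \
        --interface-name if-xg-tunnel0 --vpn-tunnel xg-tunnel0 \
        --ip-address "$GCP_BGP_IP" --mask-length 30
    run gcloud compute routers add-bgp-peer xg-router --project "$PROJECT" --region "$REGION" \
        --peer-name xg-peer0 --interface if-xg-tunnel0 \
        --peer-ip-address "$ONPREM_BGP_IP" --peer-asn "$ONPREM_ASN"
}

# GCP counterpart of the XG "Information" tab: per-peer BGP state from the Cloud Router.
check_bgp_status() {
    run gcloud compute routers get-status xg-router --project "$PROJECT" --region "$REGION" \
        --format 'yaml(result.bgpPeerStatus)'
}

# Usage (prints the commands; drop DRY_RUN to execute):
#   DRY_RUN=1 ONPREM_WAN_IP=198.51.100.7 sh gcp-xg-bgp.sh
if [ "${0##*/}" = "gcp-xg-bgp.sh" ]; then
    create_gcp_side
    check_bgp_status
fi
```

On the XG side, the values that must match are: the neighbor IP is `GCP_BGP_IP`, the neighbor AS is `GCP_ASN`, the address bound to the xfrm interface is `ONPREM_BGP_IP/30`, and the XG's own AS is `ONPREM_ASN`. If `get-status` shows the peer without an established state while the XG "Information" tab still shows a "Remote Router ID" of "0.0.0.0", the tunnel is up but the BGP addresses are on the wrong interface or do not match between the two sides.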