Distribute IPSec site-to-site network via OSPF

Hello,
I found a solution where IPSec networks are distributed via OSPF and would like to know if this is correct? Can I use this in a productive environment?

1. SSH -> 4. Device Console
2. system ipsec_route add net 192.168.123.0/255.255.255.0 tunnelname IPSEC-TUNNEL-NAME

3. SSH -> 3. Route Configuration -> 1. Configure Unicast Routing -> 2. Configure OSPF
4. enable -> configure terminal -> router ospf -> redistribute kernel
8. exit -> write memory

The routes previously defined with ipsec_route are distributed with redistribute kernel. The VPN tunnel has to be online as well. Can I use redistribute kernel or is this not recommended?

Thanks,
Patrick

Added TAGs
[edited by: Raphael Alganes at 9:14 AM (GMT -7) on 10 Oct 2024]

Top Replies

Sreenivasulu Naidu 1 month ago in reply to Patrick's +2

Patrick's , you can go with route based IPsec VPN if the other end of IPsec gateway supports and have OSPF over xfrm interface on SFOS to redistribute routes from SFOS and vice-versa.

Parents

0 Vivek Jagad 1 month ago

Hi Patrick's ,

Thank you for reaching out to the community, I recommend you to refer the KBA - Sophos Firewall: Configure OSPF over IPsec VPN And Sophos XG: OSPF Over IPSEC VPN (youtube.com)

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Patrick's 1 month ago in reply to Vivek Jagad

It's about IPsec connections to other companies. I have no access to the other site. The option with a GRE tunnel is not a solution that I can use.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Sreenivasulu Naidu 1 month ago in reply to Patrick's

Patrick's , you can go with route based IPsec VPN if the other end of IPsec gateway supports and have OSPF over xfrm interface on SFOS to redistribute routes from SFOS and vice-versa.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Patrick's 1 month ago in reply to Sreenivasulu Naidu

We have a lot of policy-based IPsec connections with external companies. Unfortunately, we can't change them. Is it safe to use redistribute kernel for policy-based IPsec connections or is there another solution?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Patrick's 1 month ago in reply to Sreenivasulu Naidu

We have a lot of policy-based IPsec connections with external companies. Unfortunately, we can't change them. Is it safe to use redistribute kernel for policy-based IPsec connections or is there another solution?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Sreenivasulu Naidu 1 month ago in reply to Patrick's

Patrick's , With the approach mentioned in your initial post, do you see OSPF neighbourship established between SFOS and other gateway? I doubt the session comes up; unless the session is up, how will the networks be distributed over OSPF?

What local and remote subnets you have in you policy based IPsec tunnel?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Patrick's 1 month ago in reply to Sreenivasulu Naidu

Yes I see OSPF neighbourship established between SFOS and other gateway on the local (LAN) Interface. The OSPF session is established. Currently I do not need OSPF via IPsec, I want the many IPsec subnets to my routers on the LAN side. Sorry for the confusion.

I have

redistribute kernel
redistribute connected
redistribute static

in a test environment to local OSPF neighbours.

With ‘redistribute connected’, all local subnets are distributed. With ‘redistribute static’, all static subnets from the GUI list are distributed. With ‘redistribute kernel’, the policy-based IPSec subnets are distributed. This works fine, but I can't find any documentation or indication if it is ok to use ‘redistribute kernel’. So everything works in my test environment. My only question is if it is allowed to use it in a sophos production environment?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 Mahalakshmi S 1 month ago in reply to Patrick's

Hi Patrick's ,

Yes, "redistribute kernel" CLI can be used to advertise such ipsec routes into OSPF domain. The command would include all the routes directly installed in the kernel, as part of the OSPF advertisements. The routes would be advertised as any other redistributed route(External routes, Type 5).

Thanks.
Cancel
Vote Up +2 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Patrick's 1 month ago in reply to Mahalakshmi S

Thanks! In my test with ‘redistribute kernel’ only the ipsec routes are transmitted. When using ‘redistrubute connected’, I was able to prevent unwanted routes (HA-Interface/MGM/WAN-Interface) with route map.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel