Hi All,
I made a video on how to configure OSPF across an IPSEC Tunnel using the Sophos XG. Hope you find it useful. I'm also open to video suggestions if you have any :)
I finally got it fixed. My issue was routing priority.
By default XG (17.0.8MR8) uses the following routing precedence:
I went into the CLI, used option 4 to get to the console and then changed the precedence with:
console> system route_precedence set vpn policyroute static
I'm now seeing ESP traffic in Wireshark and no HTTP traffic when accessing the webserver from my client.
UPDATE:
I give up... the traffic was unencrypted again after a reboot of the XG appliances. RED tunnels seem like the only option.
Sophos UTM 9.3 Certified Engineer
Sophos UTM 9.3 Certified Architect
Sophos XG v.15 Certified Engineer
Sophos XG v.17 Certified Engineer
Sophos XG v.17 Certified Architect
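As an added example (my own, not from the thread or from Sophos), this Python check classifies raw IPv4 packets captured on the WAN side of the tunnel and flags traffic between the two protected LANs (192.168.89.0/24 and 192.168.91.0/24, from the lab table later in this thread) that is not carried inside ESP, which is the unencrypted-after-reboot condition described above. The peer WAN addresses and the sample packets are constructed.

```python
import ipaddress
import struct

ESP, UDP, TCP = 50, 17, 6
IKE_PORTS = {500, 4500}  # IKE and NAT-T: the only plaintext UDP expected between the peers

def parse_ipv4(pkt: bytes) -> dict:
    """Extract src/dst/proto and, for TCP/UDP, the L4 ports from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    sport = dport = None
    if proto in (TCP, UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}

def classify(pkt: bytes, protected) -> str:
    """'esp'/'ike' are expected on the WAN; 'cleartext-leak' means LAN-to-LAN traffic left in plain."""
    p = parse_ipv4(pkt)
    if p["proto"] == ESP:
        return "esp"
    if p["proto"] == UDP and {p["sport"], p["dport"]} & IKE_PORTS:
        return "ike"
    nets = [ipaddress.ip_network(n) for n in protected]
    if any(p["src"] in n for n in nets) and any(p["dst"] in n for n in nets):
        return "cleartext-leak"
    return "other"

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: 20-byte IPv4 header (checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed capture: WAN peers are TEST-NET placeholders; packet 3 is what the regression looks like.
SAMPLE = [
    build_ipv4("203.0.113.1", "198.51.100.1", ESP, b"\x00" * 8),
    build_ipv4("203.0.113.1", "198.51.100.1", UDP, struct.pack("!HH", 500, 500)),
    build_ipv4("192.168.89.10", "192.168.91.20", TCP, struct.pack("!HH", 51000, 80)),
]

def audit(packets, protected=("192.168.89.0/24", "192.168.91.0/24")) -> list:
    """Classify every packet; any 'cleartext-leak' entry means the tunnel is not protecting traffic."""
    return [classify(p, protected) for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, audit(SAMPLE)):
        print(f"{parse_ipv4(pkt)['src']} -> {parse_ipv4(pkt)['dst']}: {verdict}")
```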
Hi Kenneth
I have the same case, and actually the traffic via the IPsec tunnel isn't encrypted.
Description of my case:
- Using OSPF via IPsec tunnels between HO and Branch site (both Sophos XG)
- I have followed the KB https://community.sophos.com/kb/en-us/131827
So I have some questions about this KB and hope you can help me:
- Do you know how to set the subnet mask for the GRE tunnel? It seems the GRE tunnel uses the default classful mask.
- To date, is there any solution to fix the unencrypted traffic via IPsec, or are RED tunnels the best choice?
- In my topology, the Sophos at the HO site uses default-information originate so that Sophos-Branch learns the default route. But it seems Sophos-Branch always prefers the default GW of the WAN link over OSPF. Do you know how to fix it?
Thanks so much
Hi Gecko,
I had the same experience initially, but eventually got it working and saw only ESP packets until I did a reboot of the appliances; then the traffic showed up as unencrypted again.
- There's, in my experience, no way to set the subnet mask for the GRE tunnel.
- OSPF over RED is working fine and GRE isn't needed since you get an interface to do the routing on. IPsec, on the other hand, is broken until we see the issue number from my previous post marked as fixed in the changelog. I hope they will fix it in one of the next releases, because it's a serious security issue.
- I have never tried that, so you're on your own on that one. But have you looked here?
Hi Kenneth
Thank you for your response.
- There's, in my experience, no way to set the subnet mask for the GRE tunnel.
=> OK, I got it.
- OSPF over RED is working fine and GRE isn't needed since you get an interface to do the routing on. IPsec, on the other hand, is broken until we see the issue number from my previous post marked as fixed in the changelog. I hope they will fix it in one of the next releases, because it's a serious security issue.
=> OK, I got it.
- I have never tried that, so you're on your own on that one. But have you looked here?
=> Yes, I mean Sophos_Branch has learned the default route over OSPF well (the default route shows in the OSPF routing table), but when I try to connect to the Internet from PC-Branch, the traffic always uses the default GW of the WAN link instead of OSPF.
In my case, all traffic should go through HO, not directly out from the local site.
And have you set default-information originate on your HQ site?
It should be straightforward when looking at this article: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/47868-ospfdb9.html
Routing order in SFOS is the following:
Kernel Routing:
XG Routing (you can change the precedence of these three):
Could it be the masquerading in your firewall rule that makes the traffic leave the local interface? I will have to play around with it next week if you need more help.
I made a setup in my homelab with OSPF over RED interfaces. The OSPF route table on the branch office has learned the 0.0.0.0/0 route via 172.16.10.1, but as you said, the traffic still leaves the local WAN interface.
I made a workaround by creating a static route on the branch office, 0.0.0.0/0.0.0.0 gateway 172.16.10.1 <-- RED interface on HQ... And now the traffic leaves my HQ. We are either doing something wrong or the feature isn't working; my guess is the latter, since creating a static route defeats the purpose of dynamic routing.
|                               | HQ               | Branch          |
|-------------------------------|------------------|-----------------|
| RED                           | 172.16.10.1/30   | 172.16.10.2/30  |
| LAN                           | 192.168.89.0/24  | 192.168.91.0/24 |
| Default Information Originate | always, metric 0 |                 |
Hi Kenneth
Yes, I have tried creating a static route like you did before and it works, but it seems so weird, right?
The default route is learned via OSPF and we must create one more static route with the same next hop.
I don't understand whether this is the behavior of Sophos or something is wrong. :)
Again, thank you so much for all your responses until now.
XG does not put the default route obtained by OSPF in the main table.
For it to use Zebra and enter the route, it is necessary to use the "ospf push-default-route-to-kernel" command.
To do this, you must go through the CLI to the OSPF configuration option (select 3, 1, and 2).
ospf> enable
ospf# configure terminal
ospf(config)# router ospf
ospf(config-router)# ospf push-default-route-to-kernel