Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
This article describes how to configure BGP routing over a Route-Based VPN (RBVPN) tunnel using the Sophos XG Firewall with SFOS version 18. This procedure works between two Sophos XG Firewall devices as well as with a third-party network device, as long as it supports RBVPN.
Note: This article does not provide in-depth information regarding BGP, RBVPN, or firewall technologies.
Applies to the following Sophos products and versions
Sophos XG Firewall version 18
Establish BGP routing via RBVPN tunnel between the Head Office (HO) and the Branch Office (BO).
The configurations provided here are just an example. You can configure according to your organization's networks and requirements.
Configure the maximum path
Hello to all, I followed your configuration step by step but still do not see the session go up; it remains in ACTIVE. Should I open some regular detail to let the neighbors communicate?
The 2 tunnels are both UP but cannot establish the peering.
From one Sophos:
router bgp 64743
 bgp router-id public_IP
 network 10.0.4.0/24
 neighbor 1.1.1.1 remote-as 64742
 maximum-paths 2
Second Sophos:
router bgp 64742
 bgp router-id Public_IP
 network 192.168.46.0/24
 neighbor 2.2.2.2 remote-as 64743
 maximum-paths 2
Thanks
Hello Claudio,
Thank you for contacting the Sophos Community.
What does /log/bgpd.log show?
Do you happen to have any static route pointing to the Public IP of the router(s)?
What is the output of:
bgp> enable
bgp# show ip bgp
Regards,
Hello,
Thanks for the reply, no static route. These are my logs:
XG125_XN02_SFOS 18.5.1 MR-1-Build326# tail -f /log/bgpd.log
2021/10/14 17:40:37 BGP: 2.2.2.2 [Event] Connect start to 2.2.2.2 fd 10
2021/10/14 17:40:37 BGP: 2.2.2.2 [Event] Connect failed (Operation now in progress)
2021/10/14 17:40:39 BGP: Import timer expired.
2021/10/14 17:40:54 BGP: Import timer expired.
2021/10/14 17:41:09 BGP: Import timer expired.
2021/10/14 17:41:18 BGP: Performing BGP general scanning
2021/10/14 17:41:18 BGP: scanning IPv4 Unicast routing tables
2021/10/14 17:41:24 BGP: Import timer expired.
2021/10/15 08:58:18 BGP: Vty connection from 127.0.0.1
2021/10/15 08:58:18 BGP: ####Inside vty_create ()
bgp# show ip bgp
BGP table version is 0, local router ID is 185.43.150.248
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.0/24       0.0.0.0                  0         32768 i
*> 192.168.46.0     0.0.0.0                  0         32768 i
Total number of prefixes 2
Thanks, I look forward to your feedback.
Hello, can I have your feedback? Thanks.
You need a static route pointing the firewall to the next hop.
Sorry Luca, but which static? Do you mean static through the xfrm interface? The IPsec tunnel interface is up and running but the neighbor is in Active mode:
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
22.22.22.22     4 65534       0       0        0    0    0 never    Active
Yeah, you need one route to the neighbor to indicate the way, if this is not present.
It's already present:
11.11.11.11/32 via xfrm2 and
22.22.22.22/32 via xfrm4
HO# sh run
Current configuration:
!
hostname HO
log stdout
!
debug bgp events
!
router bgp 65533
 bgp router-id x.x.x.x
 network 10.10.10.0/24
 neighbor 22.22.22.22 remote-as 65534

router bgp 65534
 bgp router-id x.x.x.x
 network 10.0.4.0/24
 neighbor 11.11.11.11 remote-as 65533

RIB entries 1, using 64 bytes of memory
Peers 1, using 2484 bytes of memory
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.11.11.11     4 65533       0       0        0    0    0 never    Active
But still in Active mode.
Another question: Could you try a static route with a gateway instead of an interface route? Not sure if the peer will respond if you simply blast it out via XFRM4. Maybe you will need a gateway address to respond to those packets.
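As an added example (not Sophos code and not taken from this thread), the script below automates the checks the replies above walk through by hand: it parses a Quagga-style "show ip bgp summary" neighbor table, collects "Connect failed" events from bgpd.log, and reports for each non-Established peer whether a host route to it exists and whether that route has a gateway or is interface-only. The neighbor table, log lines and route table are constructed samples modelled on the ones pasted in the thread; the column layout is assumed to be the one shown in those pastes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a neighbor table like the one pasted in the thread.
SAMPLE_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
22.22.22.22     4 65534       0       0        0    0    0 never    Active
"""

# Constructed sample log lines modelled on the bgpd.log excerpt in the thread.
SAMPLE_LOG = """\
2021/10/14 17:40:37 BGP: 22.22.22.22 [Event] Connect start to 22.22.22.22 fd 10
2021/10/14 17:40:37 BGP: 22.22.22.22 [Event] Connect failed (Operation now in progress)
2021/10/14 17:40:39 BGP: Import timer expired.
"""

# Constructed sample static routes: peer /32 -> (interface, gateway or None).
# "22.22.22.22/32 via xfrm4" as posted is an interface route with no gateway.
SAMPLE_ROUTES = {"22.22.22.22/32": ("xfrm4", None)}

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Peer:
    ip: str
    remote_as: int
    msgs_rcvd: int
    msgs_sent: int
    uptime: str
    state: str
    prefixes: Optional[int]  # only set when the session is Established


def parse_summary(text: str):
    """Parse the rows of a Quagga-style 'show ip bgp summary' neighbor table."""
    peers = []
    for line in text.splitlines():
        cols = line.split()
        # Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
        if len(cols) != 10 or not IPV4.fullmatch(cols[0]):
            continue
        last = cols[9]
        # An Established peer shows its received-prefix count in the last
        # column; any other peer shows its FSM state (Idle, Connect, Active...).
        established = last.isdigit()
        peers.append(Peer(
            ip=cols[0], remote_as=int(cols[2]),
            msgs_rcvd=int(cols[3]), msgs_sent=int(cols[4]),
            uptime=cols[8],
            state="Established" if established else last,
            prefixes=int(last) if established else None,
        ))
    return peers


def connect_failures(log_text: str):
    """Collect the peer IPs that logged a 'Connect failed' event in bgpd.log."""
    failed = set()
    for line in log_text.splitlines():
        m = re.search(r"BGP: (\S+) \[Event\] Connect failed", line)
        if m:
            failed.add(m.group(1))
    return failed


def diagnose(summary: str, log_text: str, routes: dict):
    """Return {peer_ip: finding} for every peer that is not Established."""
    failed = connect_failures(log_text)
    findings = {}
    for p in parse_summary(summary):
        if p.state == "Established":
            continue
        route = routes.get(f"{p.ip}/32")
        if route is None:
            findings[p.ip] = "no host route to peer: add a static route toward the tunnel"
            continue
        iface, gateway = route
        if p.state == "Active" and p.ip in failed and p.msgs_rcvd == 0:
            # Outbound TCP/179 attempts fail and nothing was ever received:
            # the peer is not reachable through the route we have.
            hint = f"TCP connect to {p.ip} via {iface} fails and no messages received"
            if gateway is None:
                hint += "; interface-only route, try a gateway address"
            findings[p.ip] = hint
        else:
            findings[p.ip] = f"state {p.state}, up/down {p.uptime}, route via {iface}"
    return findings


if __name__ == "__main__":
    for ip, finding in diagnose(SAMPLE_SUMMARY, SAMPLE_LOG, SAMPLE_ROUTES).items():
        print(ip, "->", finding)
```

Run it against real output by pasting the neighbor table and the tail of /log/bgpd.log into the two strings; a peer whose session is up yields no finding, while a peer stuck in Active with failed connects is reported together with the route it would use.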