Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
This article describes the steps on how to configure BGP routing over a Route-Based VPN (RBVPN) tunnel using the Sophos XG Firewall with SFOS version 18. This procedure will work between two Sophos XG Firewall devices as well as with a third-party network device as long as it supports RBVPN.
Note: This article does not provide in-depth information regarding BGP, RBVPN, or firewall technologies.
Applies to the following Sophos products and versions
Sophos XG Firewall version 18
Establish BGP routing via RBVPN tunnel between the Head Office (HO) and the Branch Office (BO).
The configurations provided here are just an example. You can configure according to your organization's networks and requirements.
Configure the maximum path
Hello to all, I followed your configuration step by step but still do not see the session go up; it remains in ACTIVE. Should I open some regular detail to let the neighbors communicate?
The 2 tunnels are both UP but cannot establish the peering.
From one Sophos:
router bgp 64743
 bgp router-id public_IP
 network 10.0.4.0/24
 neighbor 1.1.1.1 remote-as 64742
 maximum-paths 2
Second Sophos:
router bgp 64742
 bgp router-id Public_IP
 network 192.168.46.0/24
 neighbor 2.2.2.2 remote-as 64743
 maximum-paths 2
Thanks
Yeah you need one route to the neighbor to indicate the way, if this is not present.
It's already present:
11.11.11.11/32 via xfrm2 and
22.22.22.22/32 via xfrm4
HO# sh run
Current configuration:
!
hostname HO
log stdout
!
debug bgp events
!
router bgp 65533
 bgp router-id x.x.x.x
 network 10.10.10.0/24
 neighbor 22.22.22.22 remote-as 65534

router bgp 65534
 bgp router-id x.x.x.x
 network 10.0.4.0/24
 neighbor 11.11.11.11 remote-as 65533

RIB entries 1, using 64 bytes of memory
Peers 1, using 2484 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.11.11.11     4 65533       0       0        0    0    0 never    Active
But it's still in Active mode.
Another question: Could you try a static route with a gateway instead of an interface route? Not sure if the peer will respond if you simply blast it via XFRM4 out. Maybe you will need a gateway address to respond to those packets.
The tunnel is up but I see that the xfrm2 interface is disabled (why, if the tunnel is up?). I don't know why; maybe the problem could be there?
Likely this can cause the problem. Interfaces (XFRM) should be up, if the tunnel is up. Maybe you have to restart the tunnel and check. Are you running a recent firmware version?
Hi Luca, solved by deleting and recreating the tunnel interface; now they are neighbors. The strange thing is that I cannot see the networks announced from both:
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
11.11.11.11     4 65533       7       8        0    0    0 00:04:59 0

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
22.22.22.22     4 65534       7       9        0    0    0 00:05:30 0
Trying to enable the "disable-connected-check" command, I can see the neighbor's networks, but when I set maximum-paths to 255 or 20 these networks disappear. Is there a way to make them give the correct maximum path?
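For the two symptoms in this thread (a neighbor that stays in Active with MsgRcvd/MsgSent at 0, and a neighbor that reaches Established but shows 0 under State/PfxRcd), here is a small added Python checker. It is example code written for this page, not Sophos code and not anything the posters ran. It assumes FRR/Quagga-style config text as the XG BGP console prints it, uses constructed samples built from the HO/BO configs and summary rows posted above (the BO hostname is an assumption), and treats the disable-connected-check hint as a heuristic drawn from the post above rather than a rule.

```python
"""Added example (not Sophos code): sanity checks for a two-site BGP-over-RBVPN setup.
Parses FRR/Quagga-style "sh run" text and "show ip bgp summary" rows and reports the
two failure modes seen in the thread: a peer stuck in Active, and an Established peer
that has received 0 prefixes."""
import re
from dataclasses import dataclass, field

# Constructed samples from the configs posted above, one statement per line.
# The BO hostname is an assumption; router IDs are the placeholders as posted.
HO_CONFIG = """\
hostname HO
router bgp 65533
 bgp router-id x.x.x.x
 network 10.10.10.0/24
 neighbor 22.22.22.22 remote-as 65534
"""
BO_CONFIG = """\
hostname BO
router bgp 65534
 bgp router-id x.x.x.x
 network 10.0.4.0/24
 neighbor 11.11.11.11 remote-as 65533
"""
# Constructed summary rows: the stuck-in-Active row and the "up but 0 prefixes" row.
SUMMARY_ROWS = ["11.11.11.11 4 65533 0 0 0 0 0 never Active",
                "22.22.22.22 4 65534 7 9 0 0 0 00:05:30 0"]

@dataclass
class BgpConfig:
    hostname: str = ""
    local_as: int = 0
    neighbors: dict = field(default_factory=dict)       # peer ip -> remote-as
    neighbor_flags: dict = field(default_factory=dict)  # peer ip -> set of other options

def parse_bgp_config(text: str) -> BgpConfig:
    """Pull the hostname and the 'router bgp' block out of a running-config dump."""
    cfg, in_bgp = BgpConfig(), False
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("!"):
            continue
        if parts[0] == "hostname":
            cfg.hostname = parts[1]
        elif parts[:2] == ["router", "bgp"]:
            in_bgp, cfg.local_as = True, int(parts[2])
        elif parts[0] in ("line", "end", "router", "interface"):
            in_bgp = False  # any other top-level section closes the bgp block
        elif in_bgp and parts[0] == "neighbor" and len(parts) >= 3:
            if parts[2] == "remote-as":
                cfg.neighbors[parts[1]] = int(parts[3])
            else:
                cfg.neighbor_flags.setdefault(parts[1], set()).add(" ".join(parts[2:]))
    return cfg

def check_pair(a: BgpConfig, b: BgpConfig) -> list:
    """ERROR: remote-as differs from the other side's local AS (never Established).
    INFO: eBGP neighbor without disable-connected-check, the option the thread needed
    before prefixes were exchanged over the xfrm interface (a hint, not a rule)."""
    findings = []
    for side, other in ((a, b), (b, a)):
        for ip, remote_as in side.neighbors.items():
            if remote_as != other.local_as:
                findings.append(f"ERROR {side.hostname}: neighbor {ip} remote-as {remote_as}, "
                                f"but {other.hostname} runs AS {other.local_as}")
            elif remote_as != side.local_as and \
                    "disable-connected-check" not in side.neighbor_flags.get(ip, set()):
                findings.append(f"INFO {side.hostname}: eBGP neighbor {ip} lacks "
                                "disable-connected-check; consider it if 0 prefixes arrive")
    return findings

# One "show ip bgp summary" row: Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down
# State/PfxRcd. The last column is a prefix count once Established, else the FSM state.
SUMMARY_ROW = re.compile(r"^(?P<ip>\S+)\s+\d+\s+(?P<asn>\d+)(?:\s+\d+){5}\s+"
                         r"(?P<updown>\S+)\s+(?P<state>\S+)$")

def parse_summary_row(row: str) -> dict:
    m = SUMMARY_ROW.match(row.strip())
    if not m:
        raise ValueError(f"not a bgp summary row: {row!r}")
    up = m["state"].isdigit()
    return {"peer": m["ip"], "remote_as": int(m["asn"]), "uptime": m["updown"],
            "established": up, "state": "Established" if up else m["state"],
            "prefixes": int(m["state"]) if up else None}

def diagnose(rows) -> list:
    """Map each summary row to the next thing to check, per the thread's findings."""
    out = []
    for p in map(parse_summary_row, rows):
        if not p["established"]:
            out.append(f"{p['peer']}: state {p['state']}, no TCP session yet; verify the "
                       "route to the peer and that the xfrm interface is up")
        elif p["prefixes"] == 0:
            out.append(f"{p['peer']}: Established for {p['uptime']} but 0 prefixes; verify "
                       "network statements and the connected check on both sides")
    return out

if __name__ == "__main__":
    ho, bo = parse_bgp_config(HO_CONFIG), parse_bgp_config(BO_CONFIG)
    print("\n".join(check_pair(ho, bo) + diagnose(SUMMARY_ROWS)))
```

Paste each side's "sh run" output into HO_CONFIG and BO_CONFIG and the "show ip bgp summary" rows into SUMMARY_ROWS; an ERROR line means the AS numbers cannot form a session, an INFO line points at the connected check, and the diagnose lines say which of the two thread symptoms each peer is showing.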
Hi all, I resolved the problem; your documentation lacks some BGP parameters to add. You can close the ticket. Greetings
Valerio, I have the same problem. What did you do to resolve it? Regards
My config:

BO
bgp# sh run
Current configuration:
!
hostname bgp
log stdout
!
router bgp 5001
 bgp router-id PublicIP
 network 172.25.10.0/24
 neighbor 10.0.0.1 remote-as 5000
 neighbor 10.0.0.2 remote-as 5000
 maximum-paths 2
!
line vty
 no login
!
end
----------------
HO
bgp# sho run
Current configuration:
!
hostname bgp
log stdout
!
router bgp 5000
 bgp router-id PubliIP
 network 172.21.10.0/24
 neighbor 10.0.0.5 remote-as 5001
 neighbor 10.0.0.6 remote-as 5001
 maximum-paths 2
!
line vty
 no login
!
end
-----
VPN IPSEC UP ... Configured xfrm interface, using /30.
Birules, so did you solve it? Thank you