Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall: How to configure BGP over RBVPN

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read describes configuring BGP routing over a Route-Based VPN (RBVPN) tunnel using the Sophos Firewall with SFOS version 18. This procedure will work between two Sophos Firewall devices and a third-party network device if it supports RBVPN.

Note: This article does not provide in-depth information regarding BGP, RBVPN, or firewall technologies. 

This applies to the following Sophos products and versions
Sophos Firewall version 18 and onwards

Scenario

Establish BGP routing via RBVPN tunnel between the Head Office (HO) and the Branch Office (BO).

Head Office (HO) configuration

The configurations provided here are just an example. You can configure it according to your organization's networks and requirements.

Configure the RBVPN tunnel

  • Go to VPN > IPsec connections. Under the IPsec Connections section, click Add and configure the RBVPN connection, as shown below.

    The Listening interface is the HO's WAN IP, and the Gateway address is the BO's WAN IP. For Version 19 onwards, go to CONFIGURE>Site-to-site VPN>Ipsec then click Add.


  • Click Save. The RBVPN will be automatically activated and will create an interface named xfrm followed by a number.
  • Go to Network > Interfaces and click the xfrm interface that was created. In this example, it’s xfrm6.
  • Enter the virtual IP address for this interface and then click Save.


  • Repeat the procedure above to create another RBVPN tunnel using the other WAN interfaces of the HO and BO, respectively. In this example, the other xfrm interface that was created is xfrm2.





    There should now be two RBVPN connections.

Configure the firewall rules

  1. Go to Rules and Policies> Firewall rules > Add firewall rule > New firewall rule. Configure the inbound firewall rule as shown below.

    For the Source networks and devices and Destination networks, enter the BO's LAN networks and the HO's LAN networks, respectively. You can also create host definitions by clicking Add new item.




  2. Click Save.
  3. Create another firewall rule for the outbound traffic, as shown below.

    For the Source networks and devices and Destination networks, enter the HO's LAN networks and the BO's LAN networks, respectively. You can also create host definitions by clicking Add new item.



  4. Click Save.

Configure the device access

  1. Go to Administration > Device access and enable Ping/Ping6 and Dynamic Routing for the VPN Zone.
  2. Click Apply.

Branch Office (BO) configuration

Configure the RBVPN tunnel

  1. Go to VPN > IPsec connections. Under the IPsec Connections section, click Add and configure the RBVPN connection, as shown below.

    The Listening interface is the BO's WAN IP, and the Gateway address is the HO's WAN IP. For Version 19 onwards, go to CONFIGURE>Site-to-site VPN>Ipsec, then click Add.



  2. Click Save. The RBVPN will be automatically activated and will create an interface named xfrm followed by a number.
  3. Go to Network > Interfaces and click the xfrm interface that was created. In this example, it is xfrm2.
  4. Enter the virtual IP address for this interface and then click Save.


  5. Repeat the procedure above to create another RBVPN tunnel using the other WAN interfaces of the HO and BO, respectively. In this example, the other xfrm interface that was created is xfrm1





    .There should now be two RBVPN connections.



Configure the firewall rules

  1. Go to Rules and Policies > Firewall rules > Add firewall rule > New firewall rule. Configure the inbound firewall rule as shown below.

    For the Source networks and devices and Destination networks, enter the HO's LAN networks and the BO's LAN networks, respectively. You can also create host definitions by clicking Add new item.



  2. Click Save.
  3. Create another firewall rule for the outbound traffic, as shown below.

    For the Source networks and devices and Destination networks, enter the BO's LAN networks and the HO's LAN networks, respectively. You can also create host definitions by clicking Add new item.



  4. Click Save.

Configure the device access

  1. Go to Administration > Device access and enable Ping/Ping6 and Dynamic Routing for the VPN Zone.
  2. Click Apply.

BGP configuration

Head office

  1. Go to Routing > BGP. Enter any IP for the Router ID and enter the Local AS of the HO. We'll use the HO's WAN IP as the Router ID in this example. Click Apply, then click OK when prompted.
  2. Under the Neighbors section, click Add. Enter the IP address of the BO's xfrm interfaces and AS number, and then click Save. Create another one for the other xfrm interface of the BO.

    BO xfrm1
    Parameter Value
    IPv4 address 4.4.4.5
    Remote AS 65520
    BO xfrm2
    Parameter Value
    IPv4 address 3.3.3.4
    Remote AS 65520
  3. Under the Networks section, click Add. Enter the HO's LAN and click Save.



Configure the maximum path

  1. Sign in to the HO's CLI and go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
  2. Run the following commands. Use the HO's AS number. The maximum paths can be configured according to your network requirements.

    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <AS number>
    bgp(config-router)# maximum-paths <number>
    bgp(config-router)# write
    bgp(config-router)# exit
    bgp(config)# exit



  3. Verify the configuration by running the command show running-config.


Branch office

  1. Go to Routing > BGP. Enter any IP for the Router ID and enter the Local AS of the BO. We'll use the BO's WAN IP as the Router ID in this example. Click Apply, then click OK when prompted.
  2. Under the Neighbors section, click Add. Enter the IP address of the HO's xfrm interfaces and AS number, then click Save. Create another one for the other xfrm interface of the HO.

    HO xfrm2
    Parameter Value
    IPv4 address 4.4.4.4
    Remote AS 65510
    HO xfrm6
    Parameter Value
    IPv4 address 3.3.3.3
    Remote AS 65510
  3. Under the Networks section, click Add. Enter the BO's LAN and click Save.



Configure the maximum path

  1. Sign in to the BO's CLI and go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
  2. Run the following commands. Use the BO's AS number. The maximum paths can be configured according to your network requirements.

    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <AS number>
    bgp(config-router)# maximum-paths <number>
    bgp(config-router)# write
    bgp(config-router)# exit
    bgp(config)# exit



  3. Verify the configuration by running the command show running-config.


Verification

RBVPN

  1. In the BO Sophos Firewall, go to VPN > IPsec connections and enable the created tunnels by clicking the red button under the Connection column. It should turn green, meaning that the RBVPN tunnels have been established. 

BGP

  1. Sign in to the CLI of the HO XG Firewall as an administrator.
  2. Select 3. Route Configuration > 1. Configure Unicast Routing > 2. Configure BGP.
  3. Enter the following commands:

    bgp> enable
    bgp# show ip bgp



    bgp# show ip bgp neighbors



    bgp# show ip bgp summary



  4. Go to 5. Device Management > 3. Advanced Shell.
  5. Enter the following command to see that the routes have been advertised.

    route



  6. BGP can also be verified in the Webadmin by going to Routing > Information.

Traffic flow

  1. Go to Diagnostics > Packet capture from the HO XG Firewall and click Configure.
  2. Enter the following as the BPF string, then turn ON the packet capture.

    host 192.20.20.2 and proto ICMP

  3. From the host 192.20.20.2 in the Branch Office, ping the host 192.10.10.2 in the Head Office.



  4. The following will be displayed in the packet capture. It shows that the traffic is going in and out of the xfrm6 interface, the RBVPN tunnel. Traffic can also be checked in the Log Viewer.

 Related information




Added TAGs
[edited by: Raphael Alganes at 5:50 AM (GMT -7) on 17 Sep 2024]
  • Hello to all,
    I followed your configuration step by step but still does not see the session go up, it remains in ACTIVE, should I open some regular detail to let the neighboors communicate?
  • 2 Tunnel are same UP but cannot establish the peering.

    from one sophos:

    router bgp 64743
    bgp router-id  public_IP
    network 10.0.4.0/24
    neighbor 1.1.1.1 remote-as 64742
    maximum-paths 2

    Second Sophos:

    router bgp 64742
    bgp router-id Public_IP
    network 192.168.46.0/24
    neighbor 2.2.2.2 remote-as 64743
    maximum-paths 2

    Thanks

  • Hello Claudio,

    Thank you for contacting the Sophos Community.

    What does the /log/bgpd.log shows?

    Do you happen to have any static route pointing to the Public IP of the router(s)?

    What is the output of 

    bgp> enable
    bgp# show ip bgp

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello,

    Thanks for the reply, no static route.
    This are my logs:
    XG125_XN02_SFOS 18.5.1 MR-1-Build326# tail -f /log/bgpd.log
    2021/10/14 17:40:37 BGP: 2.2.2.2 [Event] Connect start to 2.2.2.2 fd 10
    2021/10/14 17:40:37 BGP: 2.2.2.2 [Event] Connect failed (Operation now in progress)
    2021/10/14 17:40:39 BGP: Import timer expired.
    2021/10/14 17:40:54 BGP: Import timer expired.
    2021/10/14 17:41:09 BGP: Import timer expired.
    2021/10/14 17:41:18 BGP: Performing BGP general scanning
    2021/10/14 17:41:18 BGP: scanning IPv4 Unicast routing tables
    2021/10/14 17:41:24 BGP: Import timer expired.
    2021/10/15 08:58:18 BGP: Vty connection from 127.0.0.1
    2021/10/15 08:58:18 BGP: ####Inside vty_create ()




    bgp# show ip bgp
    BGP table version is 0, local router ID is 185.43.150.248
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, R Removed
    Origin codes: i - IGP, e - EGP, ? - incomplete

    Network Next Hop Metric LocPrf Weight Path
    *> 1.1.1.0/24 0.0.0.0 0 32768 i
    *> 192.168.46.0 0.0.0.0 0 32768 i

    Total number of prefixes 2


    thanks I look forward to your feedback
  • You need a static routing point the firewall to the next hop. 

    __________________________________________________________________________________________________________________

  • Sorry Luca, but which static?do you mean static through the xfrm interface? THe IPsec Tunnel Interface is Up and running but neighbor is in active mode:

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    22.22.22.22     4 65534       0       0        0    0    0 never    Active    

    
    
  • Yeah you need one route to the neighbor to indicate the way, if this is not present. 

    __________________________________________________________________________________________________________________

  • its already present 

    11.11.11.11/32 via xfrm2 and

    22.22.22.22/32  via xfrm4

    HO#  sh run

    Current configuration:
    !
    hostname HO
    log stdout
    !
    debug bgp events
    !
    router bgp 65533
     bgp router-id x.x.x.x
     network 10.10.10.0/24
     neighbor 22.22.22.22 remote-as 65534

    router bgp 65534
     bgp router-id  x.x.x.x
     network 10.0.4.0/24
     neighbor 11.11.11.11 remote-as 65533

    RIB entries 1, using 64 bytes of memory
    Peers 1, using 2484 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    11.11.11.11     4 65533       0       0        0    0    0 never    Active  

    But still in active mode

  • Another question: Could you try a static route with a gateway instead of an interface route? Not sure, if the peer will respond, if you simply blast it via XFRM4 out. Maybe you will need a a gateway address to respond to those packets. 

    __________________________________________________________________________________________________________________