Sophos XG Firewall: How to configure BGP over RBVPN

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article describes how to configure BGP routing over a Route-Based VPN (RBVPN) tunnel on the Sophos XG Firewall with SFOS version 18. The procedure works between two Sophos XG Firewall devices, and also between a Sophos XG Firewall and a third-party network device, as long as that device supports route-based VPN.

Note: This article does not provide in-depth information regarding BGP, RBVPN, or firewall technologies.


Applies to the following Sophos products and versions
Sophos XG Firewall version 18

Scenario

Establish BGP routing via RBVPN tunnel between the Head Office (HO) and the Branch Office (BO).

Head Office (HO) configuration

The configuration shown here is only an example; adapt the addresses, AS numbers and networks to your organization's requirements.

Configure the RBVPN tunnel

  1. Go to VPN > IPsec connections. Under the IPsec Connections section, click Add and configure the RBVPN connection as shown below.

    The Listening interface is the HO's WAN IP and the Gateway address is the BO's WAN IP.



  2. Click Save. The RBVPN will be automatically activated and will create an interface named xfrm followed by a number.
  3. Go to Network > Interfaces and click on the xfrm interface that was created. In this example, it is xfrm6.
  4. Enter the virtual IP address for this interface and then click Save.


  5. Repeat the procedure above to create another RBVPN tunnel using the other WAN interfaces of the HO and BO respectively. In this example, the other xfrm interface that was created is xfrm2.





    There should now be two RBVPN connections.

Configure the firewall rules

  1. Go to Rules and policies > Firewall rules > Add firewall rule > New firewall rule. Configure the inbound firewall rule as shown below.

    For the Source networks and devices and Destination networks, enter the BO's LAN networks and the HO's LAN networks respectively. You can also create host definitions by clicking Add new item.




  2. Click Save.
  3. Create another firewall rule for the outbound traffic as shown below.

    For the Source networks and devices and Destination networks, enter the HO's LAN networks and the BO's LAN networks respectively. You can also create host definitions by clicking Add new item.



  4. Click Save.

Configure the device access

  1. Go to Administration > Device access and enable Ping/Ping6 and Dynamic Routing for the VPN Zone. The BGP sessions are established over the xfrm interfaces, which belong to the VPN zone, so without this the neighbors cannot reach the firewall's BGP service.
  2. Click Apply.

Branch Office (BO) configuration

Configure the RBVPN tunnel

  1. Go to VPN > IPsec connections. Under the IPsec Connections section, click Add and configure the RBVPN connection as shown below.

    The Listening interface is the BO's WAN IP and the Gateway address is the HO's WAN IP.



  2. Click Save. The RBVPN will be automatically activated and will create an interface named xfrm followed by a number.
  3. Go to Network > Interfaces and click on the xfrm interface that was created. In this example, it is xfrm2.
  4. Enter the virtual IP address for this interface and then click Save.


  5. Repeat the procedure above to create another RBVPN tunnel using the other WAN interfaces of the HO and BO respectively. In this example, the other xfrm interface that was created is xfrm1.

    There should now be two RBVPN connections.



Configure the firewall rules

  1. Go to Rules and policies > Firewall rules > Add firewall rule > New firewall rule. Configure the inbound firewall rule as shown below.

    For the Source networks and devices and Destination networks, enter the HO's LAN networks and the BO's LAN networks respectively. You can also create host definitions by clicking Add new item.



  2. Click Save.
  3. Create another firewall rule for the outbound traffic as shown below.

    For the Source networks and devices and Destination networks, enter the BO's LAN networks and the HO's LAN networks respectively. You can also create host definitions by clicking Add new item.



  4. Click Save.

Configure the device access

  1. Go to Administration > Device access and enable Ping/Ping6 and Dynamic Routing for the VPN Zone.
  2. Click Apply.

BGP configuration

Head office

  1. Go to Routing > BGP. Enter the HO's WAN IP as the Router ID and enter the Local AS of the HO. Click Apply and then click OK when prompted.
  2. Under the Neighbors section, click Add. Enter the IP address of one of the BO's xfrm interfaces and the BO's AS number, then click Save. Create a second neighbor for the BO's other xfrm interface.

    BO xfrm1
    Parameter      Value
    IPv4 address   4.4.4.5
    Remote AS      65520

    BO xfrm2
    Parameter      Value
    IPv4 address   3.3.3.4
    Remote AS      65520
  3. Under the Networks section, click Add. Enter the HO's LAN and click Save.



Configure the maximum path

  1. Sign in to the HO's CLI and go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
  2. Run the following commands, using the HO's AS number. maximum-paths sets how many equal-cost BGP paths are installed for a prefix, which is what lets traffic use both tunnels; set it according to your network requirements.

    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <AS number>
    bgp(config-router)# maximum-paths <number>
    bgp(config-router)# write
    bgp(config-router)# exit
    bgp(config)# exit



  3. Verify the configuration by running the command show running-config.


Branch office

  1. Go to Routing > BGP. Enter the BO's WAN IP as the Router ID and enter the Local AS of the BO. Click Apply and then click OK when prompted.
  2. Under the Neighbors section, click Add. Enter the IP address of one of the HO's xfrm interfaces and the HO's AS number, then click Save. Create a second neighbor for the HO's other xfrm interface.

    HO xfrm2
    Parameter      Value
    IPv4 address   4.4.4.4
    Remote AS      65510

    HO xfrm6
    Parameter      Value
    IPv4 address   3.3.3.3
    Remote AS      65510
  3. Under the Networks section, click Add. Enter the BO's LAN and click Save.



Configure the maximum path

  1. Sign in to the BO's CLI and go to 3. Route Configuration > 1. Configure Unicast Routing > 3. Configure BGP.
  2. Run the following commands, using the BO's AS number. As on the HO, maximum-paths sets how many equal-cost BGP paths are installed and can be set according to your network requirements.

    bgp> enable
    bgp# configure terminal
    bgp(config)# router bgp <AS number>
    bgp(config-router)# maximum-paths <number>
    bgp(config-router)# write
    bgp(config-router)# exit
    bgp(config)# exit



  3. Verify the configuration by running the command show running-config.


Verification

RBVPN

  1. In the BO XG Firewall, go to VPN > IPsec connections and click the red button under the Connection column for each tunnel you created to initiate it. The button turns green once the RBVPN tunnel has been established.

BGP

  1. Sign in to the CLI of the HO XG Firewall as an administrator.
  2. Select 3. Route Configuration > 1. Configure Unicast Routing > 2. Configure BGP.
  3. Enter the following commands:

    bgp> enable
    bgp# show ip bgp



    bgp# show ip bgp neighbors



    bgp# show ip bgp summary



  4. Go to 5. Device Management > 3. Advanced Shell.
  5. Enter the following command to see that the routes have been advertised.

    route



  6. BGP can also be verified in the Webadmin by going to Routing > Information.
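In the show ip bgp summary output, an established neighbor shows a number in the State/PfxRcd column (the prefixes received), while a neighbor whose TCP session has not come up shows an FSM state name such as Active or Connect instead. The following is an added example, not code from Sophos or from this article: it parses a constructed sample of that table and compares it with the neighbors configured on the HO, so the check can be run after step 3 or turned into a monitoring probe. The sample uses the Quagga-style column layout; the exact columns printed by a given SFOS build are an assumption, and the router ID is an RFC 5737 placeholder.

```python
import re

# Constructed sample of "show ip bgp summary" in the Quagga-style layout (assumed
# column set). Peer 3.3.3.4 is established with one prefix received; peer 4.4.4.5
# is stuck in Active, meaning the TCP session to it has never been established.
SAMPLE_SUMMARY = """\
BGP router identifier 203.0.113.1, local AS number 65510
RIB entries 3, using 336 bytes of memory
Peers 2, using 9120 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
3.3.3.4         4 65520     120     118        0    0    0 01:55:22        1
4.4.4.5         4 65520       0       0        0    0    0 never    Active

Total number of neighbors 2
"""

# One peer row: address, BGP version, AS, five counters (MsgRcvd MsgSent TblVer
# InQ OutQ), Up/Down, then either a prefix count or the FSM state name.
PEER_ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<ver>\d)\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S+)\s*$")


def parse_summary(text):
    """Return {neighbor_ip: {"as", "up_down", "established", "state", "prefixes"}}."""
    peers = {}
    for line in text.splitlines():
        m = PEER_ROW.match(line)
        if not m:
            continue  # headers, memory lines and the trailer never match the row pattern
        state = m["state"]
        established = state.isdigit()  # a bare number is the received-prefix count
        peers[m["ip"]] = {
            "as": int(m["asn"]),
            "up_down": m["updown"],
            "established": established,
            "state": "Established" if established else state,
            "prefixes": int(state) if established else None,
        }
    return peers


def audit_peers(text, expected):
    """Compare the live summary with the neighbors that were configured.

    expected: {neighbor_ip: remote_as}. Returns three lists a monitoring check can
    alert on; all three empty means every configured peer is present and established.
    """
    peers = parse_summary(text)
    return {
        "missing": sorted(ip for ip in expected if ip not in peers),
        "not_established": sorted(ip for ip, p in peers.items() if not p["established"]),
        "as_mismatch": sorted(ip for ip, asn in expected.items()
                              if ip in peers and peers[ip]["as"] != asn),
    }


if __name__ == "__main__":
    configured = {"3.3.3.4": 65520, "4.4.4.5": 65520}  # the HO's neighbors from the article
    for ip, p in parse_summary(SAMPLE_SUMMARY).items():
        print(f"{ip:<10} AS{p['as']} {p['state']:<12} up/down {p['up_down']} "
              f"prefixes {p['prefixes']}")
    print(audit_peers(SAMPLE_SUMMARY, configured))
```

Keying the audit on the configured neighbor list, rather than only on what the table happens to show, also catches a neighbor that was never saved in the Webadmin, which the summary alone would not reveal.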

Traffic flow

  1. From the HO XG Firewall, go to Diagnostics > Packet capture and then click Configure.
  2. Enter the following as the BPF string and then turn ON the packet capture.

    host 192.20.20.2 and proto ICMP

  3. From the host 192.20.20.2 in the Branch Office, ping the host 192.10.10.2 in the Head Office.



  4. The packet capture shows the ICMP traffic entering and leaving through the xfrm6 interface, which is the RBVPN tunnel. Traffic can also be checked in the Log Viewer.

Modified the Disclaimer
[edited by: DominicRemigio at 7:14 AM (GMT -8) on 11 Mar 2021]
  • Hello to all,
    I followed your configuration step by step but still do not see the session go up; it remains in ACTIVE. Should I open some regular detail to let the neighbors communicate?
  • Both tunnels are UP, but they cannot establish the peering.

    From one Sophos:

    router bgp 64743
    bgp router-id  public_IP
    network 10.0.4.0/24
    neighbor 1.1.1.1 remote-as 64742
    maximum-paths 2

    Second Sophos:

    router bgp 64742
    bgp router-id Public_IP
    network 192.168.46.0/24
    neighbor 2.2.2.2 remote-as 64743
    maximum-paths 2

    Thanks

  • Hello Claudio,

    Thank you for contacting the Sophos Community.

    What does /log/bgpd.log show?

    Do you happen to have any static route pointing to the Public IP of the router(s)?

    What is the output of:

    bgp> enable
    bgp# show ip bgp

    Regards,

    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hello,

    Thanks for the reply, no static route.
    These are my logs:
    XG125_XN02_SFOS 18.5.1 MR-1-Build326# tail -f /log/bgpd.log
    2021/10/14 17:40:37 BGP: 2.2.2.2 [Event] Connect start to 2.2.2.2 fd 10
    2021/10/14 17:40:37 BGP: 2.2.2.2 [Event] Connect failed (Operation now in progress)
    2021/10/14 17:40:39 BGP: Import timer expired.
    2021/10/14 17:40:54 BGP: Import timer expired.
    2021/10/14 17:41:09 BGP: Import timer expired.
    2021/10/14 17:41:18 BGP: Performing BGP general scanning
    2021/10/14 17:41:18 BGP: scanning IPv4 Unicast routing tables
    2021/10/14 17:41:24 BGP: Import timer expired.
    2021/10/15 08:58:18 BGP: Vty connection from 127.0.0.1
    2021/10/15 08:58:18 BGP: ####Inside vty_create ()
    bgp# show ip bgp
    BGP table version is 0, local router ID is 185.43.150.248
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
    r RIB-failure, S Stale, R Removed
    Origin codes: i - IGP, e - EGP, ? - incomplete

    Network Next Hop Metric LocPrf Weight Path
    *> 1.1.1.0/24 0.0.0.0 0 32768 i
    *> 192.168.46.0 0.0.0.0 0 32768 i

    Total number of prefixes 2


    Thanks, I look forward to your feedback.