I need help on how to configure BGP on Sophos XG v17.5. An IPsec site-to-site VPN has been established between Sophos and AWS, but the BGP neighborship between AWS and Sophos still shows down.
Hi Helix,
Thank you for reaching out to the Community!
You would have to configure a GRE tunnel and then an IPsec tunnel to route BGP traffic.
Check out the following KB Articles:
Thanks,
Route-based VPN is another way of using IPsec. It's supported in V18. https://www.youtube.com/watch?v=o4NB1nHBOsE&ab_channel=SophosSupport
Azure and AWS VPN gateways use this kind of technology to build up VPN tunnels. So you could use it to build up the IPsec to them.
Therefore you do not need to set up a GRE tunnel, as VTIs will provide an XFRM (virtual interface) for you. This XFRM interface can be used to bind BGP.
I have done this with Azure VPN; I guess this is most likely the same on AWS VPN. It's very easy to build, if you know how BGP works.
__________________________________________________________________________________________________________________
I have little understanding of BGP; I don't know if you can help me out here.
I have my XG on v18 now. I have established the IPsec tunnel and I have the XFRM interface.
I have configured it with BGP, but the status on AWS still shows Down, and from the BGP information on Sophos the neighbor status shows idle.
See attached screenshots of the configurations done.
Kindly assist, Lucar
This will be complicated to explain, what to do.
So let's try it:
Check device access: VPN --> Dynamic Routing enabled?
Likely you got an IP and an AS from AWS, which you have to enter as a neighbor. Did you create a static route to this IP and use the XFRM interface?
You have a neighbor of 80.5. This is your XFRM interface. Are you sure this is correct?
__________________________________________________________________________________________________________________
Dynamic Routing is enabled
I got an IP and AS from AWS, which I have configured below.
Regarding the IP to use for the XFRM interface, I am not sure of the parameters to be inserted; that's why I used the neighbor IP. I need a clarification on this.
Actually, you could use some other IPs in the XFRM tunnel. Simply use something which is not used in your network. Your config is invalid; you need to change the XFRM interface IPs.
Then create a static route to both neighbors, using the matching XFRM interface.
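A small check for the addressing mistake discussed above, added here as an example and not part of the thread or of any Sophos or AWS tooling: AWS hands out a /30 "inside tunnel" CIDR per IPsec tunnel, the AWS side uses one usable host of it (the BGP neighbor) and the XFRM interface on the XG must carry the other one with the /30 mask. The inside CIDR 169.254.80.4/30 is assumed from the neighbor 169.254.80.5 seen in the thread.

```python
from ipaddress import IPv4Interface, IPv4Network

# Constructed values modelled on the thread (assumed, not taken from an AWS config):
AWS_INSIDE_CIDR = IPv4Network("169.254.80.4/30")  # per-tunnel inside CIDR from AWS
AWS_NEIGHBOR = "169.254.80.5"                      # AWS side of the /30, the BGP neighbor


def check_xfrm_addressing(local_cidr: str, neighbor_ip: str, inside_cidr: IPv4Network):
    """Validate the XFRM interface address against the AWS inside tunnel /30.

    Returns (ok, findings, expected_local, directly_connected).
    """
    local = IPv4Interface(local_cidr)          # e.g. "169.254.80.6/30"
    neighbor = IPv4Interface(neighbor_ip + "/32").ip
    hosts = list(inside_cidr.hosts())          # the two usable addresses of the /30
    findings = []

    if neighbor not in hosts:
        findings.append(f"neighbor {neighbor} is not a usable host of {inside_cidr}")

    # The XG must take whichever usable host the neighbor is not using.
    expected_local = next((h for h in hosts if h != neighbor), None)

    if local.ip == neighbor:
        findings.append("XFRM interface IP equals the BGP neighbor IP (invalid config)")
    elif local.ip != expected_local:
        findings.append(f"XFRM interface IP {local.ip} should be {expected_local}")

    if local.network != inside_cidr:
        findings.append(f"XFRM network {local.network} does not match {inside_cidr}")

    # With the correct /30 on the XFRM interface the neighbor sits in the interface's
    # connected subnet, which is why no extra static route toward it is usually needed.
    directly_connected = neighbor in local.network and local.ip != neighbor

    return (not findings, findings, str(expected_local), directly_connected)
```

Run it once with the thread's configuration (`"169.254.80.5/30"` as local) and once with the derived value to see the difference.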
__________________________________________________________________________________________________________________
The static route is not accepted because the neighbors are seen as a link-local address (169.254.80.5).
And moreover, is a static route needed?
Isn't that what a BGP route is meant to achieve?