
Video on how to configure OSPF across an IPSEC Tunnel on the Sophos XG

Hi All,

I made a video on how to configure OSPF across an IPSEC Tunnel using the Sophos XG. Hope you find it useful. I'm also open to video suggestions if you have any :) 

www.youtube.com/watch

  • I finally got it fixed. My issue was routing priority.

    By default XG (17.0.8MR8) is using the following routing precedence:

    1. Policy routes
    2. VPN routes
    3. Static routes

    I went into the CLI, used option 4 to get to the console, and then changed the precedence with:

    console> system route_precedence set vpn policyroute static

    I'm now seeing ESP traffic in Wireshark and no HTTP traffic when accessing the webserver from my client.

    UPDATE:

    I give up. The traffic was unencrypted again after a reboot of the XG appliances. RED tunnels seem like the only option.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect
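
An added check for the failure mode described in this post (example code, not from the thread or from Sophos): it audits a tshark field export of the capture taken on the path between the two XG WAN addresses and reports whether that traffic is ESP or has fallen back to cleartext GRE, as it did here after the reboot. It assumes the capture was exported with `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto`; the addresses and timestamps in the sample are constructed placeholders.

```python
# Audit a tshark field export for cleartext traffic between two IPsec endpoints.
# Assumed export: tshark -r cap.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto
# tshark repeats the ip.* fields for encapsulated (GRE) packets as "outer,inner".
from collections import Counter

PROTO_NAMES = {6: "tcp", 17: "udp", 47: "gre", 50: "esp", 89: "ospf"}
ESP = 50

# Constructed sample (placeholder addresses): ESP at first, then GRE-encapsulated
# OSPF and TCP appear in the clear between the same two WAN addresses.
SAMPLE = """\
1000.0\t203.0.113.10\t198.51.100.20\t50
1000.5\t198.51.100.20\t203.0.113.10\t50
1001.0\t203.0.113.10\t198.51.100.20\t50
1120.0\t203.0.113.10,10.255.0.1\t198.51.100.20,10.255.0.2\t47,89
1120.4\t198.51.100.20,10.255.0.2\t203.0.113.10,10.255.0.1\t47,89
1121.0\t203.0.113.10,192.168.1.50\t198.51.100.20,192.168.2.10\t47,6
"""


def parse(text):
    """Yield (timestamp, outer_src, outer_dst, [protocol chain]) per packet."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto = line.split("\t")[:4]
        chain = [int(p) for p in proto.split(",")]  # outer first, e.g. [47, 89]
        recs.append((float(ts), src.split(",")[0], dst.split(",")[0], chain))
    return recs


def audit(text, endpoint_a, endpoint_b):
    """Count ESP vs cleartext packets between the two tunnel endpoints.

    Returns {"esp": n, "cleartext": {"gre/ospf": n, ...}, "first_cleartext": ts|None}.
    Anything between the endpoints that is not ESP is reported as cleartext,
    labelled by its protocol chain so GRE-carried OSPF/TCP is visible.
    """
    pair = {endpoint_a, endpoint_b}
    esp, cleartext, first_cleartext = 0, Counter(), None
    for ts, src, dst, chain in parse(text):
        if {src, dst} != pair:
            continue  # only traffic between the two tunnel endpoints matters
        if chain == [ESP]:
            esp += 1
            continue
        label = "/".join(PROTO_NAMES.get(p, f"proto{p}") for p in chain)
        cleartext[label] += 1
        if first_cleartext is None:
            first_cleartext = ts
    return {"esp": esp, "cleartext": dict(cleartext), "first_cleartext": first_cleartext}
```

A non-empty `cleartext` result after the tunnel was previously all ESP is the symptom the thread describes; `first_cleartext` gives the time to line up against the appliance's reboot.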

  • Hi Kenneth,

    Here's what we did (although we're using iBGP instead of OSPF):

    -Use the public IPs as local and remote networks in the IPsec config (just like in the KB), use the GRE IPs as local and remote networks in IPsec, and finally use the subnets at each site in the IPsec config. You need all three (or more if you have more than one local subnet on each side).

    So at the end of the day you'll have at least three definitions for the local and remote sides (WAN IPs, GRE endpoints, and finally each site's subnets you want to talk back and forth).

    -Scott

  • Hi Scott,

    I will give it a try today :-) But are you sure the routing is carried over iBGP in your example and not because of you adding the networks in the IPsec config? The reason I wanted to use a dynamic routing protocol in the first place was because of the benefits of dynamic routing and not having to configure all the networks in the IPsec config.

    UPDATE:

    I made a factory reset of both XG appliances (testing environment) and then followed the KB again. But this time I added both WAN and GRE IPs in the IPsec local trusted network and remote trusted network, and the Wireshark PC is now showing ESP packages instead of the ICMP and HTTP traffic I use for testing. BUT rebooting the appliances makes the traffic unencrypted again. It seems like the GRE is coming up before the IPsec tunnel and then the traffic goes over that instead of IPsec.

    UPDATE2:

    Adding the local and remote networks to IPsec as well didn't make any difference.

  • Hello Kenneth,

    Just saw the messages. Are you particularly looking to use iBGP or any dynamic routing protocol? 

    Thanks.

  • Hi David,

    OSPF is my preferred protocol in this test. But I'm willing to test iBGP if that works

  • "But are you sure the routing is carried over iBGP in your example and not because of you adding the networks in the IPSec config?"

    Yeah, routing is carried over iBGP. I can see all the BGP routes populate in the information tab under the BGP screen after it gets its routing table pushed to it (takes a couple of minutes). In my case the other side of the connection is a Cisco router.

    You didn't create any GRE routes by chance? We don't have any GRE routes in place in our setup on the Sophos. We also didn't change the routing order preference either.

    -Scott

  • Thank you for your answer Scott,

    I can see the same with OSPF without putting the subnets in the IPsec config.

    Nope, I have only created a point-to-point GRE tunnel.

    I made a factory reset yesterday when trying your suggestions, so my routing preference is in the default order now.

  • Hi Kenneth

    I have the same case, and actually the traffic via the IPsec tunnel isn't encrypted.

    Description of my case:

    - Using OSPF via IPsec tunnels between HO and Branch site (both Sophos XG)

    - I have followed the KB https://community.sophos.com/kb/en-us/131827

    So I have some questions about this KB and hope you can help me:

    - Do you know how to set the subnet mask for the GRE tunnel? It seems the GRE tunnel uses the default mask by class.

    - Up to date, is there any solution to fix the unencrypted traffic via IPsec, or are RED tunnels the best choice?

    - In my topology, the Sophos at the HO site will be using default-information originate for the default route for Sophos-Branch to learn? But it seems Sophos-Branch always prefers the default GW of the WAN link over OSPF. Do you know how to fix it?

    Thanks so much

  • Hi Gecko,

    I had the same experience initially, but eventually got it working and saw only ESP packages until I did a reboot of the appliances; then the traffic showed up as unencrypted again.

    -There's, to my experience, no way to set the subnet mask for the GRE tunnel.

    -OSPF over RED is working fine and GRE isn't needed since you get an interface to do the routing on. IPsec on the other hand is broken until we see the issue number from my previous post as fixed in the changelog. I hope they will fix it in one of the next releases, cause it's a serious security issue.

    -I have never tried that, so you're on your own on that one. But have you looked here?

    Default Information Originate
    Select an option to control the distribution of the default route.
    Available Options:
    Never
    Regular – On selecting Regular provide the metric and select the metric type.
    Always – On selecting Always provide the metric and select the metric type.
    The default setting is Never.

  • Hi Kenneth

    Thank you for your response

    -There's to my experience, no way to set the subnet mask for the GRE tunnel.

    => OK, I got it

    -OSPF over RED is working fine and GRE isn't needed since you get an interface to do the routing on. IPSec on the other hand is broken until we see the issue number from my previous post as fixed in the changelog. I hope they will fix it in one of the next releases, cause it's a serious security issue.

    => OK, I got it

    -I have never tried that, so you're on your own on that one. But have you looked here?

    => Yes, I mean Sophos_Branch has learned the default route over OSPF well (the default route shows in the OSPF routing table), but when I try to connect to the Internet from PC-Branch the traffic always uses the default GW of the WAN link instead of OSPF.

    In my case all traffic should be directed to HO, not go out directly from the local site.

  • And you have set the default-information originate on your HQ site?

    It should be straightforward when looking at this article: https://www.cisco.com/c/en/us/support/docs/ip/open-shortest-path-first-ospf/47868-ospfdb9.html

    Routing order in SFOS is the following:

    Kernel Routing:

    1. Local Connected Networks
    2. Dynamic Routing Protocols

    XG Routing (you can change the precedence of these three):

    1. Policy Routes
    2. VPN Routes
    3. Static Routes

    Could it be the masquerading in your firewall rule that makes the traffic leave the local interface? I will have to play around with it next week if you need more help.