
How to add Sophos XG IPsec route to OSPF routing without GRE Tunnel


This article describes the steps to add a Sophos XG IPsec route to OSPF routing without a GRE tunnel.

Have you come across a scenario with a policy-based site-to-site IPsec tunnel between a Sophos XG and a remote office (either a Sophos Firewall or another vendor's device), where you need to add the IPsec routes from the traffic selectors permitted through the associated SA into OSPF routing?


Sophos XG OSPF diagram

Well, you might say that this scenario is entirely doable by following the steps in the KB article “Sophos XG Firewall: How to configure OSPF over IPsec VPN”, which is absolutely fine and achievable.

This became a trending topic in a Microsoft Teams discussion among my co-workers: what would be an alternative, easier way to make this change that does not require a GRE tunnel and still lets any new IPsec route be redistributed via OSPF?

Before we move on to the next steps, as a matter of clarification, it is important to stress that by default Sophos XG only redistributes the following types of routes:

  • Connected networks
  • Static routes
  • RIP routes
  • BGP routes

Enable Redistribution Kernel Routing in OSPF Config on Sophos XG firewall

Luckily, Sophos XG Firewall adheres to Cisco terminology for routing configuration and provides a Cisco-compliant CLI for configuring static routes and dynamic routing protocols, which also gives us the option to redistribute kernel routes.

NOTE: Full Sophos CLI documentation can be found here

Even with these settings in place, you are not ready yet: IPsec routes are not automatically installed into the kernel FIB (Forwarding Information Base). Look at the output of the “ip route” command and you will not see any line for the remote SA network 192.168.187.0/24.

Add IPsec0 route into the main Kernel Routing table

In order to add the ipsec0 route to the main kernel routing table, enter the following command in the device console:

Console> system ipsec_route add net <0.0.0.0/255.255.255.0> tunnelname <tunnel_name>

After this, the ipsec0 route shows up in the list:

The output of netstat -nr also shows the route in the kernel IP routing table.


With these settings in place, the XG is able to redistribute all kernel routes across the OSPF area. For any new IPsec network in the future, the XG administrator only needs to add the static entry: console> system ipsec_route add net <0.0.0.0/255.255.255.0> tunnelname <tunnel_name>


And all routers will receive the IPsec network in their OSPF route database:


Router 1 output of the command “show ip ospf database”
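To verify the two states described above without eyeballing screenshots, here is an added shell helper (example code, not part of the original post or of Sophos' CLI) that checks captured output of ip route and show ip ospf database for the remote SA network. The sample outputs are constructed; the interface name ipsec0 and the column layout of the LSA listing are assumptions about how the XG and the peer router print them.

```shell
#!/bin/sh
# Added verification helper, not from the original post. Checks that a remote
# IPsec selector (a) is installed in the kernel FIB via ipsec0 and (b) shows
# up as an AS-external LSA in a neighbour's OSPF database. All outputs below
# are constructed samples; "ipsec0" and the LSA layout are assumptions.

# Constructed `ip route` output before `system ipsec_route add ...` is run.
ROUTES_BEFORE='default via 203.0.113.1 dev Port2
10.10.10.0/24 dev Port1 proto kernel scope link src 10.10.10.1
203.0.113.0/24 dev Port2 proto kernel scope link src 203.0.113.10'

# Same table after adding the ipsec0 route for the remote SA network.
ROUTES_AFTER="$ROUTES_BEFORE
192.168.187.0/24 dev ipsec0 scope link"

# Constructed `show ip ospf database` excerpt from a neighbour router.
OSPF_DB='            Router Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#       CkSum  Link count
10.10.10.1      10.10.10.1      120  0x80000003 0x4a1c 1

            AS External Link States
Link ID         ADV Router      Age  Seq#       CkSum  Route
192.168.187.0   10.10.10.1      30   0x80000001 0x2b7e E2 192.168.187.0/24 [0x0]'

# kernel_has_route "<ip route output>" <prefix>: true only when <prefix> is in
# the FIB and bound to ipsec0; the same prefix on another interface would not
# be the IPsec selector we want OSPF to pick up.
kernel_has_route() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 == p && /dev ipsec0/ { found = 1 } END { exit !found }'
}

# ospf_has_external "<show ip ospf database output>" <prefix>: true when the
# network part of <prefix> is a Link ID inside the AS External Link States
# section only; a match in the router-LSA section does not count.
ospf_has_external() {
    printf '%s\n' "$1" | awk -v p="${2%/*}" '
        /Link States/    { ext = ($0 ~ /AS External/) }
        ext && $1 == p   { found = 1 }
        END              { exit !found }'
}

# Usage on the constructed samples.
kernel_has_route "$ROUTES_AFTER" 192.168.187.0/24 && echo "kernel FIB: route present via ipsec0"
ospf_has_external "$OSPF_DB" 192.168.187.0/24 && echo "OSPF: advertised as AS-external LSA"
```

On a real XG, feed the functions the live output (for example `kernel_has_route "$(ip route)" 192.168.187.0/24` from the advanced shell) instead of the constructed strings.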

I personally think this approach is an excellent way to get the IPsec routes added to the OSPF distribution database.

I would like to give a huge shout-out to my friend and former co-worker Luiz Camilo, who came up with this setup solution during the discussion about this scenario. Thanks a lot for sharing this with me and allowing me to share it with my readers.

I hope this was helpful for you. Don’t hesitate to leave any comments.

Juana Melo

I'm a self-taught security network engineer and blogger, sharing everything I'm learning along the way.
