This article describes how to add Sophos XG IPsec routes to OSPF routing without a GRE tunnel.
Have you come across a scenario with a policy-based site-to-site IPsec tunnel between a Sophos XG and a remote office (either another Sophos Firewall or a different vendor), where you need the routes for the traffic selector networks permitted through the associated SA to be added to OSPF routing?
You might say that the scenario is perfectly doable by following the steps in the Sophos KB article “Sophos XG Firewall: How to configure OSPF over IPsec VPN”, which is absolutely fine and achievable.
The topic became a trending one in a Microsoft Teams discussion among my co-workers: what would be an easier alternative, not requiring a GRE tunnel, to get any new IPsec routes redistributed via OSPF?
Before we move on to the next steps, it is important to clarify that by default Sophos XG only redistributes the following types of routes:
- Connected networks
- Static routes
- RIP routes
- BGP routes
Enable kernel route redistribution in the OSPF configuration on the Sophos XG firewall
Luckily, Sophos XG Firewall adheres to Cisco terminology for routing configuration and provides a Cisco-compliant CLI to configure static routes and dynamic routing protocols, which also gives us the option to redistribute kernel routes.
NOTE: the full Sophos CLI documentation can be found here.
With these settings in place you are not done yet, because IPsec routes are not automatically installed into the kernel FIB (Forwarding Information Base). Note the output of the “ip route” command: you will not see any line for the remote SA network 192.168.187.0/24.
Add the ipsec0 route into the main kernel routing table
To add the ipsec0 route into the main kernel routing table, enter the following command in the console:
Console> system ipsec_route add net <0.0.0.0/255.255.255.0> tunnelname <tunnelname>
Note that after this the ipsec0 route shows up in the list:
The netstat -nr output also shows the kernel IP routing table:
With those settings done, the XG is able to redistribute all the kernel routes across the OSPF area. For any future tunnel, the XG administrator only needs to add the static entry: console> system ipsec_route add net <0.0.0.0/255.255.255.0> tunnelname <tunnelname>
and all routers in the area will get the IPsec network into their OSPF route database:
Router 1 output of the command “show ip ospf database”
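As an added example (not from the original post and not a Sophos tool), the following Python reconciles the remote networks of each tunnel's traffic selector against `ip route` output and returns the `system ipsec_route add` commands that are still missing, in the net/mask form used by the command above. The route lines, tunnel names and networks are constructed sample data; the only assumption about the appliance is that its `ip route` output is the usual Linux iproute2 format.

```python
import ipaddress
import re

# Constructed Linux `ip route` output as it might look on the XG before the
# branch network is installed (example data, not captured from an appliance).
SAMPLE_IP_ROUTE = """\
default via 203.0.113.1 dev Port2 proto static
10.10.10.0/24 dev Port1 proto kernel scope link src 10.10.10.1
172.16.50.0/24 dev ipsec0 proto static scope link
203.0.113.0/24 dev Port2 proto kernel scope link src 203.0.113.10
"""

# Hypothetical policy-based tunnels with the remote networks of their traffic
# selectors; the tunnel names are placeholders.
TUNNELS = {
    "HQ_to_Branch": ["192.168.187.0/24"],
    "HQ_to_Lab": ["172.16.50.0/24", "172.16.51.0/24"],
}

ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s.*?\bdev\s+(?P<dev>\S+)")

def parse_ip_route(text):
    """Map each destination network in `ip route` output to its device."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes[ipaddress.ip_network(dst, strict=False)] = m.group("dev")
    return routes

def as_dotted(net):
    """192.168.187.0/24 -> 192.168.187.0/255.255.255.0 (ipsec_route syntax)."""
    return f"{net.network_address}/{net.netmask}"

def missing_ipsec_routes(ip_route_text, tunnels):
    """Return the `system ipsec_route add` commands still needed so that every
    selector network has a kernel route (and can be redistributed by OSPF)."""
    kernel = parse_ip_route(ip_route_text)
    commands = []
    for name, nets in tunnels.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr, strict=False)
            if kernel.get(net) == "ipsec0":
                continue  # already installed via the IPsec interface
            commands.append(f"system ipsec_route add net {as_dotted(net)} tunnelname {name}")
    return commands

if __name__ == "__main__":
    print("\n".join(missing_ipsec_routes(SAMPLE_IP_ROUTE, TUNNELS)))
```

Re-running it after the routes are added returns an empty list, which doubles as a check that the kernel table and the tunnel selectors have not drifted apart.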
I personally think this approach is an excellent way to get the IPsec routes to be added to the OSPF distribution database.
I would like to give a huge shout-out to my friend and former co-worker Luiz Camilo, who came up with this setup solution during the discussion about this scenario. Thanks a lot for sharing this with me and allowing me to share it with my readers.
I hope this was helpful for you. Don’t hesitate to leave any comments.