
XG not compatible with GCP HA CloudVPN?

Hi,


I'm trying to set up IPSEC with GCP HA VPN. According to the documentation, both traffic selectors (local and remote) should be set to 0.0.0.0/0 (which corresponds to ANY, I assume?).

This is not possible in Sophos XG. When local and remote selectors in the VPN config are set to "Any", it's impossible to save that configuration.


Relevant section from the GCP documentation:


"Use dynamic routing for the VPN tunnel. If your peer VPN gateway supports BGP, both local and remote traffic selectors for the VPN tunnel are 0.0.0.0/0 by definition. Routes are exchanged automatically between the peer VPN gateway and the Cloud Router associated with your Cloud VPN tunnel. If you can use dynamic routing, consider HA VPN."


And yes, I intend to use dynamic routing, so please don't suggest "don't use dynamic routing" as a solution ;-)
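For reference, this is what the route-based tunnel GCP describes looks like on a peer that can express it: a strongSwan (charon) swanctl.conf with both selectors at 0.0.0.0/0 and the SA bound to a VTI so that BGP routes, not selectors, decide what enters the tunnel. This is an added illustration, not from the thread, Sophos or Google; the addresses (RFC 5737 documentation ranges), PSK, mark value and the 169.254.x.x BGP link-local address are constructed placeholders.

```conf
# /etc/swanctl/swanctl.conf  (strongSwan 5.x / charon)  -- added example
# ASSUMED placeholder values: 203.0.113.10 = on-prem public IP,
# 198.51.100.20 = GCP HA VPN gateway interface IP, mark 42, PSK below.
connections {
    gcp-ha-vpn {
        version = 2                      # HA VPN requires IKEv2
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        children {
            any-any {
                # The 0.0.0.0/0 selectors the GCP docs require: the SA
                # is not tied to a fixed subnet pair (policy-based); it
                # carries whatever the kernel routes onto the VTI.
                local_ts  = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                esp_proposals = aes256-sha256-modp2048
                # fwmark binds this SA to the VTI created with "key 42".
                mark_in  = 42
                mark_out = 42
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-gcp {
        id = 198.51.100.20
        secret = "CHANGE-ME-placeholder-psk"
    }
}
# Kernel side (as root): the VTI is the interface the BGP session runs over.
#   ip link add vti0 type vti local 203.0.113.10 remote 198.51.100.20 key 42
#   ip addr add 169.254.0.2/30 dev vti0   # link-local address from Cloud Router (placeholder)
#   ip link set vti0 up
#   sysctl -w net.ipv4.conf.vti0.disable_policy=1
```

With this shape, the route table (populated by the BGP daemon peering with the Cloud Router) is the only thing that decides which destinations traverse the tunnel, which is exactly the configuration a policy-based-only device cannot express.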




  • Hello Jeoren,

    Dynamically routed IPSEC VPNs, aka route-based IPsec VPNs, are not compatible with the XG.

    The XG can only connect (with some exceptions) and pass traffic in policy-based IPsec VPN tunnels.

    So unfortunately, "don't use dynamic routing" is the only response available :(

    As far as I'm aware, this is the only supported method of connecting to GCP:

    I believe this will change in v18.

    Br

    Emile

  • Thanks for your reply.

    That’s disappointing to hear :-/

    I used to own a cheap Ubiquiti router, which I used to connect to an AWS IPsec VPN. It did dynamic BGP routing over IPsec just fine.

    I feel a bit frustrated that I spent money on an XG appliance and get less functionality than my cheaper router.

    My own fault. Should have investigated this more, before buying it I guess...

  • Hi Jeoroen,

    Less functionality in one area, more in another.

    There is technically systemic support for it because Charon IKEv2 is incorporated, but as part of the Charon implementation the other routing and backend systems were not ready to support full BGP routing over IPSEC.

    V18 EAP is starting in the next month, so you can quantify the status of the next version.

    Emile

  • Hi,


    Currently got it working using "Classic" CloudVPN. I'll see what V18 brings in the future. My current license runs until Jan. 2020; I'll see how far Sophos XG has evolved by then. Since V18 will be a complete rewrite (if I understand correctly), I hope this will be solved.

    While I appreciate the Sophos XG firewall and the insights it offers into my network, more enterprisey features like IPSec and BGP matter for a device that is being sold as a business-grade device.
