AWS tunnels and bgp

Hi Jack Burghardt 

Please refer the article for IPsec Tunnel - https://community.sophos.com/kb/en-us/133057

For BGP, please refer - https://community.sophos.com/kb/en-us/132891

Looks like two devices cant connect

20/01/25 22:27:26 BGP: 169.254.247.153 [FSM] Timer (connect timer expire)
2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] ConnectRetry_timer_expired (Active->Connect)
2020/01/25 22:27:26 BGP: 169.254.247.153 [Event] Connect start to 169.254.247.153 fd 11
2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] Non blocking connect waiting result
2020/01/25 22:27:26 BGP: 169.254.247.153 went from Active to Connect
2020/01/25 22:27:26 BGP: 169.254.247.153 [Event] Connect failed (Operation now in progress)
2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] TCP_connection_open_failed (Connect->Active)
2020/01/25 22:27:26 BGP: 169.254.247.153 went from Connect to Active
2020/01/25 22:27:34 BGP: Import timer expired.
2020/01/25 22:27:49 BGP: Import timer expired.
2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] Timer (connect timer expire)
2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] ConnectRetry_timer_expired (Active->Connect)
2020/01/25 22:27:57 BGP: 169.254.152.181 [Event] Connect start to 169.254.152.181 fd 11
2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] Non blocking connect waiting result
2020/01/25 22:27:57 BGP: 169.254.152.181 went from Active to Connect
2020/01/25 22:27:57 BGP: 169.254.152.181 [Event] Connect failed (Operation now in progress)
2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] TCP_connection_open_failed (Connect->Active)
2020/01/25 22:27:57 BGP: 169.254.152.181 went from Connect to Active
2020/01/25 22:28:04 BGP: Import timer expired.
2020/01/25 22:28:16 BGP: Performing BGP general scanning
2020/01/25 22:28:16 BGP: scanning IPv4 Unicast routing tables
2020/01/25 22:28:19 BGP: Import timer expired.
2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] Timer (connect timer expire)
2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] ConnectRetry_timer_expired (Active->Connect)
2020/01/25 22:28:27 BGP: 169.254.118.153 [Event] Connect start to 169.254.118.153 fd 11
2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] Non blocking connect waiting result
2020/01/25 22:28:27 BGP: 169.254.118.153 went from Active to Connect
2020/01/25 22:28:27 BGP: 169.254.118.153 [Event] Connect failed (Operation now in progress)
2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] TCP_connection_open_failed (Connect->Active)
2020/01/25 22:28:27 BGP: 169.254.118.153 went from Connect to Active
2020/01/25 22:28:34 BGP: Import timer expired.

My configuration file what am I missing ?

bgp multiple-instance
!
router bgp 65000
bgp router-id XX.XX.XX.XX 
network 169.254.118.152/30
network 169.254.152.180/30
network 169.254.247.152/30
network 169.254.253.44/30
network 172.16.0.0/24
network 172.16.30.0/24
network 192.168.0.0/24
network 192.168.1.0/24
timers bgp 10 30
neighbor 169.254.118.153 remote-as 64512
neighbor 169.254.118.153 update-source XX.XX.XX.XX
neighbor 169.254.118.153 advertisement-interval 60
neighbor 169.254.118.153 timers 10 30
neighbor 169.254.118.153 default-originate
neighbor 169.254.152.181 remote-as 64512
neighbor 169.254.152.181 update-source XX.XX.XX.XX
neighbor 169.254.152.181 advertisement-interval 60
neighbor 169.254.152.181 timers 10 30
neighbor 169.254.152.181 default-originate
neighbor 169.254.247.153 remote-as 64512
neighbor 169.254.247.153 update-source XX.XX.XX.XX
neighbor 169.254.247.153 advertisement-interval 60
neighbor 169.254.247.153 timers 10 30
neighbor 169.254.247.153 default-originate
neighbor 169.254.253.45 remote-as 64512
neighbor 169.254.253.45 update-source XX.XX.XX.XX
neighbor 169.254.253.45 advertisement-interval 60
neighbor 169.254.253.45 timers 10 30
neighbor 169.254.253.45 default-originate
maximum-paths 4
!
route-map aws permit 10
!
line vty
no login
!
end

My configuration file what am I missing ?

bgp multiple-instance
!
router bgp 65000
bgp router-id XX.XX.XX.XX 
network 169.254.118.152/30
network 169.254.152.180/30
network 169.254.247.152/30
network 169.254.253.44/30
network 172.16.0.0/24
network 172.16.30.0/24
network 192.168.0.0/24
network 192.168.1.0/24
timers bgp 10 30
neighbor 169.254.118.153 remote-as 64512
neighbor 169.254.118.153 update-source XX.XX.XX.XX
neighbor 169.254.118.153 advertisement-interval 60
neighbor 169.254.118.153 timers 10 30
neighbor 169.254.118.153 default-originate
neighbor 169.254.152.181 remote-as 64512
neighbor 169.254.152.181 update-source XX.XX.XX.XX
neighbor 169.254.152.181 advertisement-interval 60
neighbor 169.254.152.181 timers 10 30
neighbor 169.254.152.181 default-originate
neighbor 169.254.247.153 remote-as 64512
neighbor 169.254.247.153 update-source XX.XX.XX.XX
neighbor 169.254.247.153 advertisement-interval 60
neighbor 169.254.247.153 timers 10 30
neighbor 169.254.247.153 default-originate
neighbor 169.254.253.45 remote-as 64512
neighbor 169.254.253.45 update-source XX.XX.XX.XX
neighbor 169.254.253.45 advertisement-interval 60
neighbor 169.254.253.45 timers 10 30
neighbor 169.254.253.45 default-originate
maximum-paths 4
!
route-map aws permit 10
!
line vty
no login
!
end

I would recommend to switch to V18 (EAP) and try the Route based VPN tunnel. 

Should be way easier to implement this kind of tunnel. 

If so, please report your success story to the EAP Forum! https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/

I am using 18 allready I am not sure if I am missing routes for aws tunnels in my routing tables I see ipsec0 for both subsets going to  my  two aws instances  any help will be appreciated

Did you choose "Tunnel Interface" instead of Site to Site in Ipsec config? 

This will connect a Tunnel Interface.

In Interfaces, you should see a XFRM Interface. 

Thank you for your help changing to tuner interface worker. How do i stop my router from advertising default route to aws ? I like sophos firewall more and more

You need to be careful in your BGP Configuration. 

Would advice you to take a look at BGP configuration guides. 

Thats most likely something in your BGP configuration (assume something like Default-originate set for BGP).