How to get AWS VPC to work on XG

I am writing this because I found many people who can't get the AWS VPC to work on the XG like it used to work on UTM v9.

This document assumes you know how to do this on the UTM also.

1) Create the VPN on EC2.

   a) Make sure you disable all of the AES-128 options AND IKEv1 when you create it.

2) Download your config file for a generic

3) Create a new policy.

   a) Make sure you match the rekey timers or the tunnels will bounce randomly.

4) Create the VPN in XG. Tunnel 1

   a) Connection Type = Tunnel Interface (VERY IMPORTANT)

   b) Initiate the connection.

   c) Enter the preshared key from the config file.

   d) Enter the Local gateway X.Y.Y.Y; also enter it in the LocalID.

   e) Enter the Remote gateway X.X.X.X; also enter it in the LocalID.

      Outside IP Addresses:
      - Customer Gateway : X.Y.Y.Y
      - Virtual Private Gateway : X.X.X.X

   f) Don't add any local subnets or remote subnets.

   g) Click save.

5) Create the VPN in XG. Tunnel 2

   a) Connection Type = Tunnel Interface (VERY IMPORTANT)

   b) Initiate the connection.

   c) Enter the preshared key from the config file.

   d) Enter the Local gateway X.Y.Y.Y; also enter it in the LocalID.

   e) Enter the Remote gateway X.X.X.X; also enter it in the LocalID.

      Outside IP Addresses:
      - Customer Gateway : X.Y.Y.Y
      - Virtual Private Gateway : X.X.X.X

   f) Don't add any local subnets or remote subnets.

   g) Click save.

6) Now here is the biggest part of this.

   When you create the tunnel interfaces, XG will create an xfrm interface that is part of your WAN address.

   For each xfrm interface you need to enter the static address from your configuration file, i.e. the Customer Gateway inside address X.X.X.Y/30:

      Inside IP Addresses
      - Customer Gateway : X.X.X.Y/30
      - Virtual Private Gateway : Y.Y.Y.Y/30

   Do this for both interfaces that have been created.

7) First make sure you have dynamic routing enabled on the "VPN" interface under Administration - Device Access.

8) Go to Routing - BGP

   a) Enter your WAN IP in the router ID.

   b) Enter your local ASN that you provided to AWS in step 1.

   c) Add each neighbor from step 6, Y.Y.Y.Y (you should have two).

   d) Define your local networks so they don't propagate over and back if you have multiple sites.

9) Start up your VPN.

If all works well you should see your network come up and your dynamic routing working again.
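As an added example (not from the post, nor Sophos or AWS code), a short Python script that pulls the values named in steps 4 to 8 out of the generic configuration download and checks that each tunnel's inside addresses really form one /30 pair before you type them into the xfrm interface and the BGP neighbor list. The sample text and the "key : value" line layout are assumptions modelled on the lines the post quotes, so a real download may need the regex adjusted.

```python
import ipaddress, re
# Constructed sample in the "key : value" layout the post quotes; every value is a placeholder.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key          : PLACEHOLDER_PSK_1
  - Customer Gateway ASN    : 65000
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.21
Inside IP Addresses
  - Customer Gateway        : 169.254.10.2/30
  - Virtual Private Gateway : 169.254.10.1/30
IPSec Tunnel #2
  - Pre-Shared Key          : PLACEHOLDER_PSK_2
  - Customer Gateway ASN    : 65000
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.22
Inside IP Addresses
  - Customer Gateway        : 169.254.11.2/30
  - Virtual Private Gateway : 169.254.11.1/30
"""
KV = re.compile(r"^\s*-\s*(.+?)\s*:\s*(\S+)\s*$")

def parse_tunnels(text):
    # One dict per "IPSec Tunnel #N"; "Customer Gateway" repeats under Outside/Inside, so the heading word prefixes the key.
    tunnels, current, section = [], None, ""
    for line in text.splitlines():
        m = KV.match(line)
        if m and current is not None:
            current[section + m.group(1)] = m.group(2)
        elif line.strip():                      # any other non-blank line is a heading
            first = line.split()[0]
            if first == "IPSec":
                current = {"name": line.strip()}
                tunnels.append(current)
            section = first + " " if first in ("Outside", "Inside") else ""
    return tunnels

def xg_settings(t):
    # Map one tunnel onto the XG fields from steps 4-8 and verify the inside /30 pairing.
    cgw = ipaddress.ip_interface(t["Inside Customer Gateway"])
    vgw = ipaddress.ip_interface(t["Inside Virtual Private Gateway"])
    if cgw.network.prefixlen != 30 or cgw.network != vgw.network:
        raise ValueError(f"{t['name']}: inside addresses are not one /30 pair")
    return {"local_gateway": t["Outside Customer Gateway"],           # step 4d
            "remote_gateway": t["Outside Virtual Private Gateway"],   # step 4e
            "psk": t["Pre-Shared Key"], "xfrm_address": str(cgw),     # steps 4c, 6
            "bgp_neighbor": str(vgw.ip),                              # step 8c
            "local_asn": int(t["Customer Gateway ASN"])}              # step 8b
```

Run `[xg_settings(t) for t in parse_tunnels(open("config.txt").read())]` against your own download to get one dict per tunnel; a ValueError means the inside addresses you were about to enter do not belong to the same /30.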
