Setup XG to AWS VPN with IPSec and BGP?

For UTM, when creating a VPN with AWS, you can download an XML config file and use it to create the VPN definition in UTM. Is there a similar feature for XG? It doesn't seem like XG has all of the same functionality to handle the BGP routing. I can't seem to get my Office to AWS IPSec VPN to work based on the instructions in AWS or the instructions in XG (which are extremely sparse).



This thread was automatically locked due to age.
  • I set up the Amazon side as generic, downloaded the instructions file and then set up the Sophos XG IPSec connection with the details from Amazon. When you activate it, it creates the tunnel interface in the ipsec.

  • Gary, 

    I have followed your instructions on this and still cannot get it to work. Sophos's official response to my support ticket was:

    " I was able to verify this with our IaaS team and at this point we do not have any documentation that will help us in configuring a VPC tunnel to connect to your XG Firewall using a generic AWS config file as XG is not yet a supported platform. Also there is no option on XG to upload the generic config unlike our Sophos UTM 9."

    But you said you got it to work. Did you get it to work with or without BGP? You mentioned you had to add static routes to your XG via console? Can you share what you did? Any screenshots or detailed setup instructions you could provide would be super helpful.

  • Blake,

    Sorry I took a bit to respond.

    Here is what I did. I did not use BGP.

    In AWS, I

    1) created a Customer Gateway (CG) with the public static IP address of my XG FW. I used the default settings.

    2) created a Virtual Private Gateway (VPG) and attached it to my VPC

    3) created a VPN Connection with the VPG and CG with static routing. 

    4) Downloaded the VPN Connection using the Generic/Generic/Vendor Agnostic format. It downloads as a text file and has the generated shared secret and the connection protocol settings in it.

    I created a new IPSec policy for AWS under Objects->Policies->IPSec.

    Then I created an IPSec connection in XG (System->VPN->IPSec) using the Initiate, connection type Site-To-Site, the "AWS IPSec VPN" policy created above, provided the shared key and remote IP address from the downloaded VPN connection information file from AWS, and defined a local subnet to remote LAN network mapping.

    I then activated and started the connection. Both sides had a connection.

    However, I ran into a number of problems. The biggest was my ISP (Cox) advertised routes to their private 10.x.x.x address space that I was using for AWS. My project was a short timeline, so I opted to drop the AWS effort.

    I hope this helps.

    Regards,

    Gary

  • Thanks Gary, I've used your method and been able to get the tunnel to connect (both ends show connection) but then I can't get any traffic through it. Packet capture shows packets being sent to the correct interface (ipsec0) but then there is no response. Has anyone been able to get further than this?

    Regards

    James

  • I followed Gary's instructions to the T and could never get anything to come up. Sophos's official answer is the XG doesn't support Amazon tunnels yet, so their support will not help. I'm skeptical Gary got it working because I've spent so many hours pulling my hair out over this one that I gave up. If anyone else has, please respond for my sanity.

  • Not supporting AWS yet seems like a cop out, this is a standardised technology. The automated connection that came with UTM 9 is great but it should be possible to do this manually until that feature comes to XG.

  • IT WORKS!

    After upgrading to v16 I now have a connection and packets are flowing! 

  • James, 

    I'm in a similar situation connecting the XG to Amazon VPC via VPN.  My vpn connects but no traffic.  Did you need to set up any static routes, any set up outside the VPN config? (I'm on v16)

    Thanks, 

    John

  • Hi John

    Sorry for not getting back sooner. I have added the static route for the tunnel via the CLI.

    e.g. system ipsec_route add net 192.168.100.0/255.255.255.0 tunnelname XGAtoXGB

     

    This thread goes into a bit more detail community.sophos.com/.../html5-vpn-how-to-access-ressources-behind-ipsec-tunnel
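An added worked example covering Gary's manual procedure and the static route James added (this is not code from the thread, from Sophos or from AWS). It reads the CustomerGatewayConfiguration XML that AWS generates for a VPN connection (the file UTM 9 imports and XG cannot), pulls out per tunnel the values you otherwise copy into the XG IPsec policy and connection by hand, checks that the VPC CIDR does not overlap a local network (the 10.x clash Gary hit), and prints the `system ipsec_route add` lines. The XML element layout is assumed from the AWS generic format; the sample document is constructed here with RFC 5737 test addresses and dummy keys, and the tunnel name AWS_Tunnel1 is hypothetical.

```python
"""Extract XG IPsec policy/connection values from an AWS VPN connection XML.

Added example for this thread, not Sophos or AWS code. Element layout is
assumed from AWS's generic CustomerGatewayConfiguration XML; the sample
below is constructed (RFC 5737 test addresses, dummy pre-shared keys)."""
import ipaddress
import xml.etree.ElementTree as ET


def _tunnel_xml(local_ip, peer_ip, psk):
    """One constructed <ipsec_tunnel> element in the AWS layout."""
    return f"""<ipsec_tunnel>
  <customer_gateway><tunnel_outside_address><ip_address>{local_ip}</ip_address></tunnel_outside_address></customer_gateway>
  <vpn_gateway><tunnel_outside_address><ip_address>{peer_ip}</ip_address></tunnel_outside_address></vpn_gateway>
  <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
    <lifetime>28800</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy><mode>main</mode>
    <pre_shared_key>{psk}</pre_shared_key></ike>
  <ipsec><protocol>esp</protocol><authentication_protocol>hmac-sha1-96</authentication_protocol>
    <encryption_protocol>aes-128-cbc</encryption_protocol><lifetime>3600</lifetime>
    <perfect_forward_secrecy>group2</perfect_forward_secrecy><mode>tunnel</mode>
    <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
</ipsec_tunnel>"""


# Constructed sample. AWS always provisions two tunnels per VPN connection,
# even with static routing; without BGP only one of them carries traffic.
SAMPLE_XML = (
    '<vpn_connection id="vpn-0example"><vpn_connection_type>ipsec.1</vpn_connection_type>'
    + _tunnel_xml("198.51.100.5", "203.0.113.10", "Dummy.PSK.Tunnel1.NotReal")
    + _tunnel_xml("198.51.100.5", "203.0.113.20", "Dummy.PSK.Tunnel2.NotReal")
    + "</vpn_connection>"
)


def _req(node, path):
    """Text of a required child; a truncated or hand-edited file fails loudly
    instead of producing a half-filled policy."""
    text = node.findtext(path)
    if not text or not text.strip():
        raise ValueError("missing <%s> under <%s>" % (path, node.tag))
    return text.strip()


def parse_tunnels(xml_text):
    """One dict per <ipsec_tunnel>: peer and PSK for the XG IPsec connection,
    Phase 1/Phase 2 proposals and DPD for the XG IPsec policy."""
    root = ET.fromstring(xml_text)  # file is downloaded from your own AWS console
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        tunnels.append({
            "local_gateway": _req(t, "customer_gateway/tunnel_outside_address/ip_address"),
            "remote_gateway": _req(t, "vpn_gateway/tunnel_outside_address/ip_address"),
            "psk": _req(t, "ike/pre_shared_key"),
            "phase1": {
                "mode": _req(t, "ike/mode"),
                "encryption": _req(t, "ike/encryption_protocol"),
                "authentication": _req(t, "ike/authentication_protocol"),
                "dh_group": _req(t, "ike/perfect_forward_secrecy"),
                "key_life": int(_req(t, "ike/lifetime")),
            },
            "phase2": {
                "encryption": _req(t, "ipsec/encryption_protocol"),
                "authentication": _req(t, "ipsec/authentication_protocol"),
                "pfs_group": _req(t, "ipsec/perfect_forward_secrecy"),
                "key_life": int(_req(t, "ipsec/lifetime")),
            },
            "dpd": (int(_req(t, "ipsec/dead_peer_detection/interval")),
                    int(_req(t, "ipsec/dead_peer_detection/retries"))),
        })
    if not tunnels:
        raise ValueError("no <ipsec_tunnel> elements found")
    return tunnels


def overlapping_local_nets(vpc_cidr, local_cidrs):
    """Local networks that overlap the VPC CIDR; catches a 10.x clash like
    Gary's before the tunnel is built."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in local_cidrs if ipaddress.ip_network(c).overlaps(vpc)]


def xg_ipsec_routes(vpc_cidr, tunnel_names):
    """The XG console command from this thread, one line per XG connection
    name. XG takes a dotted netmask; strict parsing rejects a CIDR with host
    bits set instead of silently widening it."""
    net = ipaddress.ip_network(vpc_cidr)
    return ["system ipsec_route add net %s/%s tunnelname %s"
            % (net.network_address, net.netmask, name) for name in tunnel_names]


if __name__ == "__main__":
    vpc, lans = "10.20.0.0/16", ["192.168.1.0/24", "10.0.0.0/8"]
    for i, t in enumerate(parse_tunnels(SAMPLE_XML), 1):
        # PSK is kept out of console/log output; copy it from the file itself.
        print("Tunnel %d: peer %s  P1 %s  P2 %s  DPD %s  PSK <%d chars>"
              % (i, t["remote_gateway"], t["phase1"], t["phase2"], t["dpd"], len(t["psk"])))
    print("overlapping local nets:", overlapping_local_nets(vpc, lans))
    print("\n".join(xg_ipsec_routes(vpc, ["AWS_Tunnel1"])))
```

Run it against the real file downloaded from the AWS console and build the XG IPsec policy from the Phase 1/Phase 2 values of the tunnel you are using (the two tunnels differ only in peer address and PSK). With static routing and no BGP, only one XG connection is needed, so add the `ipsec_route` line for that connection name alone; the `overlapping_local_nets` check returning anything is a sign to re-plan the VPC CIDR before going further.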

  • No luck with that. I'm finally at L2 support and still no progress. Any ideas are much appreciated. Thanks!