Setup XG to AWS VPN with IPSec and BGP?

For UTM, when creating a VPN with AWS, you can download an XML config file and use it to create the VPN definition in UTM. Is there a similar feature for XG? It doesn't seem like XG has all of the same functionality to handle the BGP routing. I can't seem to get my Office to AWS IPSec VPN to work based on the instructions in AWS or the instructions in XG (which are extremely sparse).

  • I'm a consultant and have 3 SG devices in the field with mesh VPNs and AWS tunnels. Went to buy a new one for a new site and got the XG (wasn't quite aware of the stark differences at the time). After much time spent, below is what I received from Sophos support regarding what you are asking. (I ended up going back to SG; XG isn't ready for prime time yet.)

    Hello Kyle

    Currently the XG Firewall is not yet available in the AWS Marketplace but they are already in the planning stage of adding it though I cannot provide any ETA as to when exactly it will be available.

    Thanks!

    Regards,

    Lucky La Torre

    Sophos Technical Support

  • Kyle,

    Thanks for the feedback. I was aware that the AWS version of XG was not available. However, I am trying to set up an on-premises XG to AWS VPN. For UTM/SG you can download the AWS config file and import it to create the VPN in SG/UTM, but in XG I have not found a similar feature. I should probably notify Amazon to update their compatibility list to be clear that it does not include XG.

    Regards,
    Gary
  • This might help, it's a generic config example, without the use of BGP.

    docs.aws.amazon.com/.../GenericConfigNoBGP.html
  • Thanks for your help. I used the generic and got VPN running and connected. Then I ran into a bunch of routing issues courtesy of my ISP. I bounced back and forth on NoBGP and BGP trying to deal with it. I found the settings for VPN routes from the console and tried to set it that way. The problem is my ISP is also forwarding routes to their private IP address space that overlap with my Amazon VPC address space.
  • Gary,

    How did you set up the tunnel interface on the XG?

  • I set up the Amazon side as generic, downloaded the instructions file and then set up the Sophos XG IPSec connection with the details from Amazon. When you activate it, it creates the tunnel interface in the IPSec.

  • Gary, 

    I have followed your instructions on this and still cannot get it to work. Sophos' official response to my support ticket was:

    " I was able to verify this with our IaaS team and at this point we do not have any documentation that will help us in configuring a VPC tunnel to connect to your XG Firewall using a generic AWS config file as XG is not yet a supported platform. Also there is no option on XG to upload the generic config unlike our Sophos UTM 9."

    But you said you got it to work. Did you get it to work with or without BGP? You mentioned you had to add static routes to your XG via console? Can you share what you did? Any screenshots or detailed setup instructions you could provide would be super helpful.

  • Blake,

    Sorry I took a bit to respond.

    Here is what I did. I did not use BGP.

    In AWS, I

    1) created a Customer Gateway (CG) with the public static IP address of my XG FW. I used the default settings.

    2) created a Virtual Private Gateway (VPG) and attached it to my VPC

    3) created a VPN Connection with the VPG and CG with static routing. 

    4) Downloaded the VPN Connection using the Generic/Generic/Vendor Agnostic format. It downloads as a text file and has the generated shared secret and the connection protocol settings in it.

    I created a new IPSec policy for AWS under Objects->Policies->IPSec.

    Then I created an IPSec connection in XG (System->VPN->IPSec) using Initiate, connection type Site-To-Site, the "AWS IPSec VPN" policy created above, provided the shared key and remote IP address from the downloaded VPN connection information file from AWS, and defined a local subnet to remote LAN network mapping.

    I then activated and started the connection. Both sides had a connection.

    However, I ran into a number of problems. The biggest was my ISP (Cox) advertised routes to their private 10.x.x.x address space that I was using for AWS. My project was a short timeline, so I opted to drop the AWS effort.

    I hope this helps.

    Regards,

    Gary

  • Thanks Gary, I've used your method and been able to get the tunnel to connect (both ends show connection) but then I can't get any traffic through it. Packet capture shows packets being sent to the correct interface (ipsec0) but then there is no response. Has anyone been able to get further than this?

    Regards

    James

  • I followed Gary's instructions to the T and could never get anything to come up. Sophos's official answer is the XG doesn't support Amazon tunnels yet, so their support will not help. I'm skeptical Gary got it working because I've spent so many hours pulling my hair out over this one that I gave up. If anyone else has, please respond for my sanity.

  • Not supporting AWS yet seems like a cop out, this is a standardised technology. The automated connection that came with UTM 9 is great but it should be possible to do this manually until that feature comes to XG.

  • IT WORKS!

    After upgrading to v16 I now have a connection and packets are flowing! 

  • James, 

    I'm in a similar situation connecting the XG to Amazon VPC via VPN. My VPN connects but no traffic. Did you need to set up any static routes, any setup outside the VPN config? (I'm on v16)

    Thanks, 

    John

  • Hi John

    Sorry for not getting back sooner. I have added the static route for the tunnel via the CLI.

    e.g. system ipsec_route add net 192.168.100.0/255.255.255.0 tunnelname XGAtoXGB


    This thread goes into a bit more detail community.sophos.com/.../html5-vpn-how-to-access-ressources-behind-ipsec-tunnel

  • No luck with that. I'm finally at L2 support and still no progress. Any ideas are much appreciated. Thanks!

  • Did you guys ever get this?  I have this setup:

    Amazon Network VPC - 172.31.0.0/16

    Local Network XG 85 latest firmware 192.168.90.0/24 (Firewall 192.168.90.1)

    Setup Static IPSec to Amazon - It connects no problem

    Then added:

    system ipsec_route add net 172.31.0.0/255.255.0.0 tunnelname VPNtoAmazon
    set advanced-firewall sys-traffic-nat add destination 172.31.0.0 netmask 255.255.0.0 snatip 192.168.90.1

    I get no traffic either way.

    Checked routing tables on amazon and firewall rules.  I fired up an EC2 Windows Server 2016 box and tried to ping both ways and get nothing.

    I have a support ticket opened with Sophos.

  • No, I still have an ongoing ticket with support. 

  • Hmm...ok. Thanks for the update. I was thinking about trying the setup again because I see the XG now supports BGP under routing, so maybe we don't need a static route.

  • Yeah, that's what I thought too, but we haven't been able to get that to work either. So if you get it working, let me know!

  • For a static configuration do I need to do anything with the Inside IP Addresses in the config file?

    They gave me the following:

    Outside IP Addresses:
    - Customer Gateway : 107.203.X.X
    - Virtual Private Gateway : 52.70.X.X

    Inside IP Addresses
    - Customer Gateway : 169.254.X.X/30
    - Virtual Private Gateway : 169.254.X.X/30

    Configure your tunnel to fragment at the optimal size:
    - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:

    To route traffic between your internal network and your VPC,
    you will need a static route added to your router.

    Static Route Configuration Options:

    - Next hop : 169.254.X.X


    For Policy I used the AWS IPSec VPN Policy I created.

    Then I set the Local ID to the Customer Gateway (My ip address) and under remote I added the internal lan on the amazon side of 172.31.0.0/255.255.0.0 and the remote ID of 52.70.X.X.

    Under Endpoint Details (local*) I put again my local external IP address, which is set to Port 2, and then for remote I put 52.70.X.X, and then I ran this rule through the console.

    system ipsec_route add net 172.31.0.0/255.255.0.0 tunnelname VPNtoAmazon
    set advanced-firewall sys-traffic-nat add destination 172.31.0.0 netmask 255.255.0.0 snatip 192.168.90.1

    but nowhere do I use the 169.254.X.X addresses. Do I need to set a route somewhere using those?
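An added example, not from any poster in this thread and not Sophos or AWS code: since XG offers no upload for the AWS generic config (as the support reply above says), this script pulls out of the "Generic / Vendor Agnostic" text the values that Gary, James and the later posters typed in by hand (pre-shared key, remote gateway, phase 1 and phase 2 parameters, MTU), emits the `system ipsec_route add net ... tunnelname ...` console command in the form used in this thread, and checks the VPC range against the local LAN and any other routes already in the table, which is the overlap Gary hit when his ISP pushed 10.x routes. The sample text is constructed to follow the layout quoted in the post above, with one tunnel only (the real download lists two, so the parser would be run on each half) and RFC 5737 documentation addresses; the function names are my own. The inside 169.254.x.x addresses and the static next hop are returned for reference only: they are what a route-based (VTI or BGP) tunnel would configure, while the policy-based connection plus `ipsec_route` approach used here selects the tunnel by its name.

```python
"""Extract the hand-entry values for an XG Firewall from the AWS 'Generic /
Vendor Agnostic' VPN download (XG has no import option, unlike UTM 9)."""
import ipaddress
import re

# Constructed sample in the layout of the AWS generic static download: one
# tunnel only (the real file has two) and RFC 5737 documentation addresses.
SAMPLE_CONFIG = """\
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : examplePSK.constructed.0123456789
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.20
Inside IP Addresses
  - Customer Gateway        : 169.254.10.2/30
  - Virtual Private Gateway : 169.254.10.1/30
Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU : 1436 bytes

#4: Static Routing Configuration:
Static Route Configuration Options:
  - Next hop : 169.254.10.1
"""
SECTION_RE = re.compile(r"^#(\d+):")


def parse_config(text):
    """Flatten into (section, heading, key, value) records. Section number and
    sub-heading are kept because key names repeat: 'Authentication Algorithm'
    is in #1 (IKE) and #2 (ESP); 'Customer Gateway' is under both 'Outside IP
    Addresses' and 'Inside IP Addresses'."""
    records, section, heading = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section, heading = int(m.group(1)), None
        elif not line or section is None:
            continue                          # blanks and any banner text
        elif line.startswith("-") and ":" in line:
            key, _, val = line[1:].partition(":")
            records.append((section, heading, key.strip(), val.strip()))
        else:
            heading = line.rstrip(":")        # e.g. 'Outside IP Addresses'
    return records


def lookup(records, section, key, heading_word=None):
    """First value for section + key, optionally restricted by sub-heading."""
    for sec, heading, k, v in records:
        if sec == section and k == key and (
                heading_word is None or (heading and heading_word in heading)):
            return v
    raise KeyError(f"{key!r} not found in section #{section}")


def ipsec_route_cmd(vpc_cidr, tunnel_name):
    """XG console route in the form used in the thread: dotted netmask."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return (f"system ipsec_route add net {net.network_address}/{net.netmask}"
            f" tunnelname {tunnel_name}")


def overlapping_routes(vpc_cidr, local_lan, other_routes=()):
    """Prefixes colliding with the VPC range. An overlapping route already in
    the table (Gary's ISP-pushed 10.x routes) is the failure described above."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [p for p in (local_lan, *other_routes)
            if ipaddress.ip_network(p).overlaps(vpc)]


def xg_parameters(text, local_lan, vpc_cidr, tunnel_name, other_routes=()):
    """Values for Objects->Policies->IPSec, System->VPN->IPSec and the console."""
    r = parse_config(text)

    def phase(s):  # (encryption, authentication, DH group / PFS, lifetime in s)
        return (lookup(r, s, "Encryption Algorithm"),
                lookup(r, s, "Authentication Algorithm"),
                lookup(r, s, "Perfect Forward Secrecy"),
                int(lookup(r, s, "Lifetime").split()[0]))
    return {
        "remote_gateway": lookup(r, 3, "Virtual Private Gateway", "Outside"),
        "psk": lookup(r, 1, "Pre-Shared Key"),
        "ike": phase(1), "esp": phase(2),
        "mtu": int(lookup(r, 3, "Tunnel interface MTU").split()[0]),
        # Inside addresses and next hop belong to a route-based (VTI/BGP)
        # tunnel; a policy-based connection plus ipsec_route does not use them.
        "inside_cgw": lookup(r, 3, "Customer Gateway", "Inside"),
        "inside_vgw": lookup(r, 3, "Virtual Private Gateway", "Inside"),
        "static_next_hop": lookup(r, 4, "Next hop"),
        "xg_route_cmd": ipsec_route_cmd(vpc_cidr, tunnel_name),
        "conflicting_routes": overlapping_routes(vpc_cidr, local_lan, other_routes),
    }
```

Calling `xg_parameters(SAMPLE_CONFIG, "192.168.90.0/24", "172.31.0.0/16", "VPNtoAmazon")` with the subnets from the post above returns the `ipsec_route` line exactly as posted and an empty `conflicting_routes` list; passing Gary's situation (a VPC in 10.x and a `10.0.0.0/8` entry in `other_routes`) flags the collision before any tunnel is built. Lookups are keyed on section number plus sub-heading rather than on the bare label, because a flat key/value parse of this file silently overwrites the IKE algorithm with the ESP one.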