Setup XG to AWS VPN with IPSec and BGP?

I'm a consultant and have 3 SG devices in the field with mesh VPN's and AWS tunnels.  Went to buy a new one for a new site and got the XG (wasn't quite aware of the stark differences at the time).  After much time spent, below is what I received from sophos support regarding what you are asking. (I ended up going back to SG, XG isn't ready for prime time yet)

Hello Kyle

Currently the XG Firewall is not yet available in the AWS Marketplace but they are already in the planning stage of adding it though I cannot provide any ETA as to when exactly it will be available.

Thanks!

Regards,

Lucky La Torre

Sophos Technical Support

I followed Gary's instructions to the T and could never get anything to come up.  Sophos's offical answer is the XG doesnt support Amazon tunnels yet so their support will not help.  I'm skeptical Gary got it working because i've spent so many hours pulling my hair out of this one i gave up. If else has please respond for my sanity.

Not supporting AWS yet seems like a cop out, this is a standardised technology. The automated connection that came with UTM 9 is great but it should be possible to do this manually until that feature comes to XG.

IT WORKS!

After upgrading to v16 I now have a connection and packets are flowing! 

James, 

I'm in a similar situation connecting the XG to Amazon VPC via VPN.  My vpn connects but no traffic.  Did you need to set up any static routes, any set up outside the VPN config? (I'm on v16)

Thanks, 

John

Hi John

Sorry for not getting back sooner. I have added the static route for the tunnel via the CLI.

e.g. system ipsec_route add net 192.168.100.0/255.255.255.0 tunnelname XGAtoXGB

This thread goes into a bit more detail community.sophos.com/.../html5-vpn-how-to-access-ressources-behind-ipsec-tunnel

no luck with that.  I'm finally at a L2 support and still no progress.  Any ideas are much appreciated. thanks!

Did you guys ever get this?  I have this setup:

Amazon Network VPC - 172.31.0.0/16

Local Network XG 85 latest firmware 192.168.90.0/24 (Firewall 192.168.90.1)

Setup Static IPSec to Amazon - It connects no problem

Then added:

system ipsec_route add net 172.31.0.0/255.255.0.0 tunnelname VPNtoAmazon
set advanced-firewall sys-traffic-nat add destination 172.31.0.0 netmask 255.255.0.0 snatip 192.168.90.1

I get no traffic either way.

Checked routing tables on amazon and firewall rules.  I fired up an EC2 Windows Server 2016 box and tried to ping both ways and get nothing.

I have a support ticket opened with Sophos.

No, I still have an ongoing ticket with support. 

Hmm...ok.  Thanks for the update.  I was thinking about trying the setup again because I see the XG now supports BGP under routing so maybe we don't need to do a static route.

yeah, that's what I thought too but we haven't been able to get that to work either.  So if you get it working let me know!

yeah, that's what I thought too but we haven't been able to get that to work either.  So if you get it working let me know!

For a static configuration do I need to do anything with the Inside IP Addresses in the config file?

They gave me the following:

Outside IP Addresses:
- Customer Gateway : 107.203.X.X
- Virtual Private Gateway : 52.70.X.X

Inside IP Addresses
- Customer Gateway : 169.254.X.X/30
- Virtual Private Gateway : 169.254.X.X/30

Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes

#4: Static Routing Configuration:

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:

- Next hop : 169.254.X.X

For Policy I used the AWS IPSec VPN Policy I created.

Then I set the Local ID to the Customer Gateway (My ip address) and under remote I added the internal lan on the amazon side of 172.31.0.0/255.255.0.0 and the remote ID of 52.70.X.X.

Under Enpoint Details (local*) I put again my local external IP Address which is set to Port 2 and then for remote I put 52.70.X.X and then I ran this rule through the console.

system ipsec_route add net 172.31.0.0/255.255.0.0 tunnelname VPNtoAmazon
set advanced-firewall sys-traffic-nat add destination 172.31.0.0 netmask 255.255.0.0 snatip 192.168.90.1

but no where do I use the 169.254.X.X addresses.  Do I need to set a route somewhere using those?