Setup XG to AWS VPN with IPSec and BGP?

For UTM, when creating a VPN with AWS, you can download an XML config file and use it to create the VPN definition in UTM. Is there a similar feature for XG? It doesn't seem like XG has all of the same functionality to handle the BGP routing. I can't seem to get my Office to AWS IPSec VPN to work based on the instructions in AWS or the instructions in XG (which are extremely sparse).

  • I'm a consultant and have 3 SG devices in the field with mesh VPNs and AWS tunnels. Went to buy a new one for a new site and got the XG (wasn't quite aware of the stark differences at the time). After much time spent, below is what I received from Sophos Support regarding what you are asking. (I ended up going back to SG; XG isn't ready for prime time yet.)

    Hello Kyle

    Currently the XG Firewall is not yet available in the AWS Marketplace but they are already in the planning stage of adding it though I cannot provide any ETA as to when exactly it will be available.

    Thanks!

    Regards,

    Lucky La Torre

    Sophos Technical Support

  • Kyle,

    Thanks for the feedback. I was aware that the AWS version of XG was not available. However, I am trying to set up an on-premise XG to AWS VPN. For UTM/SG you can download the AWS config file and import it to create the VPN in SG/UTM, but in XG I have not found a similar feature. I should probably notify Amazon to update their compatibility list to be clear that it does not include XG.

    Regards,
    Gary
  • The amazon config download does specify that it is the "UTM v9".
  • This might help; it's a generic config example without the use of BGP.

    docs.aws.amazon.com/.../GenericConfigNoBGP.html
  • Thanks for your help. I used the generic and got VPN running and connected. Then I ran into a bunch of routing issues courtesy of my ISP. I bounced back and forth on NoBGP and BGP trying to deal with it. I found the settings for VPN routes from the console and tried to set it that way. The problem is my ISP is also forwarding routes to their private IP address space that overlap with my Amazon VPC address space.
  • Gary,

    How did you set up the tunnel interface on the XG?

  • I set up the Amazon side as generic, downloaded the instructions file and then set up the Sophos XG IPSec connection with the details from Amazon. When you activate it, it creates the tunnel interface in the IPsec.

  • Gary, 

    I have followed your instructions on this and still cannot get it to work. Sophos's official response to my support ticket was:

    " I was able to verify this with our IaaS team and at this point we do not have any documentation that will help us in configuring a VPC tunnel to connect to your XG Firewall using a generic AWS config file as XG is not yet a supported platform. Also there is no option on XG to upload the generic config unlike our Sophos UTM 9."

    But you said you got it to work. Did you get it to work with or without BGP? You mentioned you had to add static routes to your XG via console? Can you share what you did? Any screenshots or detailed setup instructions you could provide would be super helpful.

  • Blake,

    Sorry I took a bit to respond.

    Here is what I did. I did not use BGP.

    In AWS, I

    1) created a Customer Gateway (CG) with the public static IP address of my XG FW. I used the default settings.

    2) created a Virtual Private Gateway (VPG) and attached it to my VPC

    3) created a VPN Connection with the VPG and CG with static routing. 

    4) Downloaded the VPN Connection using the Generic/Generic/Vendor Agnostic format. It downloads as a text file and has the generated shared secret and the connection protocol settings in it.

    I created a new IPSec policy for AWS under Objects->Policies->IPSec.

    Then I created an IPSec connection in XG (System->VPN->IPSec) using the Initiate option, connection type Site-to-Site, the "AWS IPSec VPN" policy created above, provided the shared key and remote IP address from the downloaded VPN connection information file from AWS, and defined a local subnet to remote LAN network mapping.

    I then activated and started the connection. Both sides had a connection.

    However, I ran into a number of problems. The biggest was my ISP (Cox) advertised routes to their private 10.x.x.x address space that I was using for AWS. My project was a short timeline, so I opted to drop the AWS effort.

    I hope this helps.

    Regards,

    Gary
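
The routing failure Gary describes (an ISP advertising private 10.x.x.x prefixes that overlap the AWS VPC range, so traffic to the VPC follows the ISP path instead of the tunnel) is a longest-prefix-match problem, and it is worth checking for it before blaming the IPsec side when a tunnel is up but carries no traffic. The script below is an added example, not code from the thread or from Sophos or AWS; it takes a VPC CIDR and a list of ISP-learned routes (the sample values are constructed), reports which ISP prefixes overlap the VPC and whether they are broader or narrower than it, and works out which static prefixes must point at the tunnel interface so the tunnel always wins. A narrower ISP prefix is split into its two halves (one bit longer), which beat the ISP route regardless of metric; a host route cannot be split and is reported as unresolvable.

```python
import ipaddress

# Constructed sample values (not from the thread): a VPC CIDR inside 10/8 and a
# few prefixes an ISP might push to the customer edge from its own private space.
VPC_CIDR = "10.20.0.0/16"
ISP_ROUTES = ["10.0.0.0/8", "10.20.5.0/24", "172.16.0.0/12", "100.64.0.0/10"]


def find_overlaps(vpc_cidr, isp_routes):
    """Return [(isp_route, relation)] for every ISP route that overlaps the VPC.

    relation is 'covers' when the ISP prefix is as broad or broader than the VPC
    CIDR (a static route for the VPC CIDR via the tunnel still wins by
    longest-prefix match) or 'more_specific' when the ISP prefix is narrower (it
    would capture that slice of the VPC unless a longer route points at the tunnel).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    overlaps = []
    for route in isp_routes:
        net = ipaddress.ip_network(route, strict=False)
        # Mixed address families never overlap; skip them explicitly.
        if net.version != vpc.version or not vpc.overlaps(net):
            continue
        relation = "covers" if net.prefixlen <= vpc.prefixlen else "more_specific"
        overlaps.append((route, relation))
    return overlaps


def tunnel_routes_needed(vpc_cidr, isp_routes):
    """Compute static prefixes to point at the tunnel interface so VPC-bound
    traffic never follows the ISP route. Returns (routes, unresolvable).

    - The VPC CIDR itself out-ranks any 'covers' route.
    - Each 'more_specific' ISP prefix is split into its two halves (one bit
      longer), which are strictly more specific than the ISP route and so win
      independently of metric or administrative distance.
    - A host route (/32 or /128) cannot be split; it is reported as unresolvable
      so the operator knows that one address will keep following the ISP route.
    """
    routes = {ipaddress.ip_network(vpc_cidr, strict=False)}
    unresolvable = []
    for route, relation in find_overlaps(vpc_cidr, isp_routes):
        if relation != "more_specific":
            continue
        net = ipaddress.ip_network(route, strict=False)
        if net.prefixlen == net.max_prefixlen:
            unresolvable.append(route)
            continue
        routes.update(net.subnets(prefixlen_diff=1))
    return [str(n) for n in sorted(routes)], unresolvable


if __name__ == "__main__":
    for route, relation in find_overlaps(VPC_CIDR, ISP_ROUTES):
        print(f"ISP route {route} overlaps VPC {VPC_CIDR}: {relation}")
    routes, bad = tunnel_routes_needed(VPC_CIDR, ISP_ROUTES)
    print("static routes to add toward the tunnel interface:", routes)
    if bad:
        print("host routes that cannot be overridden:", bad)
```

The prefixes it returns are what to install as static routes toward the tunnel interface (ipsec0 in James's packet capture); the exact XG console syntax for that is not covered in this thread, so the script stops at the prefix list. If the overlap is only a broader ISP prefix, the single VPC route is enough; the split halves are needed only where the ISP prefix is narrower than the VPC.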

  • Thanks Gary, I've used your method and been able to get the tunnel to connect (both ends show connection) but then I can't get any traffic through it. Packet capture shows packets being sent to the correct interface (ipsec0) but then there is no response. Has anyone been able to get further than this?

    Regards

    James