Setup XG to AWS VPN with IPSec and BGP?

For UTM, when creating a VPN with AWS, you can download an XML config file and use it to create the VPN definition in UTM. Is there a similar feature for XG? It doesn't seem like XG has all of the same functionality to handle the BGP routing. I can't seem to get my Office to AWS IPSec VPN to work based on the instructions in AWS or the instructions in XG (which are extremely sparse).



  • For a static configuration do I need to do anything with the Inside IP Addresses in the config file?

    They gave me the following:

    Outside IP Addresses:
    - Customer Gateway : 107.203.X.X
    - Virtual Private Gateway : 52.70.X.X

    Inside IP Addresses:
    - Customer Gateway : 169.254.X.X/30
    - Virtual Private Gateway : 169.254.X.X/30

    Configure your tunnel to fragment at the optimal size:
    - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:

    To route traffic between your internal network and your VPC,
    you will need a static route added to your router.

    Static Route Configuration Options:

    - Next hop : 169.254.X.X


    For Policy I used the AWS IPSec VPN Policy I created.

    Then I set the Local ID to the Customer Gateway (My ip address) and under remote I added the internal lan on the amazon side of 172.31.0.0/255.255.0.0 and the remote ID of 52.70.X.X.

    Under Endpoint Details (local*) I again put my local external IP address, which is set to Port 2, and for remote I put 52.70.X.X. Then I ran these through the console:

    system ipsec_route add net 172.31.0.0/255.255.0.0 tunnelname VPNtoAmazon
    set advanced-firewall sys-traffic-nat add destination 172.31.0.0 netmask 255.255.0.0 snatip 192.168.90.1

    But nowhere do I use the 169.254.X.X addresses. Do I need to set a route somewhere using those?
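The AWS "Generic" configuration excerpt quoted in the post above has the same shape for every tunnel: outside (IKE peer) addresses, an inside link-local /30 pair, a tunnel MTU, and a static-route section whose "Next hop" is the Virtual Private Gateway's inside address. The Python below is an added example, not code from the thread, Sophos or AWS. It parses such an excerpt, checks that the inside /30 pair and the next hop are consistent with each other, and emits the two XG console commands in exactly the form the post used, plus the TCP MSS that the 1436-byte tunnel MTU implies (MTU minus 20-byte IPv4 and 20-byte TCP headers). The sample text and its addresses are constructed (documentation ranges); the VPC prefix, tunnel name `VPNtoAmazon` and SNAT IP 192.168.90.1 are taken from the post; the XG command syntax is copied from the post and is an assumption here, not verified against a Sophos reference.

```python
import ipaddress
import re

# Constructed sample in the layout of the AWS "Generic" excerpt quoted in the
# thread. Addresses are documentation ranges, not the poster's real ones.
SAMPLE_CONFIG = """\
Outside IP Addresses:
- Customer Gateway : 203.0.113.10
- Virtual Private Gateway : 198.51.100.20

Inside IP Addresses:
- Customer Gateway : 169.254.10.2/30
- Virtual Private Gateway : 169.254.10.1/30

Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes

#4: Static Routing Configuration:

Static Route Configuration Options:

- Next hop : 169.254.10.1
"""

# "- <key> : <value>" lines; the value is the first token after the colon.
_FIELD = re.compile(r"^- (?P<key>[^:]+?)\s*:\s*(?P<val>\S+)")

# Header prefix of each block in the excerpt -> section name used below.
_SECTIONS = (
    ("Outside IP", "outside"),
    ("Inside IP", "inside"),
    ("Configure your tunnel", "mtu"),
    ("Static Route", "route"),
)


def parse_tunnel(text):
    """Parse one tunnel's excerpt into a dict.

    outside_cgw / outside_vgw: IPv4Address (the IKE peers)
    inside_cgw / inside_vgw:   IPv4Interface, prefix kept (the /30 pair)
    mtu:                       int (bytes)
    next_hop:                  IPv4Address (AWS's static-route example)
    """
    section, cfg = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        for prefix, name in _SECTIONS:
            if line.startswith(prefix):
                section = name
        m = _FIELD.match(line)
        if not m:
            continue
        key, val = m.group("key").strip(), m.group("val")
        if section == "outside" and key == "Customer Gateway":
            cfg["outside_cgw"] = ipaddress.ip_address(val)
        elif section == "outside" and key == "Virtual Private Gateway":
            cfg["outside_vgw"] = ipaddress.ip_address(val)
        elif section == "inside" and key == "Customer Gateway":
            cfg["inside_cgw"] = ipaddress.ip_interface(val)
        elif section == "inside" and key == "Virtual Private Gateway":
            cfg["inside_vgw"] = ipaddress.ip_interface(val)
        elif section == "mtu" and key == "Tunnel interface MTU":
            cfg["mtu"] = int(val)
        elif section == "route" and key == "Next hop":
            cfg["next_hop"] = ipaddress.ip_address(val)
    required = {"outside_cgw", "outside_vgw", "inside_cgw",
                "inside_vgw", "mtu", "next_hop"}
    missing = required - cfg.keys()
    if missing:
        raise ValueError(f"excerpt is missing fields: {sorted(missing)}")
    return cfg


def check_inside_pair(cfg):
    """Return a list of problems with the inside /30 pair (empty if consistent).

    AWS hands out both tunnel-interface addresses from one link-local /30 and
    uses the VGW's inside address as the next hop in its static-route example.
    """
    cgw, vgw, problems = cfg["inside_cgw"], cfg["inside_vgw"], []
    if cgw.network != vgw.network:
        problems.append(f"inside addresses on different networks: {cgw} vs {vgw}")
    if cgw.network.prefixlen != 30:
        problems.append(f"inside prefix is /{cgw.network.prefixlen}, expected /30")
    for name, iface in (("CGW", cgw), ("VGW", vgw)):
        if not iface.ip.is_link_local:
            problems.append(f"{name} inside address {iface.ip} is not in 169.254.0.0/16")
        if iface.ip not in set(iface.network.hosts()):
            problems.append(f"{name} inside address {iface.ip} is not a usable host")
    if cgw.ip == vgw.ip:
        problems.append("both ends use the same inside address")
    if cfg["next_hop"] != vgw.ip:
        problems.append(f"next hop {cfg['next_hop']} is not the VGW inside address {vgw.ip}")
    return problems


def xg_static_commands(cfg, vpc_cidr, tunnel_name, snat_ip):
    """Build the XG console commands in the form used in the thread, and the
    TCP MSS the tunnel MTU implies (minus 20-byte IPv4 and 20-byte TCP headers).
    Command syntax is copied from the post, not verified against Sophos docs."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    snat = ipaddress.ip_address(snat_ip)
    commands = [
        f"system ipsec_route add net {net.network_address}/{net.netmask} "
        f"tunnelname {tunnel_name}",
        f"set advanced-firewall sys-traffic-nat add destination "
        f"{net.network_address} netmask {net.netmask} snatip {snat}",
    ]
    return commands, cfg["mtu"] - 40


if __name__ == "__main__":
    cfg = parse_tunnel(SAMPLE_CONFIG)
    for p in check_inside_pair(cfg) or ["inside /30 pair and next hop are consistent"]:
        print(p)
    cmds, mss = xg_static_commands(cfg, "172.31.0.0/16", "VPNtoAmazon", "192.168.90.1")
    print("\n".join(cmds))
    print(f"TCP MSS for MTU {cfg['mtu']}: {mss}")
```

The check makes the role of the 169.254 pair visible: in AWS's file it is the address pair of a tunnel interface, and AWS's own static-route "Next hop" is simply the VGW's end of that /30. The two commands in the post route the VPC prefix to the tunnel by name and SNAT toward it, so in that form the inside addresses do not appear at all; running the check on a real excerpt at least confirms the file you were handed is self-consistent before you decide whether your XG design needs a tunnel interface for them.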

  • Hi Gary, I made a video about this - https://www.youtube.com/watch?v=iwj8V8CeeUo

    I'm looking to see if there's a way to configure dynamic routing using BGP but the video above will show you how to configure failover IPSEC VPN to AWS.

  • Hi All,

    Have you solved the VPN connection problem with AWS? I have resolved it; please find my routing configuration below.

    Network background:

    On premise: 10.10.0.0/16

    AWS VPC: 192.168.1.0/24

    Policy routing on Sophos:

    VPN incoming:

    Incoming interface: WAN IP address (WAN port)

    Source networks: 192.168.1.0/24

    Destination network: 10.10.0.0/16

    Service: any

    Gateway*: 10.10.0.1 (on-premise inside gateway)

    VPN outgoing:

    Incoming interface: WAN IP address (WAN port)

    Source networks: 10.10.0.0/16

    Destination network: 192.168.1.0/24

    Service: any

    Gateway*: 10.10.0.1 (on-premise inside gateway)


  • Hi all,

    I am setting up a site-to-site VPN connection to AWS using an IPSEC tunnel.

    On premise I am using a Sophos XG210.

    In AWS, when downloading the configuration, which vendor, platform and software should I choose that are closest to the XG210?

    Thank you for the help.


  • You have to pick Generic. There is no option for Sophos at all anymore, including UTM or XG. We finally got ours working by watching this YouTube video:

    https://www.youtube.com/watch?v=iwj8V8CeeUo

    Thanks to David Okeyode for posting it!


  • Hi Joey,


    Thank you for posting the link.

    In the video, he did not mention where he got the 195.166.150.193.

    I would assume that this is the public IP address of the Sophos firewall? Is this correct?


    Also, for your setup, did you choose static or dynamic? In the user guide provided by AWS, they recommend BGP.

    Is there any difference in network performance and connection stability between static and BGP?


    Thank you for your help.


  • Yes, that is the static IP of the customer's firewall. Static is the only one that seems to work. I haven't seen anyone get BGP to work yet.

    Our test system is on a crappy 50x5 AT&T connection, and we are getting great performance using static.