
Unable to import AWS VPC VPN configuration

Hi,

I'm trying to import the AWS VPN configuration file into my Sophos UTM running firmware 9.7

I have downloaded the configuration file from AWS using Sophos, UTM and v9.

However, every time I try to import it, it reports the following error:

The Amazon VPC connection object requires matching a regular expression for the identifier attribute.

I have also tried giving the Amazon VPC some AWS Credentials to import the connection that way. That also fails with the same error message.

Has anyone else seen this problem? And have you found a way past the problem?

Kind regards,

Paul Macdonnell



  • Hi  

    Would you please share a screenshot of the error?

    Regards

    Jaydeep

  • Hi  

    Yes, of course. I have attached a screenshot of the error here now.

    Just some other background information. This VPN is connecting into a Transit Gateway, too.

    Doing some more research, I've found that this error is returned when trying to connect a VPN to a Transit Gateway, but I haven't found a work-around for it yet, other than manually creating the VPN connection.

    Do you know of work-arounds, or if there are any guides on how to manually configure the Transit Gateway VPN connection?

    Kind regards,

    Paul Macdonnell

  • Hi again,

    A little more background information - we're running a trial version of the UTM at the moment, on firmware version 9.700-5.

    Kind regards,

    Paul Macdonnell

  • Hi again,

    After some trial and error and comparing against a straight VPC Gateway VPN connection, I can see the only structural difference in the XML was the <vpn_gateway_id/> entry.

    In the Transit Gateway connected XML it was only:

    <vpn_gateway_id/>

    In the VPC connected XML, it was:

    <vpn_gateway_id>vgw-abcdefgh</vpn_gateway_id>

    I replaced the Transit Gateway config XML to use a similar name for the "vpn_gateway_id" element.

    EG: <vpn_gateway_id>vgw-<transit gateway id></vpn_gateway_id>

    I have now successfully loaded the configuration into the UTM. Now I'm working through making sure the VPN connects properly, which it isn't right now. I'm looking through the VPN logs and testing the network configuration to make sure that it is able to connect as required.

    Kind regards,

    Paul Macdonnell
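The XML edit Paul describes above, as an added example that is not code from the thread, from Sophos or from AWS: a small Python script that fills an empty <vpn_gateway_id/> with the "vgw-<transit gateway id>" placeholder and leaves a file that already names a real gateway untouched. The sample XML is constructed, and the id pattern checked before writing is an assumption, since the thread does not quote the regex the UTM applies.

```python
import re
import xml.etree.ElementTree as ET
from typing import Tuple

# Constructed sample modelled on what the thread describes: a Transit Gateway
# connection exports an empty <vpn_gateway_id/>. All ids here are placeholders.
SAMPLE_TGW_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-00000000">
  <customer_gateway_id>cgw-00000000</customer_gateway_id>
  <vpn_gateway_id/>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
    </customer_gateway>
  </ipsec_tunnel>
</vpn_connection>
"""

# Assumption: the importer wants something shaped like an AWS virtual private
# gateway id (vgw- plus 8 or 17 hex digits). The UTM's real regex is not in the thread.
VGW_ID_RE = re.compile(r"^vgw-[0-9a-f]{8}(?:[0-9a-f]{9})?$")
TGW_ID_RE = re.compile(r"^tgw-([0-9a-f]{8}(?:[0-9a-f]{9})?)$")


def placeholder_vgw_id(transit_gateway_id: str) -> str:
    """Build the 'vgw-<transit gateway id>' placeholder from a tgw-... id."""
    m = TGW_ID_RE.match(transit_gateway_id)
    if not m:
        raise ValueError(f"not a transit gateway id: {transit_gateway_id!r}")
    return "vgw-" + m.group(1)


def patch_vpn_gateway_id(xml_text: str, transit_gateway_id: str) -> Tuple[str, bool]:
    """Return (patched XML, changed). Only an *empty* vpn_gateway_id is filled in;
    an export that already names a real gateway is returned unchanged."""
    root = ET.fromstring(xml_text)
    elem = root.find("vpn_gateway_id")
    if elem is None or (elem.text or "").strip():
        return xml_text, False
    new_id = placeholder_vgw_id(transit_gateway_id)
    if not VGW_ID_RE.match(new_id):
        raise ValueError(f"placeholder {new_id!r} would not pass the id check")
    elem.text = new_id
    return ET.tostring(root, encoding="unicode", xml_declaration=True), True
```

The placeholder only satisfies the import check; it does not refer to a real virtual private gateway, so keep the unmodified export alongside the patched one for later troubleshooting.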

  • Hi Paul and welcome to the UTM Community!

    It sounds like you might be confounding the AWS processes for "regular" VPNs and VPC. Did you follow Amazon Virtual Private Cloud (Amazon VPC) User Guide and Site-to-site VPN configurations for Amazon VPC?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Paul. We got the same problem here. Did you manage to create a VPN to the TGW in this way? Did you open an issue elsewhere for this topic?

  • Hallo Philipp and welcome to the UTM Community!

    Did you follow the instructions in the two articles to which I linked in the post immediately above yours?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    Hallo Philipp and welcome to the UTM Community!

    Did you follow the instructions in the two articles to which I linked in the post immediately above yours?

    Cheers - Bob

    Hello Bob,

    Thank you for welcoming me. You do not seem to grasp the problem. You gave me some default documentation links on how to set up an AWS VPN connection with Sophos in comparison to AWS VPCs.

    We already have several such "normal" VPN connections running.

    This thread is about a bug/missing feature either from Sophos or AWS when setting up a VPN connection not to a regular VPC but to an AWS Transit Gateway.

    Please read the documentation here and maybe try to create such a TGW + VPN connection yourself (with Sophos UTM V9 on the other side).

    The connection is set up in another way and leads to a metadata file exported from AWS which does not include a VPC Gateway ID. This cannot be understood by Sophos, which requires a VPC Gateway ID. So we need a workaround/fix here.

    Greetings
    Philipp

  • I attempted to do the import today and got the same error on two different UTMs running the latest firmware. Did the fix of updating the XML fix the issue?

    Any fix yet from Sophos or AWS?

  • Bob,

    Also, since transit gateways have been out for over a year, it is pretty lame this happens.

    These would be great links, but they do not work with the transit gateway. You cannot import a config file or import via Account. This document does not work when a transit gateway is involved.

    https://community.sophos.com/kb/en-us/120922#Route%20propagation