
AWS tunnels and bgp

I wonder if anyone can help me set up IPsec routing to AWS. I set up 4 VPN tunnels to 2 separate AWS instances in my lab, and I have two groups for the IPsec tunnels. The connection is established, but I can't route traffic over the VPN to AWS. I also set up BGP and all neighbors. Is there a guide that will help me set up BGP to AWS?



  • Hi

    Please refer to the article for the IPsec tunnel - https://community.sophos.com/kb/en-us/133057

    For BGP, please refer to - https://community.sophos.com/kb/en-us/132891

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • Looks like two devices can't connect


    2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] Timer (connect timer expire)
    2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] ConnectRetry_timer_expired (Active->Connect)
    2020/01/25 22:27:26 BGP: 169.254.247.153 [Event] Connect start to 169.254.247.153 fd 11
    2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] Non blocking connect waiting result
    2020/01/25 22:27:26 BGP: 169.254.247.153 went from Active to Connect
    2020/01/25 22:27:26 BGP: 169.254.247.153 [Event] Connect failed (Operation now in progress)
    2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] TCP_connection_open_failed (Connect->Active)
    2020/01/25 22:27:26 BGP: 169.254.247.153 went from Connect to Active
    2020/01/25 22:27:34 BGP: Import timer expired.
    2020/01/25 22:27:49 BGP: Import timer expired.
    2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] Timer (connect timer expire)
    2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] ConnectRetry_timer_expired (Active->Connect)
    2020/01/25 22:27:57 BGP: 169.254.152.181 [Event] Connect start to 169.254.152.181 fd 11
    2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] Non blocking connect waiting result
    2020/01/25 22:27:57 BGP: 169.254.152.181 went from Active to Connect
    2020/01/25 22:27:57 BGP: 169.254.152.181 [Event] Connect failed (Operation now in progress)
    2020/01/25 22:27:57 BGP: 169.254.152.181 [FSM] TCP_connection_open_failed (Connect->Active)
    2020/01/25 22:27:57 BGP: 169.254.152.181 went from Connect to Active
    2020/01/25 22:28:04 BGP: Import timer expired.
    2020/01/25 22:28:16 BGP: Performing BGP general scanning
    2020/01/25 22:28:16 BGP: scanning IPv4 Unicast routing tables
    2020/01/25 22:28:19 BGP: Import timer expired.
    2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] Timer (connect timer expire)
    2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] ConnectRetry_timer_expired (Active->Connect)
    2020/01/25 22:28:27 BGP: 169.254.118.153 [Event] Connect start to 169.254.118.153 fd 11
    2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] Non blocking connect waiting result
    2020/01/25 22:28:27 BGP: 169.254.118.153 went from Active to Connect
    2020/01/25 22:28:27 BGP: 169.254.118.153 [Event] Connect failed (Operation now in progress)
    2020/01/25 22:28:27 BGP: 169.254.118.153 [FSM] TCP_connection_open_failed (Connect->Active)
    2020/01/25 22:28:27 BGP: 169.254.118.153 went from Connect to Active
    2020/01/25 22:28:34 BGP: Import timer expired.

  • My configuration file. What am I missing?

    bgp multiple-instance
    !
    router bgp 65000
    bgp router-id XX.XX.XX.XX 
    network 169.254.118.152/30
    network 169.254.152.180/30
    network 169.254.247.152/30
    network 169.254.253.44/30
    network 172.16.0.0/24
    network 172.16.30.0/24
    network 192.168.0.0/24
    network 192.168.1.0/24
    timers bgp 10 30
    neighbor 169.254.118.153 remote-as 64512
    neighbor 169.254.118.153 update-source XX.XX.XX.XX
    neighbor 169.254.118.153 advertisement-interval 60
    neighbor 169.254.118.153 timers 10 30
    neighbor 169.254.118.153 default-originate
    neighbor 169.254.152.181 remote-as 64512
    neighbor 169.254.152.181 update-source XX.XX.XX.XX
    neighbor 169.254.152.181 advertisement-interval 60
    neighbor 169.254.152.181 timers 10 30
    neighbor 169.254.152.181 default-originate
    neighbor 169.254.247.153 remote-as 64512
    neighbor 169.254.247.153 update-source XX.XX.XX.XX
    neighbor 169.254.247.153 advertisement-interval 60
    neighbor 169.254.247.153 timers 10 30
    neighbor 169.254.247.153 default-originate
    neighbor 169.254.253.45 remote-as 64512
    neighbor 169.254.253.45 update-source XX.XX.XX.XX
    neighbor 169.254.253.45 advertisement-interval 60
    neighbor 169.254.253.45 timers 10 30
    neighbor 169.254.253.45 default-originate
    maximum-paths 4
    !
    route-map aws permit 10
    !
    line vty
    no login
    !
    end
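As an added example (not from the thread or from Sophos), a small Python check that parses log lines in the format of the BGP log posted above together with the neighbor statements from the posted config, and reports peers whose TCP connect keeps failing without ever reaching Established, configured peers that never show up in the log, and an update-source that sits outside the peer's /30 (AWS assigns both inside addresses of a tunnel from one /30). The sample input is constructed; 203.0.113.10 stands in for the redacted XX.XX.XX.XX.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the format of the log and config posted above;
# 203.0.113.10 stands in for the redacted XX.XX.XX.XX update-source.
SAMPLE_LOG = """\
2020/01/25 22:27:26 BGP: 169.254.247.153 [FSM] TCP_connection_open_failed (Connect->Active)
2020/01/25 22:27:57 BGP: 169.254.118.153 [FSM] TCP_connection_open_failed (Connect->Active)
2020/01/25 22:28:34 BGP: Import timer expired.
"""
SAMPLE_CONFIG = """\
neighbor 169.254.118.153 remote-as 64512
neighbor 169.254.118.153 update-source 203.0.113.10
neighbor 169.254.253.45 remote-as 64512
neighbor 169.254.253.45 update-source 169.254.253.46
"""
FSM_RE = re.compile(r"^\S+ \S+ BGP: (\d+(?:\.\d+){3}) \[FSM\] (\w+) \((\w+)->(\w+)\)")
NBR_RE = re.compile(r"\s*neighbor (\S+) (remote-as|update-source) (\S+)")

def neighbors_from_config(config):
    """Map each configured neighbor to its update-source (None if not set)."""
    nbrs = {}
    for m in filter(None, map(NBR_RE.match, config.splitlines())):
        nbrs.setdefault(m[1], None)
        if m[2] == "update-source":
            nbrs[m[1]] = m[3]
    return nbrs

def fsm_events(log):
    """Map each peer to its [FSM] transitions as (event, from_state, to_state)."""
    events = {}
    for m in filter(None, map(FSM_RE.match, log.splitlines())):
        events.setdefault(m[1], []).append((m[2], m[3], m[4]))
    return events

def diagnose(log, config):
    """Return {neighbor: [finding, ...]}; an empty list means nothing stood out."""
    events, findings = fsm_events(log), {}
    for nbr, src in neighbors_from_config(config).items():
        notes, evs = [], events.get(nbr, [])
        if not evs:
            notes.append("no FSM activity in log window")
        elif (any(e[0] == "TCP_connection_open_failed" for e in evs)
              and not any(e[2] == "Established" for e in evs)):
            notes.append("TCP connect keeps failing: BGP (TCP/179) is not reaching the peer over the tunnel")
        # AWS puts both tunnel inside addresses in one /30, so the local side belongs there too.
        link = ip_network(f"{nbr}/30", strict=False)
        if src is None or ip_address(src) not in link:
            notes.append(f"update-source {src} is not in the peer's link {link}")
        findings[nbr] = notes
    return findings
```

Run `diagnose(open("bgp.log").read(), open("bgp.conf").read())` on the real files; a peer that appears only under "no FSM activity" usually means the tunnel carrying it is not up at all.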

  • I would recommend switching to V18 (EAP) and trying the route-based VPN tunnel.

    Should be way easier to implement this kind of tunnel. 

    If so, please report your success story to the EAP Forum! https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/


  • I am using 18 already. I am not sure if I am missing routes for the AWS tunnels in my routing tables. I see ipsec0 for both subnets going to my two AWS instances. Any help will be appreciated.

  • Did you choose "Tunnel Interface" instead of Site to Site in the IPsec config?


    This will connect a Tunnel Interface.

    In Interfaces, you should see an XFRM interface.

