BGP configuration with IPsec VPN Sophos with AWS

I need help on how to configure BGP on Sophos XG v17.5. An IPsec site-to-site VPN has been established between Sophos and AWS, but the BGP neighborship between AWS and Sophos still shows as down.



  • You cannot create a BGP neighbor if you do not know where your neighbor is. If you do not specify the route to the neighbor, XG will send this traffic via the default gateway. That is a network issue. Are you sure this BGP configuration is correct?

    You are using DirectConnect. 

    aws.amazon.com/.../

    It seems you can specify an IP of your own if you want. If you do not, you get this link-local address. You could use 169.254.0.0/16. That seems fine. Or try to use bigger networks.

  • Hi

    I would like to share the config file with you so that we can be on the same page.

    <?xml version="1.0" encoding="UTF-8"?><!--Amazon Virtual Private Cloud Configuration

    To configure this VPN, go to the WebAdmin for your security gateway. Click "Site-to-site VPN",
    then click "Amazon VPC". On the "Setup" tab, locate the "Import via Amazon VPC configuration"
    section, then select this file and click "Apply".

    XSL Version: 2009-07-15-1119716--><vpn_connection id="vpn-0f2dc11daafa249b0">
      <customer_gateway_id>cgw-0ac0f72ed2a243099</customer_gateway_id>
      <vpn_gateway_id>vgw-09183c2bbf93544db</vpn_gateway_id>
      <vpn_connection_type>ipsec.1</vpn_connection_type>
      <ipsec_tunnel>
        <customer_gateway>
          <tunnel_outside_address>
            <ip_address>52.255.172.72</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.80.6</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65002</asn>
            <hold_time>30</hold_time>
          </bgp>
        </customer_gateway>
        <vpn_gateway>
          <tunnel_outside_address>
            <ip_address>13.59.85.182</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.80.5</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65358</asn>
            <hold_time>30</hold_time>
          </bgp>
        </vpn_gateway>
        <ike>
          <authentication_protocol>sha1</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>Mj_HiX1z9qSjE4IpPF5gKKsX5rUWZGo9</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>hmac-sha1-96</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>tunnel</mode>
          <clear_df_bit>true</clear_df_bit>
          <fragmentation_before_encryption>true</fragmentation_before_encryption>
          <tcp_mss_adjustment>1379</tcp_mss_adjustment>
          <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
          </dead_peer_detection>
        </ipsec>
      </ipsec_tunnel>
      <ipsec_tunnel>
        <customer_gateway>
          <tunnel_outside_address>
            <ip_address>52.255.172.72</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.145.18</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65002</asn>
            <hold_time>30</hold_time>
          </bgp>
        </customer_gateway>
        <vpn_gateway>
          <tunnel_outside_address>
            <ip_address>18.188.16.128</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.145.17</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65358</asn>
            <hold_time>30</hold_time>
          </bgp>
        </vpn_gateway>
        <ike>
          <authentication_protocol>sha1</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>rlJorobXBnatH0Po06anqli7dEoiBsLI</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>hmac-sha1-96</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>tunnel</mode>
          <clear_df_bit>true</clear_df_bit>
          <fragmentation_before_encryption>true</fragmentation_before_encryption>
          <tcp_mss_adjustment>1379</tcp_mss_adjustment>
          <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
          </dead_peer_detection>
        </ipsec>
      </ipsec_tunnel>
    </vpn_connection>

  • Try to create a static route with a bigger network and route it to the XFRM interface.

    This could actually work. 
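As an added example, not part of this thread: a Python script that reads an AWS VPN configuration export of the kind posted above, extracts per tunnel the neighbor address, both ASNs and the inside /30, flags a mismatched /30 or equal ASNs, and names the prefix that must be routed to the tunnel (XFRM) interface so the BGP session is not sent out the default gateway. SAMPLE_XML is a constructed, trimmed copy of the posted structure with the IKE/IPsec sections and pre-shared keys left out.

```python
# Added example (not from the thread): derive the BGP peering parameters and
# the static route each tunnel needs from an AWS VPN configuration export.
# SAMPLE_XML is a constructed, trimmed copy of the posted file's structure
# (IKE/IPsec sections and pre-shared keys omitted).
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<vpn_connection id="vpn-EXAMPLE">
  <ipsec_tunnel>
    <customer_gateway><tunnel_inside_address><ip_address>169.254.80.6</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65002</asn><hold_time>30</hold_time></bgp></customer_gateway>
    <vpn_gateway><tunnel_inside_address><ip_address>169.254.80.5</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65358</asn><hold_time>30</hold_time></bgp></vpn_gateway>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway><tunnel_inside_address><ip_address>169.254.145.18</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65002</asn><hold_time>30</hold_time></bgp></customer_gateway>
    <vpn_gateway><tunnel_inside_address><ip_address>169.254.145.17</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65358</asn><hold_time>30</hold_time></bgp></vpn_gateway>
  </ipsec_tunnel>
</vpn_connection>"""

def _inside(gw):
    # tunnel inside address of a <customer_gateway>/<vpn_gateway> element, with its /30
    addr = gw.find("tunnel_inside_address")
    return ipaddress.ip_interface(f"{addr.findtext('ip_address')}/{addr.findtext('network_cidr')}")

def tunnel_plan(xml_text):
    """One dict per <ipsec_tunnel>: neighbor, ASNs, the /30 to route, and sanity problems."""
    plans = []
    for idx, tun in enumerate(ET.fromstring(xml_text).findall("ipsec_tunnel"), start=1):
        cgw, vgw = tun.find("customer_gateway"), tun.find("vpn_gateway")
        local, peer = _inside(cgw), _inside(vgw)
        local_asn, peer_asn = int(cgw.findtext("bgp/asn")), int(vgw.findtext("bgp/asn"))
        problems = []
        if local.network != peer.network:
            problems.append("inside addresses are not in the same /30")
        if local_asn == peer_asn:
            problems.append("ASNs are equal; the AWS VPN peering is eBGP")
        plans.append({"tunnel": idx, "local_ip": str(local.ip), "neighbor_ip": str(peer.ip),
                      "local_asn": local_asn, "remote_asn": peer_asn,
                      "hold_time": int(vgw.findtext("bgp/hold_time")),
                      # route this prefix (or a summary covering it, e.g. 169.254.0.0/16)
                      # to the tunnel (XFRM) interface, never to the default gateway
                      "static_route": str(peer.network), "problems": problems})
    return plans
```

Run it against the real export with `tunnel_plan(open("vpn.xml").read())`; an empty `problems` list plus a route for `static_route` on the matching tunnel interface is the minimum the neighbor needs before the session can come up.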