Sophos XG Firewall v18 to AWS VPN Gateway IPSEC Connection

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This article describes the procedure to create an IPsec connection between an AWS VPN Gateway and XG Firewall version 18.

Pre-requisites

  1. XG v18 firmware

    • Minimum of "EAP 3 Refresh-1" needed.

  2. Your on-prem XG Firewall and the following information:

    • The public IP of the XG firewall.
    • The IP address space behind your XG firewall.

  3. Your Amazon AWS VPC and the following information:

    • IP address space of the VPC.

Step 1: Create AWS Customer Gateway (with XG public IP details)

The customer gateway represents your on-premises location. You'll need the public IP address of your on-premises Sophos XG firewall and your on-premises private IP address spaces.

Please note that this configuration assumes that the public IP address is directly configured on the On-Prem XG firewall. Your configuration will be slightly different if your On-Prem XG firewall sits behind a NAT device.

  1. Go to the AWS Console: https://aws.amazon.com/console/ and sign in with your credentials.
  2. Under 'Services', click on 'VPC'.



  3. Filter by your VPC for ease of navigation.



  4. On the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
    1. Click on 'Customer Gateways'.



  5. In the "Create customer gateway" blade, configure the following:

    • Name: Specify any descriptive name.
    • Routing: Specify the mode of routing to be used. In our scenario, select Static.
    • IP Address: Specify the public IP address of your Sophos XG firewall.
    • Certificate ARN (optional): In our scenario, no certificate is selected.
    • Device (optional): In our scenario, no device is selected.

  6. Click on Create Customer Gateway.



Step 2: Create a Virtual Private Gateway (attaching the VGW to your VPC)

  1. Select the VPC to which the virtual private gateway will be attached.
  2. In the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
  3. Click on 'Virtual Private Gateways'.



  4. In the "Create Virtual Private Gateway" blade, configure the following:

    • Name tag: Specify a descriptive Name
    • ASN: Select the applicable option. In our scenario, select Amazon default ASN

  5. Click on Create Virtual Private Gateway.

    Note:
    To view the newly created Virtual Private Gateway, remove the filter applied on the VPC in Step 1(3). The filter needs to be removed as the VGW is not yet attached to the filtered VPC.



  6. Attach Virtual Private Gateway (VGW) to the VPC.

    • Select the newly created VGW.
    • Click on Actions and select Attach to VPC.

    Once the VGW is attached to the VPC, reapply the filter on your VPC as described in Step 1(3).



Step 3: Create the Site-to-Site VPN connection (AWS)

  1. In the left navigation pane, scroll down to Site-to-Site VPN Connections.
  2. Click on 'Create VPN Connection'.



  3. In the "Create VPN Connection" blade, configure the following:

    • Name Tag: Specify a descriptive Name for the VPN connection
    • Target Gateway Type: Select Virtual Private Gateway 
    • Virtual Private Gateway: From the drop-down box, select the gateway created in Step 2 (use your own values here, not the values shown in the screenshot).
    • Customer Gateway: Select Existing.
    • Customer Gateway ID: From the drop-down box, select the customer gateway created in Step 1 (use your own values here, not the values shown in the screenshot).
    • Routing Options: The routing option must match the routing mode selected in Step 1(5). In our scenario, select Static.
    • Static IP Prefixes: Provide the private IP address range behind the on-premises Sophos XG firewall (use your own values here, not the values shown in the screenshot). Typically this is the LAN interface network of the on-premises Sophos XG firewall.
    • Local IPv4 Network CIDR: the on-premises resources behind the XG (the customer gateway side of the tunnel).
    • Remote IPv4 Network CIDR: the AWS side resources (the VPC address space).


  4. Click on 'Create VPN Connection' to create the AWS VPN.

Step 4: Download and extract needed information from the configuration file (AWS)

  1. Select the newly created VPN connection and click on Download Configuration.



  2. In the "Download configuration" blade, select the following:

    • Vendor: Generic
    • Platform: Generic
    • Software: Vendor Agnostic
    • Click on "Download"



    The configuration file is downloaded in txt format. The Phase 1 and Phase 2 parameters it contains must match the IPsec policy configured on the on-prem Sophos XG. Note that the file also contains the pre-shared keys of both tunnels in clear text: store it with restricted permissions, do not attach it to tickets or e-mail, and delete it once the XG has been configured.
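    The generic file is plain text, so the values needed on the XG can be pulled out of it rather than copied by hand. The script below is an added example written for this article (it is not from the original post, AWS or Sophos): it parses the layout of the vendor-agnostic download, returns per tunnel the values that go into the XG IPsec policy (Step 6), the IPsec connection (Step 7) and the xfrm interface (Step 9), and flags the weak Phase 1/2 defaults the file proposes. The embedded SAMPLE_CONFIG is a constructed, trimmed imitation of the AWS format with documentation addresses and dummy pre-shared keys, and all function and field names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the AWS "Generic / Vendor Agnostic" download,
# trimmed to the lines this script reads. Addresses are documentation/link-local
# ranges and the pre-shared keys are dummies, not real AWS output.
_TUNNEL = """\
! IPSec Tunnel #{n}
! #1: Internet Key Exchange Configuration
! - Pre-Shared Key           : {psk}
! - Authentication Algorithm : sha1
! - Encryption Algorithm     : aes-128-cbc
! - Lifetime                 : 28800 seconds
! - Diffie-Hellman           : Group 2
! #2: IPSec Configuration
! - Authentication Algorithm : hmac-sha1-96
! - Encryption Algorithm     : aes-128-cbc
! - Lifetime                 : 3600 seconds
! - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! - DPD Interval             : 10
! - DPD Retries              : 3
! - TCP MSS Adjustment       : 1379 bytes
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway          : 203.0.113.10
!   - Virtual Private Gateway   : {vgw_out}
! Inside IP Addresses
!   - Customer Gateway          : {cgw_in}
!   - Virtual Private Gateway   : {vgw_in}
"""
SAMPLE_CONFIG = (
    "! Your VPN Connection ID : vpn-0123456789abcdef0\n"
    + _TUNNEL.format(n=1, psk="EXAMPLEpsk1NotARealKey", vgw_out="192.0.2.1",
                     cgw_in="169.254.10.2/30", vgw_in="169.254.10.1/30")
    + _TUNNEL.format(n=2, psk="EXAMPLEpsk2NotARealKey", vgw_out="192.0.2.2",
                     cgw_in="169.254.11.2/30", vgw_in="169.254.11.1/30")
)
SECTION_NAMES = {"1": "ike", "2": "ipsec", "3": "iface"}

def parse_aws_generic_config(text):
    """Return {tunnel_number: {(section, key): value}} for each 'IPSec Tunnel #N' block.
    Keys like 'Lifetime' repeat in the IKE and IPsec sections, so values are keyed by section."""
    tunnels, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("!").strip()
        if m := re.match(r"IPSec Tunnel #(\d+)", line):
            current, section = int(m.group(1)), None
            tunnels[current] = {}
        elif current is None:
            continue                      # header lines before the first tunnel block
        elif m := re.match(r"#(\d+):", line):
            section = SECTION_NAMES.get(m.group(1), m.group(1))
        elif m := re.match(r"(Outside|Inside) IP Addresses", line):
            section = m.group(1).lower()
        elif section and (m := re.match(r"-\s*(.+?)\s*:\s*(.+?)\s*$", line)):
            tunnels[current][(section, m.group(1))] = m.group(2)
    return tunnels

@dataclass
class XgTunnel:
    number: int
    gateway_address: str   # Step 7 Gateway Address and Remote ID: VGW outside IP
    preshared_key: str     # Step 7 Preshared Key
    xfrm_ip: str           # Step 9 IPv4/netmask on the xfrm interface: CGW inside IP
    mss: int               # Step 9 Override MSS
    phase1: dict           # Step 6 Phase 1: encryption, authentication, dh_group, key_life
    phase2: dict           # Step 6 Phase 2, same keys (dh_group is the PFS group)
    dpd: tuple             # Step 6 DPD (interval, retries)

def xg_settings(fields, number):
    """Map one parsed tunnel block onto the XG policy, connection and xfrm fields."""
    first_int = lambda v: int(v.split()[0])                        # "28800 seconds" -> 28800
    group = lambda v: int(re.search(r"Group (\d+)", v).group(1))   # "... Group 2" -> 2
    phase = lambda sec, dh_key: {
        "encryption": fields[(sec, "Encryption Algorithm")],
        "authentication": fields[(sec, "Authentication Algorithm")],
        "dh_group": group(fields[(sec, dh_key)]),
        "key_life": first_int(fields[(sec, "Lifetime")])}
    return XgTunnel(number, fields[("outside", "Virtual Private Gateway")],
                    fields[("ike", "Pre-Shared Key")], fields[("inside", "Customer Gateway")],
                    first_int(fields[("ipsec", "TCP MSS Adjustment")]),
                    phase("ike", "Diffie-Hellman"), phase("ipsec", "Perfect Forward Secrecy"),
                    (int(fields[("ipsec", "DPD Interval")]), int(fields[("ipsec", "DPD Retries")])))

def weak_findings(t):
    """Flag proposal parameters worth changing in the AWS tunnel options before go-live."""
    out = []
    for name, p in (("Phase 1", t.phase1), ("Phase 2", t.phase2)):
        if "sha1" in p["authentication"].lower():
            out.append(f"tunnel {t.number} {name}: SHA1 integrity, prefer SHA2-256 or stronger")
        if p["dh_group"] < 14:
            out.append(f"tunnel {t.number} {name}: DH group {p['dh_group']} (1024-bit), prefer 14 or higher")
    return out

def extract_all(text):
    """All tunnels in the file as XgTunnel objects, in tunnel order."""
    return [xg_settings(f, n) for n, f in sorted(parse_aws_generic_config(text).items())]

if __name__ == "__main__":
    for t in extract_all(SAMPLE_CONFIG):
        masked = t.preshared_key[:4] + "..." + t.preshared_key[-2:]   # never print the PSK in full
        print(f"Tunnel #{t.number}: gateway {t.gateway_address}, xfrm {t.xfrm_ip}, MSS {t.mss}, PSK {masked}")
        print("  phase1:", t.phase1, "\n  phase2:", t.phase2, "\n  dpd:", t.dpd)
        for finding in weak_findings(t):
            print("  WARNING:", finding)
```

    Replace SAMPLE_CONFIG with the contents of your downloaded file to get both tunnels' values; the script only prints a masked prefix of each pre-shared key, so its output can be pasted into a ticket without leaking the key.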

Step 5: Create a route in the route table associated with your VPC

  1. In the left navigation pane:

    • Filter by VPC: Select your VPC.

  2. Navigate to VIRTUAL PRIVATE CLOUD > Route Tables.
  3. Select the associated Route Table.



  4. In the bottom navigation:

    • Select the Routes tab.
    • Click on Edit routes.


  5. Click on Add route and configure the following:

    • Destination: Private IP address range behind the XG firewall. Typically, this is the LAN interface network of the on-prem Sophos XG firewall.
    • Target: Select the Virtual gateway created in Step 2.
    • Click on Save routes.
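    Steps 1 to 5 can also be done from the AWS CLI, which is handy when the VPN has to be rebuilt or provisioned repeatably. The script below is an added example written for this article, not from the original post or from AWS/Sophos: the ec2 subcommands and query paths are the real CLI ones, while the function names, IDs and CIDRs are placeholders, and it assumes configured credentials and a default region. Setting AWS=echo dry-runs it and only prints the commands. Note that the CLI hands back the tunnel data as the CustomerGatewayConfiguration XML rather than the generic text download of Step 4; it carries the same pre-shared keys, so the script writes it with owner-only permissions.

```shell
#!/bin/sh
# Added example: the AWS side of Steps 1-5 (plus the tunnel check from Step 11) with the AWS CLI.
# Usage (dry run):  AWS=echo sh aws_vpn_static.sh vpc-0123456789abcdef0 rtb-0123456789abcdef0 203.0.113.10 10.10.0.0/16
# Usage (real):     sh aws_vpn_static.sh <vpc-id> <route-table-id> <xg-public-ip> <onprem-cidr>
AWS="${AWS:-aws}"

# Step 1: customer gateway = the XG's public IP. --bgp-asn is required by the CLI even
# for static routing; 65000 is the value AWS uses by default.
create_customer_gateway() {   # $1 = XG public IP; prints cgw-...
    $AWS ec2 create-customer-gateway --type ipsec.1 --public-ip "$1" --bgp-asn 65000 \
        --query 'CustomerGateway.CustomerGatewayId' --output text
}

# Step 2: virtual private gateway (Amazon default ASN), attached to the VPC.
create_and_attach_vgw() {     # $1 = VPC ID; prints vgw-...
    vgw=$($AWS ec2 create-vpn-gateway --type ipsec.1 --query 'VpnGateway.VpnGatewayId' --output text)
    $AWS ec2 attach-vpn-gateway --vpn-gateway-id "$vgw" --vpc-id "$1" >/dev/null
    echo "$vgw"
}

# Step 3: static site-to-site VPN with the on-prem LAN as its static prefix.
create_vpn_connection() {     # $1 = CGW ID, $2 = VGW ID, $3 = on-prem CIDR; prints vpn-...
    vpn=$($AWS ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$1" \
        --vpn-gateway-id "$2" --options StaticRoutesOnly=true \
        --query 'VpnConnection.VpnConnectionId' --output text)
    $AWS ec2 create-vpn-connection-route --vpn-connection-id "$vpn" --destination-cidr-block "$3" >/dev/null
    echo "$vpn"
}

# Step 4 equivalent: outside/inside IPs, proposals and both pre-shared keys as the
# CustomerGatewayConfiguration XML. It holds the PSKs in clear text, hence umask 077.
save_customer_gateway_config() {   # $1 = VPN ID, $2 = output path
    umask 077
    $AWS ec2 describe-vpn-connections --vpn-connection-ids "$1" \
        --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text > "$2"
}

# Step 5: return route for the on-prem prefix via the VGW in the VPC route table.
add_return_route() {          # $1 = route table ID, $2 = on-prem CIDR, $3 = VGW ID
    $AWS ec2 create-route --route-table-id "$1" --destination-cidr-block "$2" --gateway-id "$3"
}

# Step 11: per-tunnel status as AWS sees it (UP/DOWN next to the AWS outside IP).
tunnel_status() {             # $1 = VPN ID
    $AWS ec2 describe-vpn-connections --vpn-connection-ids "$1" \
        --query 'VpnConnections[0].VgwTelemetry[].[OutsideIpAddress,Status]' --output text
}

main() {                      # $1 = VPC ID, $2 = route table ID, $3 = XG public IP, $4 = on-prem CIDR
    cgw=$(create_customer_gateway "$3")
    vgw=$(create_and_attach_vgw "$1")
    vpn=$(create_vpn_connection "$cgw" "$vgw" "$4")
    add_return_route "$2" "$4" "$vgw" >/dev/null
    save_customer_gateway_config "$vpn" "./$vpn.xml"
    echo "created $vpn (cgw=$cgw vgw=$vgw); tunnel data in ./$vpn.xml; check with: tunnel_status $vpn"
}

if [ "$#" -eq 4 ]; then main "$@"; fi
```

    The XML and the generic text file describe the same two tunnels, so whichever you use, the pre-shared keys, outside and inside addresses and proposals in it are what the XG steps below consume.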



Step 6: Create the VPN Policy (Sophos XG Firewall)

  1. Log into the WebAdmin of your on-premises Sophos XG firewall.
  2. Navigate to CONFIGURE > VPN.
  3. Click on the "..." to expand the menu, and select IPsec policies.
  4. Create a new policy matching the parameters specified in the configuration file downloaded in Step 4(2).



  5. In the IPSec policies blade, configure the following:

    • Name: Specify a descriptive name
    • Key exchange: Select IKEv1
    • Authentication mode: Select Main mode

    These match the "Phase 1 Negotiation Mode : main" line of the generic configuration file, which is written for IKEv1.



  6. Scroll down to configure the parameters for Phase 1. These should match the downloaded configuration obtained in Step 4(2).
  7. In our scenario, configure the following Phase 1 parameters on Sophos XG (the values the generic AWS configuration file proposes):

    • Key life: 28800
    • DH group (key group): 2 [DH1024]
    • Encryption: AES128
    • Authentication: SHA1

    Note:
    DH group 2 (1024-bit) and SHA1 are the weakest options AWS offers and are only what the generic file defaults to. The AWS Site-to-Site VPN tunnel options also allow AES256, SHA2-256 and DH group 14 or higher; if you change them on the AWS tunnel, change the XG policy to match, as both ends must agree on each phase.





  8. Scroll down to configure the parameters for Phase 2. These should match the downloaded configuration obtained in Step 4(2).
  9. In our scenario, configure the following Phase 2 parameters on Sophos XG:

    • Key life: 3600
    • DH group (key group): Same as Phase 1 (the "Perfect Forward Secrecy" group in the configuration file)
    • Encryption: AES128
    • Authentication: SHA1





  10. Scroll down to configure the parameters for Dead Peer Detection.

    • Enable Dead peer Detection checkmark.
    • Click Save.



Step 7: Create the VPN Connection(Sophos XG Firewall)

  1. Under "Configure", click on "VPN" → "IPSEC Connections" → "Add".



  2. Configure the following settings:

    General Settings

    • Name: Input any preferred name
    • Connection Type: Tunnel interface
    • IP Version: Dual
    • Gateway Type: Initiate the Connection
    • Activate on Save: Selected
    • Description: Add a description for the connection



    Encryption

    • Policy: Select the policy created in Step 6
    • Authentication Type: Preshared Key
    • Preshared Key: Enter the preshared key as available from the downloaded configuration obtained in Step 4(2).
    • Repeat Preshared Key: Confirm the above-preshared key



    Gateway Settings

    • Listening Interface: Select the WAN interface of the Sophos XG firewall
    • Gateway Address: Input the public IP of the AWS VPN gateway. This is the "Virtual Private Gateway" outside IP address of IPSec Tunnel #1 in the configuration file downloaded in Step 4(2).
    • Local ID type: IP Address
    • Local ID: Enter the public IP of the on-premises Sophos XG firewall (the "Customer Gateway" outside IP address in the configuration file)
    • Remote ID type: IP Address
    • Remote ID: Input the public IP of the AWS VPN gateway, the same address used for the Gateway Address above
    • There is no option to configure the "Local Subnet" and "Remote Subnet": with the Tunnel interface connection type both are fixed to "0.0.0.0/0". This is a route-based VPN, so the static route added in Step 10 decides which traffic enters the tunnel and the firewall rules in Step 8 decide which of that traffic is allowed.



    Advanced

    • Leave default settings

  3. Click "Save".



  4. Click "OK" when prompted about the "Preshared key".

  5. The connection should now be active and in a connected state.



    (Optional) Configure a redundant tunnel to the AWS gateway by repeating Step 7 with the Gateway Address, IDs and pre-shared key of IPSec Tunnel #2 from the configuration file obtained in Step 4(2) (the policy from Step 6 can be reused), then Step 9 for its xfrm interface.

Step 8: Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Protect", click on "Rules and Policies" → "Add Firewall Rule" → "New Firewall Rule".



  3. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:

    • Rule status: ON
    • Rule Name: XGS_to_AWS
    • Action: Accept
    • Rule Position: Top
    • Rule group: Automatic or select your VPN group
    • Log firewall traffic: Selected



    Source and destination

    • Source Zones: LAN
    • Source Networks and Devices: IP or Network of the device(s) that will be reaching AWS
    • Destination Zones: VPN
    • Destination Networks: IP or Network of the device(s) in AWS
    • During Scheduled Time: Leave the default setting



  4. Leave other settings as default.

    • You can configure the security checks of the XG for the traffic if you want to.

  5. Click on "Save".

  6. Create a second firewall rule in case traffic is initiated by the AWS side:

    • Rule status: ON
    • Rule Name: AWS_TO_XGS
    • Action: Accept
    • Rule Position: Top
    • Rule group: Automatic or select your VPN group
    • Log firewall traffic: Selected

    Source

    • Source Zones: VPN
    • Source Networks and Devices: IP or Network of the device(s) that will be reaching XGS
    • Destination Zones: LAN
    • Destination Networks: IP or Network of the device(s) behind the XGS
    • During Scheduled Time: Leave the default setting
  7. Leave other settings as default.

    • You can configure the security checks of the XG for the traffic if you want to.

  8. Click on "Save".

  9. Note: You will most likely NOT see traffic hitting this firewall rule, as it is only matched when an EC2 instance initiates the traffic; however, it is best practice to have a firewall rule for each zone pair and destination.

Step 9: Configure the xfrm tunnel interface (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Configure", click on "Network" → under "Interfaces", click on the xfrm interface (it is created automatically when the Tunnel interface connection from Step 7 is saved).



  3. In the "Network" configuration window, configure the following:

    • IPv4/netmask: Enter the "Customer Gateway" address from the Inside IP Addresses section of the configuration file downloaded in Step 4(2). It is a link-local /30 from 169.254.0.0/16; enter the address with its /30 netmask. The "Virtual Private Gateway" inside address is the AWS end of the same /30.
    • Expand "Advanced Settings"
      • Select "Override MSS" and enter the MSS value as obtained from the configuration file downloaded in Step 4(2) (the "TCP MSS Adjustment" line).
    • Click on "Save".






  4. In the "Update interface" prompt, click "Update interface".

Step 10: Configure static routing to the AWS network (Sophos XG Firewall)

  1. Log into the WebAdmin of your On-Premises Sophos XG firewall.
  2. Under "Configure", click on "Routing" → Under "Static Routing", click on "Add".
  3. In the "Add unicast route" window, configure the following:

    • Destination IP/Netmask: Enter the network IP and subnet mask of your AWS virtual network
    • Gateway: To be left empty
    • Interface: Select the XG's xfrm tunnel interface
    • Distance: Leave default setting
    • Click on "Save"

Step 11: Verify the VPN connection

  1. In the AWS Console: https://console.aws.amazon.com/, go to "Virtual Private Network (VPN)" and select Site-to-Site VPN Connections.
  2. In the "VPN Connection" blade, open the tunnel details and ensure that the status of the tunnel is "UP".


  3. Check that the EC2 Security Groups allow RDP from the on-premises address range.
  4. Download the Remote Desktop file for your EC2 instance from AWS.

  5. Perform a connectivity test from an on-premises host to an AWS VM.






Edited Firewall Rules
[edited by: emmosophos at 4:50 PM (GMT -7) on 8 Oct 2021]
  • Hi,

    I have a few questions regarding this config:

    1. How do you configure the static route in a failover situation as you can only have 1 interface linked to the static route?

    2. We seem to have issues with AWS initiating a rekey before the Sophos XG does and sometimes it happens in parallel. Would this be resolved by having a shorter key life than 28,800 configured in the policy?

    3. We are now getting these errors although it doesn't seem to cause an issue with traffic flow, how do we resolve this?

    CHILD_SA INVALID_ID_INFORMATION retry initiate CHILD_SA in 60 sec

    Thanks,

    Max
