Sophos XG Firewall: Set up IPSec tunnel between AWS VPN Gateway and XG v18 with BGP

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

This guide describes the process and configuration required to build a VPN tunnel between a Sophos XG Firewall and an AWS VPN gateway using interface-based tunnels and BGP for dynamic route exchange.

Configure the Amazon side

The first step is to create a VPN gateway on AWS using the following steps:

  1. Log in to the AWS console and navigate to Services > VPC.
  2. Navigate to Virtual Private Network (VPN) in the left-hand menu bar and select Customer Gateways.
  3. Click Create Customer Gateway.
  4. Provide a name tag in the respective field.
  5. Set routing to Dynamic.
  6. (Optional) Modify the BGP ASN used by the XG Firewall by entering the desired value in the BGP ASN field.
  7. Enter the public IP address of the XG Firewall in the IP Address field.
  8. (Optional) If you want to use certificate-based authentication for the tunnel, select the certificate provisioned in AWS ACM for this device in the Certificate ARN dropdown menu.
  9. (Optional) If you would like to specify the device type for future reference, enter it in the Device field.
  10. Click Create Customer Gateway.
  11. With the Customer Gateway created, the next step is to create a VPN Gateway. To do this, navigate to Virtual Private Gateways in the left-hand menu bar and click Create Virtual Private Gateway.
  12. Enter a name in the relevant field.
  13. Select to use the default Amazon ASN (64512) or specify a desired ASN for the Amazon VPN Gateway by selecting Custom ASN and then entering it in the subsequent field.
  14. Click Create Virtual Private Gateway.
  15. Select the newly created VPN Gateway and navigate to the Actions menu.
  16. Select Attach to VPC.
  17. Select the desired VPC from the dropdown menu and click Yes, attach.
  18. Next, navigate to Site-to-Site VPN Connections in the left-hand menu.
  19. Click Create VPN Connection.
  20. Provide a name for the connection in the relevant field.
  21. Make sure the Target Gateway Type is set to Virtual Private Gateway.
  22. Select the recently created VPN Gateway from the Virtual Private Gateway dropdown menu.
  23. Set Customer Gateway to Existing.
  24. Select the recently created Customer Gateway from the Customer Gateway ID dropdown menu.
  25. Make sure Routing Options is set to Dynamic (requires BGP).
  26. Select the desired IP addressing scheme inside the tunnel by selecting either IPv4 or IPv6.
  27. (Optional; only used for static VPN tunnels) Enter the CIDR block of the network on the AWS side you wish to include in the tunnel in the "Local IPv4 Network Cidr" field.
  28. (Optional; only used for static VPN tunnels) Enter the CIDR block of the network on the XG side you wish to include in the tunnel in the "Remote IPv4 Network Cidr" field.
  29. (Optional) Modify the IP range used inside either tunnel or the pre-shared key for the connection by editing the relevant fields.
  30. (Optional) If you wish to specify the algorithms and lifetimes for Phase 1 or Phase 2 of either tunnel, select Edit Tunnel 1/2 Options (select the relevant option based on the tunnel you wish to edit) and subsequently select/set the desired values.
    1. On unstable connections, it is a good idea to set the DPD Timeout Action to Restart.
    2. For this example, the values are matched with the values to be set in the XG Firewall's IPsec policy. See screenshot below.
  31. Click Create VPN Connection.

  32. Select the newly created VPN connection and click Download configuration.
  33. Select Generic from the Vendor list, and make sure the Platform and Software fields are set to Generic and Vendor Agnostic respectively.
  34. Click Download to download the VPN configuration file.

Configure the XG Firewall side

With the new VPN configurations created, the next step is to configure the XG Firewall with the relevant VPN and BGP details.

  1. Open a browser and browse to your XG Firewall using HTTPS on port 4444 (for example
  2. Log in to the WebAdmin interface and navigate to VPN.
  3. Click on the three dots in the top corner and select IPsec policies.
  4. Click Add to create a new IPsec policy.
  5. Set a name and description (if desired) for the policy.
  6. Select IKEv1 as the Key exchange and Main mode as the Authentication mode.
  7. Set the Key negotiation tries to 0 and make sure to select Re-key connection.
  8. Set the Phase 1 Key life to 28800 seconds and leave Re-key margin and Randomize re-keying margin by at their default values of 360 and 50 respectively.
  9. Select the following DH groups from the DH group (key group) dropdown:
    1. 14 (DH2048)
    2. 16 (DH4096)
    3. 18 (DH8192)
    4. 19 (ecp256)
    5. 21 (ecp521)
  10. Select AES256 from the Encryption dropdown and SHA2 256 from the Authentication dropdown.
  11. Set the Phase 2 PFS group to 18 (DH8192) by selecting it from the PFS group (DH group) dropdown.
  12. Set the Key life to 3600.
  13. Select AES256 from the Encryption dropdown and SHA2 256 from the Authentication dropdown.
  14. Enable dead peer detection by ticking the Dead Peer Detection checkbox.
  15. Set Check peer after every to 10 seconds and Wait for response up to to 120 seconds.
  16. Select Re-initiate from the When peer unreachable dropdown menu.
  17. Click Save to store the new IPsec policy.
  18. Navigate to the IPsec connections tab.
  19. Click Add to create a new connection.
  20. Enter a name and description for the connection in the respective fields.
  21. Select IPv4 as the IP version.
  22. Select Tunnel interface as the Connection type and select Initiate the connection from the Gateway type dropdown menu.
  23. Select the IPsec policy created previously from the Policy dropdown menu.
  24. Select Preshared key as the Authentication type and then enter the preshared key (found in the tunnel configuration we downloaded in the previous section) for the "first" tunnel (IPsec Tunnel #1) in the two preshared key entry fields.

  25. Set the listening interface to Port B <your WAN IP here>.
  26. Set the Local ID type to IP address and enter this XG Firewall’s public IP address in the Local ID field.
  27. Enter the Outside Virtual Private Gateway address for the first tunnel (again, found in the VPN configuration file downloaded in the previous section) in the Gateway address field.

  28. Set the Remote ID type to IP address and enter the same address entered in the Gateway address field into the Remote ID field.
  29. Click Save to store the tunnel.

  30. Navigate to Network in the left-hand menu and locate the newly created xfrm interface.
  31. Click on the hamburger menu and select Edit interface.
  32. Tick IPv4 configuration.
  33. Enter the Inside Customer Gateway address (found in the VPN tunnel configuration file) and netmask in the respective fields.

  34. Click Save.
  35. Repeat steps 18-34 for the second VPN tunnel (make sure to use the details for the "second" (IPsec Tunnel #2) tunnel in the VPN configuration file).

    Note: The VPN configuration file contains information for IPsec Tunnel #1 and IPsec Tunnel #2. Please make sure to configure the respective details for each tunnel as this can be confusing.

  36. Navigate to Routing and open the BGP tab.
  37. Set a local Router ID (Must be a valid IP. We suggest something from a RFC1918 range – like
  38. Make sure the Local AS matches the one configured in step 6 of the previous section.
  39. Click Apply.
  40. Navigate to the Neighbors section and click Add.
  41. Enter the Neighbor IP Address from the "first" tunnel’s BGP Configuration Options section in the VPN configuration file as the IPv4 address and make sure Remote AS matches the Virtual Private Gateway ASN for the first tunnel in the VPN Configuration file.

  42. Click Save.
  43. Repeat steps 40-42 for the "second" tunnel’s neighbor details in the VPN configuration file.

    Note: The VPN configuration file contains information for IPsec Tunnel #1 and IPsec Tunnel #2. Please make sure to configure the respective details for each tunnel as this can be confusing.

  44. Navigate to the Networks section and click Add.
  45. Set the IPv4 network and netmask to the values of the XG's local subnet that you wish to advertise over the tunnel.
  46. Click Save.

  47. Navigate to VPN in WebAdmin and click the red dot in the Active column of the first VPN connection to enable the tunnel, then repeat this for the second tunnel.

  48. Create a firewall rule to allow inbound and outbound traffic through the VPN. Navigate to Protect > Rules and policies > Firewall rules > Add firewall rule > New firewall rule.
  49. Configure as follows:

    • Rule status: ON
    • Rule Name: aws_to_onprem
    • Action: Accept
    • Rule Position: Top
    • Rule group: Automatic
    • Log firewall traffic: Selected
    • Source Zones: LAN and VPN
    • Source Networks and Devices: Any
    • During Scheduled Time: Leave the default setting
    • Destination Zones: LAN and VPN
    • Destination Networks: Any
    • Services: Any

      Leave other settings as default. You can configure the security checks of the XG for the traffic if required.
  50. Click Save.
  51. Navigate to Administration > Device access and enable Dynamic Routing for the VPN zone.
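Because steps 32-34 produce one configuration file that holds the details for both tunnels, and steps 24-41 then need the right value from the right tunnel block, an added example follows (this is my own code, not part of the original guide and not Sophos or AWS code). It parses a constructed sample in the layout of the generic download, maps each tunnel block onto the XG fields named in the steps above, and checks whether a value was reused across tunnels; the sample's labels and spacing are an approximation of the generic file, so adjust the regexes if your download's labels differ.

```python
import re
# Constructed sample in the layout of the AWS "Generic / Vendor Agnostic" download
# (abridged; the addresses, keys and ASNs are made up). One block per tunnel.
TUNNEL_BLOCK = """\
IPSec Tunnel #{n}
  - Pre-Shared Key           : {psk}
  Outside IP Addresses:
    - Customer Gateway                  : 203.0.113.10
    - Virtual Private Gateway           : {vgw}
  Inside IP Addresses
    - Customer Gateway                  : 169.254.{n}0.2/30
    - Virtual Private Gateway           : 169.254.{n}0.1/30
  BGP Configuration Options:
    - Customer Gateway ASN           : 65000
    - Virtual Private  Gateway ASN   : 64512
    - Neighbor IP Address            : 169.254.{n}0.1
"""
SAMPLE_CONFIG = "".join(TUNNEL_BLOCK.format(n=n, psk=f"EXAMPLEpsk{n}", vgw=f"198.51.100.{n}") for n in (1, 2))

def parse_tunnels(text):
    """{tunnel_number: {field: value}}; gateway address lines get an 'outside '/'inside ' prefix."""
    tunnels, current, scope = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"IPSec Tunnel #(\d+)", line)
        if head:
            current, scope = tunnels.setdefault(int(head.group(1)), {}), None
            continue
        if line.startswith(("Outside", "Inside")):       # which address table we are in
            scope = line.split()[0].lower()
        kv = re.match(r"-\s*(.+?)\s*:\s*(\S.*)$", line)
        if current is not None and kv:
            key = re.sub(r"\s+", " ", kv.group(1))        # the file pads names with spaces
            if scope and key in ("Customer Gateway", "Virtual Private Gateway"):
                key = f"{scope} {key}"
            current[key] = kv.group(2).strip()
    return tunnels

def xg_fields(t):
    """The values one tunnel block supplies for the XG fields in steps 24-41 above."""
    ip, prefix = t["inside Customer Gateway"].split("/")
    return {"preshared_key": t["Pre-Shared Key"],                          # step 24
            "local_id": t["outside Customer Gateway"],                     # step 26
            "gateway_and_remote_id": t["outside Virtual Private Gateway"], # steps 27-28
            "xfrm_ipv4": ip, "xfrm_prefix": int(prefix),                   # step 33
            "bgp_neighbor": t["Neighbor IP Address"],                      # step 41
            "bgp_remote_as": int(t["Virtual Private Gateway ASN"]), "bgp_local_as": int(t["Customer Gateway ASN"])}

def distinct_per_tunnel(tunnels, field):
    return len({t[field] for t in tunnels.values()}) == len(tunnels)  # False hints at a Tunnel #1/#2 mix-up
```

The outside Customer Gateway address is legitimately the same in both blocks (it is your own WAN IP), whereas the pre-shared key, outside VPG address and inside /30 must differ between tunnels.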

[edited by: emmosophos at 12:17 AM (GMT -7) on 20 Sep 2022]
  • The BGP part in Sophos is really a pain.

    This is not a good integration.

  • What do you miss? 


  • Hi, just adding this in for new Sophos techs: it took me longer than it should have to find the xfrm interfaces. All you have to do is go to Network --> Interfaces and you should see a blue bar on an interface; it can be expanded with a double click. In this case it was on PORT2 / PORT2.10, if you have a VLAN Fibre connection on the WAN interface. :-)

    Thanks for the great write up!

  • Hi Guys, I thought my experience may help someone. Here are some key points that helped me to get this going:

    Gotcha number 1 - Sophos Config
    Find the xfrm VPN interface on the Sophos Firewall to assign the BGP interface IP to the tunnel. :-)
    All you have to do is go to Network --> Interfaces and you should see a blue bar on an interface; it can be expanded with a double click. In this case it was on PORT2 / PORT2.10,
    if you have a VLAN Fibre connection on the WAN interface.

    Gotcha number 2 - Sophos Config
    When setting up BGP on the Sophos use RFC1819 IP range similar to that of AWS for BGP
    Routing -->  BGP --> Router ID:   LOCAL AS :  65000

    MASSIVE Gotcha number 3 - Config in AWS VPC
    After following the Sophos thread above you need to enable route propagation: VPC --> Route Tables --> select route propagation and enable.
    Now you should see the Routes in the Routes tab that came from the IPSEC VPN.

    MASSIVE Gotcha number 4 - Config in AWS EC2
    Also you need to make sure INBOUND traffic is allowed on the EC2 Portal/Security Groups and/or any VPC/Firewalls.
    EC2 Portal-->Network&Security-->SecurityGroups --- Check the inbound / outbound access.... that you may need to add in.

    To confirm routing table is working check the BGP information on the Sophos Firewall!
    Routing  -->  Information  -->  BGP, You should see packets to/from both parties.

    If BGP is not working then you will see the AWS VPC VPN tunnel status show up as IPSEC but not connected, and then you need to sort out your BGP config.
    Finally check the endpoint communication! :-)

  • Under the configuration of the AWS side, steps 27. & 28. they say "optional - only use for static VPN tunnels" since we are clearly trying to use dynamic routing set these explicitly to If you have networks in those fields and just delete them and save the config, they'll repopulate the previous values.

    SET THEM EXPLICITLY TO and this guide actually works. 

    Extra confusing as the image they've used clearly shows networks being set. 

  • Hey guys, I have got this set up and for some reason I can ping from the AWS side to the Sophos side, but I am unable to ping from the Sophos side to the AWS side. I am unsure what I am doing wrong and am pretty sure something is wrong with the Rules and Policies, even though I followed them to the letter. And I am connecting it directly to a TGW.

  • I found out how I resolved the issue, with the first configuration I was using the BYOL instance, and then the next time I tried it with the PAYG instance type and it worked instantly, no idea what the difference was but at least that did the trick for me.