Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.
This guide describes the process and configuration required to build a VPN tunnel between a Sophos XG Firewall and an AWS VPN gateway using interface-based tunnels and BGP for dynamic route exchange.
The first step is to create a VPN gateway on AWS using the following steps:
With the new VPN configurations created, the next step is to configure the XG Firewall with the relevant VPN and BGP details.
Configure as follows:
Hi just adding this in for new Sophos techs it took me a longer time than it should have to find the xrfm interfaces, all you have to do is go to Network --> Interfaces and you should see a blue bar on an interface it can be expanded with a double click, in this case it was on PORT2 / PORT2.10 if you have a VLAN Fibre connection on the WAN interface. :-)
Thanks for the great write up!
Hi Guys, I thought my experience may help someone. Here are some key points that helped me to get this going:
Gotcha number 1 - Sophos ConfigFind the xrmf vpn interface on the Sophos Firewall to assign the BGP interface IP to the Tunnel. :-)All you have to do is go to Network --> Interfaces and you should see a blue bar on an interface it can be expanded with a double click, in this case it was on PORT2 / PORT2.10 If you have a VLAN Fibre connection on the WAN interface.Gotcha number 2 - Sophos ConfigWhen setting up BGP on the Sophos use RFC1819 IP range similar to that of AWS for BGPRouting --> BGP --> Router ID: 169.254.254.1 LOCAL AS : 65000MASSIVE Gotcha number 3 - Config in AWS VPCAfter following the Sophos thread above you need to enable route propagation VPC -- > Route Tables --> Select route propogation and enable.Now you should see the Routes in the Routes tab that came from the IPSEC VPN.MASSIVE Gotcha number 4 - Config in AWS EC2 Also you need to make sure INBOUND traffic is allowed on the EC2 Portal/Security Groups and or any VPC/Firewalls.EC2 Portal-->Network&Security-->SecurityGroups --- Check the inbound / outbound access.... that you may need to add in.To confirm routing table is working check the BGP information on the Sophos Firewall!Routing --> Information --> BGP, You should see packets to/from both parties.If BGP is not working then you will see the AWS VPC VPN Tunnel status show up IPSEC but not connected then you need to sort out your BGP config.Finally check the endpoint communication! :-)