Unable to import AWS VPC VPN configuration

Hi Paul Macdonnell1 

Would you please share a screenshot of the error?

Hi Jaydeep 

Yes, of course. I have attached a screenshot of the error here now.

Just some other background information. This VPN is connecting into a Transit Gateway, too.

Doing some more research, I've found that this error is returned when trying to connect to a VPN to a Transit Gateway, but I haven't found a work-around for it yet. Other than manually creating the VPN connection.

Do you know of work-arounds, or if there are any guides on how to manually configured the Transit Gateway VPN connection?

Kind regards,

Paul Macdonnell

Hi again,

A little more background information - We're running a trial version of the UTM at the moment. Which is running on firmware version 9.700-5

Kind regards,

Paul Macdonnell

HI again,

After some trial and error and comparing against a straight VPC Gateway VPN connection, I can see the only structural difference in the XML, was the <vpn_gateway_id/> entry.

In the Transit Gateway connected XML it was only:

<vpn_gateway_id/>

In the VPC connected XML, it was:

<vpn_gateway_id>vgw-abcdefgh</vpn_gateway_id>

I replaced the Transit Gateway config XML to use a similar name for the "vpn_gateway_id" element.

EG: <vpn_gateway_id>vgw-<transit gateway id></vpn_gateway_id>

I have now successfully loaded the configuration into the UTM. Now, I'm working through making sure the VPN connects properly.

Which it isn't right now. I'm looking through the VPN logs and testing the network configuration to make sure that it is able to connect as required.

Kind regards,

Paul Macdonnell

Hi Paul and welcome to the UTM Community!

It sounds like you might be confounding the AWS processes for "regular" VPNs and VPC.  Did you follow Amazon Virtual Private Cloud (Amazon VPC) User Guide and Site-to-site VPN configurations for Amazon VPC?

Cheers - Bob

Hi Paul. We got the same problem here. Did you manage to create a VPN to the TGW in this way? Did you open an issue elsewhere for this topic?

Hi Paul. We got the same problem here. Did you manage to create a VPN to the TGW in this way? Did you open an issue elsewhere for this topic?

Hallo Philipp and welcome to the UTM Community!

Did you follow the instructions in the two articles to which I linked in the post immediately above yours?

Cheers - Bob

BAlfson said:

Hallo Philipp and welcome to the UTM Community!

Did you follow the instructions in the two articles to which I linked in the post immediately above yours?

Cheers - Bob

 

Hello Bob,

Thank you for welcoming me. You do not seem to grasp the problem. You gave me some default documentation links how to setup an AWS VPN Connection with Sophos in comparion to AWS VPCs.

We already have several such "normal" VPN connections running.

This thread is about a bug/missing feature either from Sophos or AWS when setting up a VPN connection not to a regular VPC but to a AWS Transit Gateway.

Please read the documentation here and maybe try to create such a TGW + VPN connection yourself (with Sophos UTM V9 on the other side).

The connection is setup in another way and leads to a metadata file exported from AWS which does not include a VPC Gateway ID. This cannot be understood by Sophos which requires a VPC Gateway ID. So we need a workaround/fix here.

Greetings
Philipp

I attempted to do the import today and same error on two different UTM running latest firmware.   Did the fix of updating the XML fix the issue?

ANy fix yet from Sophos or AWS?

You're right, Philipp, I didn't read closely enough and just assumed that it was a problem that I'd helped a client to solve.  Thanks for the link!

Did the workaround linked to by Brian work for you?  If so, please post back here so one of the Sophos people can learn of this and get a KnowledgeBase article created.

Cheers - Bob

The workaround of editing the XML files does not work. 

Hi Bob,

with our setup the workaround actully did the trick.
We have a working VPN attached to a AWS TransitGateway.

Greets Philipp

Hallo Philipp,

I've signaled this thread to on of the Sophos engineers - what about your configuration/setup do you think allowed the workaround to function?

Cheers - Bob

Hi BrianDavis 

Would you please open a case with Sophos Support for this issue? If the workaround does not help, it would be better to raise a case with Sophos Support.