This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos UTM - AWS VPN: Connecting with multiple VPCs

I have seen several discussions within this community regarding multiple Amazon AWS IPsec VPNs to a single Sophos UTM but still see no definite resolution or procedure for how best to set it up. Rather than hijack and existing discussion I am asking this question again.

In the past I used a pfSense firewall and had two separate IPsec VPN tunnels to two separate AWS VPCs. This worked fine because the pfSense allowed me to terminate an IPsec tunnel on ANY public interface. When we retired the pfSense and replaced it with the Sophos UTM we had an issue where we were unable to terminate a tunnel to anything but the default WAN IP on the Sophos and AWS would not allow two separate VPN tunnels to the same public termination endpoint. 

While AWS provides a few different approaches to this (Direct Connect, Shared Services, or Transit VPN) I'm still curious why we still do not have the option to pick the public interface on the Sophos where we want to terminate the tunnel.

I really have a need to reestablish the 2nd IPsec tunnel to better manage continuous deployment of our applications. My temporary workaround was to setup an OpenVPN server to allow developer access but that is not a good solution for this use case.



This thread was automatically locked due to age.
Parents
  • Just to update my progress on this - I was able to easily add the 2nd VPN tunnel to the same AWS Customer Gateway (our back-office WAN IP). The trick is to select Dynamic (BGP) routing at AWS when creating the tunnel and then a Sophos UTM V9 configuration file becomes available for download. I simply imported that configuration file into my Sophos and after a minute or so the tunnel came up green on both AWS and on my Sophos. This allows access to two separate VPC's from the back-office (our customer gateway).

    A previous attempt from another system admin over a year ago was not successful but he may have been trying to use static routing and manually configuring the redundant tunnels on the Sophos. That may work now but it's much easier to just use the generated configuration file and BGP. Note that this does NOT turn on BGP routing on the Sophos, globally, so if you are not using BGP there is no reason to enable and configure it for the AWS VPN tunnel. In fact - much of the AWS VPN details are hidden on the Sophos but are detailed in the configuration file. Kudos to Sophos for making this process fairly easy.

    Be aware that I already had the Customer Gateway and the VPN Gateway configured at AWS for this 2nd VPC tunnel. We already had a tunnel to another VPC from the Sophos and I already had a tunnel to this VPC to Google Cloud so when creating the new tunnel back to the office I simply had to select the existing gateways, specify dynamic routing, and then pick and download the Sophos configuration file.

Reply
  • Just to update my progress on this - I was able to easily add the 2nd VPN tunnel to the same AWS Customer Gateway (our back-office WAN IP). The trick is to select Dynamic (BGP) routing at AWS when creating the tunnel and then a Sophos UTM V9 configuration file becomes available for download. I simply imported that configuration file into my Sophos and after a minute or so the tunnel came up green on both AWS and on my Sophos. This allows access to two separate VPC's from the back-office (our customer gateway).

    A previous attempt from another system admin over a year ago was not successful but he may have been trying to use static routing and manually configuring the redundant tunnels on the Sophos. That may work now but it's much easier to just use the generated configuration file and BGP. Note that this does NOT turn on BGP routing on the Sophos, globally, so if you are not using BGP there is no reason to enable and configure it for the AWS VPN tunnel. In fact - much of the AWS VPN details are hidden on the Sophos but are detailed in the configuration file. Kudos to Sophos for making this process fairly easy.

    Be aware that I already had the Customer Gateway and the VPN Gateway configured at AWS for this 2nd VPC tunnel. We already had a tunnel to another VPC from the Sophos and I already had a tunnel to this VPC to Google Cloud so when creating the new tunnel back to the office I simply had to select the existing gateways, specify dynamic routing, and then pick and download the Sophos configuration file.

Children
  • Thanks, Kip.  Was your approach the one described in Site-to-site VPN configurations for Amazon VPC?  Where should the Sophos KB article tell you to choose BGP?  Is this necessary if one is only selecting a single connection?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • The selection of "Dynamic Routing (BGP)" was required at AWS to even see a configuration file for the Sophos so that should be part of the initial AWS setup in the article. I ran across that little tidbit on one of my searches but regret that I did not capture where I saw that and document it here. If I chose "Static Routing" I never saw a configuration option for Sophos. You can do static routing and download a "generic" configuration file but then you need to setup everything manually on the Sophos, Maybe selecting FreeSwan or OpenSwan configuration would work for the Sophos but did not have the time to test and this was production. This was my first crack at this as my son set this up initially and the existing tunnel he setup is using static routing.

    I did use the "Import Single Connection File" from the article you referenced. I did not want to risk breaking the existing tunnel so I chose that approach over "Import from AWS Account".

    Attaching a REDACTED configuration file that I got from AWS for this tunnel so you can see what one actually looks like. Note that this is the only place where I can actually see my details of the tunnel on the Sophos.

    <?xml version="1.0" encoding="UTF-8"?><!--Amazon Virtual Private Cloud Configuration
    
    To configure this VPN, go to the WebAdmin for your security gateway. Click "Site-to-site VPN",
    then click "Amazon VPC". On the "Setup" tab, locate the "Import via Amazon VPC configuration"
    section, then select this file and click "Apply".
    
    XSL Version: 2009-07-15-1119716--><vpn_connection id="vpn-FFFFFFFF">
      <customer_gateway_id>cgw-FFFFFFFF</customer_gateway_id>
      <vpn_gateway_id>vgw-FFFFFFFF</vpn_gateway_id>
      <vpn_connection_type>ipsec.1</vpn_connection_type>
      <ipsec_tunnel>
        <customer_gateway>
          <tunnel_outside_address>
            <ip_address>XX.XX.XXX.XX</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>XXX.XXX.XX.XXX</ip_address>
            <network_mask>255.255.255.XXX</network_mask>
            <network_cidr>XX</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65000</asn>
            <hold_time>30</hold_time>
          </bgp>
        </customer_gateway>
        <vpn_gateway>
          <tunnel_outside_address>
            <ip_address>XX.XXX.XXX.XX</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>XXX.XXX.XX.XXX</ip_address>
            <network_mask>255.255.255.XXX</network_mask>
            <network_cidr>XX</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>7224</asn>
            <hold_time>30</hold_time>
          </bgp>
        </vpn_gateway>
        <ike>
          <authentication_protocol>sha1</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>FFFFFFFFFFFFFFFFFFFFF</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>hmac-sha1-96</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>tunnel</mode>
          <clear_df_bit>true</clear_df_bit>
          <fragmentation_before_encryption>true</fragmentation_before_encryption>
          <tcp_mss_adjustment>1379</tcp_mss_adjustment>
          <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
          </dead_peer_detection>
        </ipsec>
      </ipsec_tunnel>
      <ipsec_tunnel>
        <customer_gateway>
          <tunnel_outside_address>
            <ip_address>XX.XX.XXX.XX</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>XXX.XXX.XX.XX</ip_address>
            <network_mask>255.255.255.XXX</network_mask>
            <network_cidr>XX</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65000</asn>
            <hold_time>30</hold_time>
          </bgp>
        </customer_gateway>
        <vpn_gateway>
          <tunnel_outside_address>
            <ip_address>XX.XX.XX.XX</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>XXX.XXX.XX.XX</ip_address>
            <network_mask>255.255.255.XXX</network_mask>
            <network_cidr>XX</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>7224</asn>
            <hold_time>30</hold_time>
          </bgp>
        </vpn_gateway>
        <ike>
          <authentication_protocol>sha1</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>FFFFFFFFFFFFFFFFFFFFFFFF</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>hmac-sha1-96</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>tunnel</mode>
          <clear_df_bit>true</clear_df_bit>
          <fragmentation_before_encryption>true</fragmentation_before_encryption>
          <tcp_mss_adjustment>1379</tcp_mss_adjustment>
          <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
          </dead_peer_detection>
        </ipsec>
      </ipsec_tunnel>
    </vpn_connection>