
How to write/modify AWS VPN Config files for Sophos UTM?

You can download and import the sample files for your AWS VPN to a Sophos UTM.

AWS does provide the ability to change the encryption settings. https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

I want to modify the config file in such a way that when I import it, it just works. But I cannot find any documentation for the XML file.

Where is the translation of the supported policies https://docs.sophos.com/nsg/sophos-utm/utm-on-aws/9.703/pdf/en-us/manual-en.pdf (Page 401) to the names needed in the XML? From the debug log I have tried to guess some values, but I think most of these do not work.

This is my file and I need valid values for: authentication_protocol, encryption_protocol and perfect_forward_secrecy.

And does Sophos UTM 9 (9.705) support IKEv2 at all?

<?xml version="1.0" encoding="UTF-8"?><!--Amazon Virtual Private Cloud Configuration

To configure this VPN, go to the WebAdmin for your security gateway. Click "Site-to-site VPN",
then click "Amazon VPC". On the "Setup" tab, locate the "Import via Amazon VPC configuration"
section, then select this file and click "Apply".

XSL Version: 2009-07-15-1119716--><vpn_connection id="vpn-xxxxxxxx">
  <customer_gateway_id>cgw-xxxxxxxx</customer_gateway_id>
  <vpn_gateway_id>vgw-xxxxxxxx</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.40.6</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>65000</asn>
        <hold_time>30</hold_time>
      </bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.40.5</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>64512</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.42.226</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>65000</asn>
        <hold_time>30</hold_time>
      </bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.42.225</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>64512</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>
  </ipsec_tunnel>
</vpn_connection>

  • Hallo Carsten and welcome to the UTM Community!

    It's been over a year since I configured a VPN tunnel between our AWS instance and my lab UTM, but I don't recall having a problem importing the config from AWS and having it work.  What error do you see?  Why would you want to modify this file?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I don't have a problem with importing the file. I just want to use a stronger encryption than aes128 and sha1 truncated. But then the problem is that all those crypto names are non-standard. I have seen at least 4 totally different naming conventions for the same things. But nowhere a documentation of what the xml file needs. IANA names? Strongswan namings from 10 years ago? Some random guess based on the Sophos UTM handbook?

  • You have to configure those things in the AWS setup, Carsten. If the IPsec Policy you want is not already available for use in the UTM, you can create it on the 'IPsec Policy' tab. Have I correctly understood the issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • OK, solution as good as I could get it.

    It looks like the names are from a very old version of https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

    sha2_512 and sha2_384 are not available, DH groups above 16 are not in the manual so I have not tested them, and IKEv2 is not possible at all.

    I am open to improvements if possible.

    Config Part:

        <ike>
          <authentication_protocol>sha2</authentication_protocol>
          <encryption_protocol>aes-256-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group16</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>xxxxxxxxxxxxxxx 64 chars xxxxxxxxxxxxxxxxx</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>sha2</authentication_protocol>
          <encryption_protocol>aes-256-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group16</perfect_forward_secrecy>

    [Screenshot: AWS VPN Config]

    [Screenshot: Sophos Status Page]
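As an added example for this thread (my own code, not from Sophos, AWS or any of the posters), here is a small Python script that audits the proposal elements of an exported AWS VPN configuration file and rewrites weak or comma-separated values to the single names Carsten reported as working (sha2, aes-256-cbc, group16), so the file can be checked before it is imported into UTM. It assumes the element layout of the file posted at the top of the thread; the WEAK/STRONG tables and the SAMPLE document are constructed here, and the pre-shared key is never read or printed.

```python
"""Audit and harden the crypto proposals in an exported AWS Site-to-Site
VPN configuration file before importing it into Sophos UTM.

Added example for this thread, not code from Sophos, AWS or the posters.
Assumes the element layout of the file posted above (vpn_connection >
ipsec_tunnel > ike | ipsec) and that the single names from the last post
(sha2, aes-256-cbc, group16) are what the UTM importer accepts.
"""
import xml.etree.ElementTree as ET

# Proposal elements checked in each <ike> and <ipsec> section, with the
# values the thread identified as weak (AWS's default export uses them).
WEAK = {
    "authentication_protocol": {"sha1", "hmac-sha1-96"},
    "encryption_protocol": {"aes-128-cbc"},
    "perfect_forward_secrecy": {"group2"},
}

# One value per element, taken from the working config in the last post.
# In strongSwan's IKEv1 naming, "sha2" is an alias for SHA-256.
STRONG = {
    "authentication_protocol": "sha2",
    "encryption_protocol": "aes-256-cbc",
    "perfect_forward_secrecy": "group16",
}

# Constructed sample: tunnel 1 carries comma-separated lists like the
# OP's edited file, tunnel 2 carries AWS's default proposals.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-EXAMPLE">
 <ipsec_tunnel>
  <ike>
   <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
   <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
   <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
   <pre_shared_key>PLACEHOLDER-PSK</pre_shared_key>
  </ike>
  <ipsec>
   <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
   <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
   <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
  </ipsec>
 </ipsec_tunnel>
 <ipsec_tunnel>
  <ike>
   <authentication_protocol>sha1</authentication_protocol>
   <encryption_protocol>aes-128-cbc</encryption_protocol>
   <perfect_forward_secrecy>group2</perfect_forward_secrecy>
   <pre_shared_key>PLACEHOLDER-PSK</pre_shared_key>
  </ike>
  <ipsec>
   <authentication_protocol>hmac-sha1-96</authentication_protocol>
   <encryption_protocol>aes-128-cbc</encryption_protocol>
   <perfect_forward_secrecy>group2</perfect_forward_secrecy>
  </ipsec>
 </ipsec_tunnel>
</vpn_connection>
"""


def needs_fix(name, value):
    """A value needs fixing if it is a weak name or a comma-separated
    list; the working config uses exactly one name per element."""
    return "," in value or value in WEAK[name]


def proposal_elements(root):
    """Yield (tunnel_index, section, element_name, element) for every
    proposal element present; the pre-shared key is never touched."""
    for idx, tunnel in enumerate(root.iter("ipsec_tunnel"), start=1):
        for section in ("ike", "ipsec"):
            node = tunnel.find(section)
            if node is None:
                continue
            for name in WEAK:
                el = node.find(name)
                if el is not None:
                    yield idx, section, name, el


def audit(xml_text):
    """Return (tunnel, section, element, value) for every proposal that
    needs fixing, in document order."""
    root = ET.fromstring(xml_text)
    return [(idx, section, name, (el.text or "").strip())
            for idx, section, name, el in proposal_elements(root)
            if needs_fix(name, (el.text or "").strip())]


def harden(xml_text):
    """Return the file with every flagged value replaced by its STRONG
    value. ElementTree drops the comment before the root element, so the
    XML declaration is re-added here and that comment is not preserved."""
    root = ET.fromstring(xml_text)
    for _, _, name, el in proposal_elements(root):
        if needs_fix(name, (el.text or "").strip()):
            el.text = STRONG[name]
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for tunnel, section, name, value in audit(SAMPLE):
        print(f"tunnel {tunnel} <{section}> {name}: {value!r} -> {STRONG[name]}")
    print(harden(SAMPLE))
```

Run it against a real export by replacing SAMPLE with the file contents; the AWS comment block above the root element is not kept by ElementTree, so if the UTM importer turns out to need it, copy it back from the original file before importing.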