
How to write/modify AWS VPN Config files for Sophos UTM?

You can download and import the sample files for your AWS VPN to a Sophos UTM.

AWS does provide the ability to change the encryption settings. https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

I want to modify the config file in such a way that when I import it, it just works. But I cannot find any documentation for the XML file.

Where is the translation of the supported policies https://docs.sophos.com/nsg/sophos-utm/utm-on-aws/9.703/pdf/en-us/manual-en.pdf (page 401) to the names needed in the XML? From the debug log I have tried to guess some values, but I think most of these do not work.

This is my file, and I need valid values for authentication_protocol, encryption_protocol and perfect_forward_secrecy.

And does Sophos UTM 9 (9.705) support IKEv2 at all?

<?xml version="1.0" encoding="UTF-8"?><!--Amazon Virtual Private Cloud Configuration

To configure this VPN, go to the WebAdmin for your security gateway. Click "Site-to-site VPN",
then click "Amazon VPC". On the "Setup" tab, locate the "Import via Amazon VPC configuration"
section, then select this file and click "Apply".

XSL Version: 2009-07-15-1119716--><vpn_connection id="vpn-xxxxxxxx">
  <customer_gateway_id>cgw-xxxxxxxx</customer_gateway_id>
  <vpn_gateway_id>vgw-xxxxxxxx</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.40.6</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>65000</asn>
        <hold_time>30</hold_time>
      </bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.40.5</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>64512</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.42.226</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>65000</asn>
        <hold_time>30</hold_time>
      </bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.42.225</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>64512</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>
  </ipsec_tunnel>
</vpn_connection>
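As an added example (not part of the original post, and not an AWS or Sophos tool), the Python script below parses an AWS "generic" VPN configuration XML of the shape posted above, lists each tunnel's IKE and IPsec proposal tokens, flags weak or multi-valued entries, and rewrites one field across both tunnels so they carry the same single token. The weak-token list and the one-token-per-element rule are this script's own assumptions, derived from the spellings AWS emits in its sample files (sha1, aes-128-cbc, hmac-sha1-96, group2, as in the second tunnel above); the script does not know which names the Sophos UTM importer accepts, which remains the open question in the post. The embedded XML is a constructed, trimmed copy of the posted file.

```python
"""Audit and edit per-tunnel IKE/IPsec proposals in an AWS Site-to-Site VPN
"generic" configuration XML. Added example, not AWS or Sophos code.
Assumption: WEAK_TOKENS and the one-token-per-element rule are this script's
policy, based on the spellings in AWS sample files; they are not the names
the Sophos UTM importer accepts (that mapping is the post's open question)."""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed copy of the posted file, two tunnels, different proposals.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-xxxxxxxx">
  <ipsec_tunnel>
    <ike>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
    </ike>
    <ipsec>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
    </ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
    </ike>
    <ipsec>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
    </ipsec>
  </ipsec_tunnel>
</vpn_connection>
"""

# Policy (assumption, not an AWS or Sophos list): primitives to flag as weak.
WEAK_TOKENS = {"md5", "hmac-md5-96", "sha1", "hmac-sha1-96", "des", "3des", "group1", "group2", "group5"}
PHASES = ("ike", "ipsec")
FIELDS = ("authentication_protocol", "encryption_protocol", "perfect_forward_secrecy")


def _as_bytes(xml_text):
    """Feed bytes to the parser so the <?xml encoding="UTF-8"?> declaration is honoured."""
    return xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text


def parse_tunnels(xml_text):
    """One dict per <ipsec_tunnel>: {'ike': {field: [tokens]}, 'ipsec': {...}}.
    Comma-separated values are split so multi-valued guesses can be detected."""
    root = ET.fromstring(_as_bytes(xml_text))
    tunnels = []
    for tunnel in root.findall("ipsec_tunnel"):
        entry = {}
        for phase in PHASES:
            node = tunnel.find(phase)
            proposal = {}
            for field in FIELDS:
                el = node.find(field) if node is not None else None
                text = (el.text or "") if el is not None else ""
                proposal[field] = [v.strip() for v in text.split(",") if v.strip()]
            entry[phase] = proposal
        tunnels.append(entry)
    return tunnels


def audit(tunnels):
    """Return findings: missing or multi-valued fields, weak tokens, and tunnels
    whose proposals disagree (both tunnels of one connection should match)."""
    findings = []
    for i, tunnel in enumerate(tunnels, start=1):
        for phase in PHASES:
            for field in FIELDS:
                vals = tunnel[phase][field]
                where = f"tunnel{i}/{phase}/{field}"
                if not vals:
                    findings.append(f"{where}: missing")
                    continue
                if len(vals) > 1:
                    findings.append(f"{where}: {len(vals)} values {vals}; AWS sample files carry one token per element")
                findings.extend(f"{where}: weak token '{v}'" for v in vals if v.lower() in WEAK_TOKENS)
    if len(tunnels) == 2 and tunnels[0] != tunnels[1]:
        findings.append("tunnel1 and tunnel2 proposals differ")
    return findings


def set_field(xml_text, phase, field, value):
    """Return new XML with <field> under every <ipsec_tunnel>/<phase> set to one token,
    so both tunnels negotiate the same policy."""
    root = ET.fromstring(_as_bytes(xml_text))
    for node in root.iter(phase):
        el = node.find(field)
        if el is not None:
            el.text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in audit(parse_tunnels(SAMPLE_XML)):
        print(line)
```

Run against the sample, the audit flags the AWS-default second tunnel (sha1, hmac-sha1-96, group2) as weak, the comma-separated guesses in the first tunnel as multi-valued, and the two tunnels as inconsistent; `set_field` can then be applied per phase and field to write one agreed token into both tunnels before importing the file.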


