You can download and import the sample files for your AWS VPN to a Sophos UTM.
AWS does provide the ability to change the encryption settings: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
I want to modify the config file in such a way that, when I import it, it just works. But I cannot find any documentation for the XML file.
Where is the translation of the supported policies in https://docs.sophos.com/nsg/sophos-utm/utm-on-aws/9.703/pdf/en-us/manual-en.pdf (page 401) to the names needed in the XML? From the debug log I have tried to guess some values, but I think most of these do not work.
This is my file, and I need valid values for: authentication_protocol, encryption_protocol and perfect_forward_secrecy.
And does Sophos UTM 9 (9.705) support IKEv2 at all?
<?xml version="1.0" encoding="UTF-8"?>
<!--Amazon Virtual Private Cloud Configuration
To configure this VPN, go to the WebAdmin for your security gateway. Click "Site-to-site VPN", then click "Amazon VPC". On the "Setup" tab, locate the "Import via Amazon VPC configuration" section, then select this file and click "Apply".
XSL Version: 2009-07-15-1119716-->
<vpn_connection id="vpn-xxxxxxxx">
  <customer_gateway_id>cgw-xxxxxxxx</customer_gateway_id>
  <vpn_gateway_id>vgw-xxxxxxxx</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.40.6</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>65000</asn>
        <hold_time>30</hold_time>
      </bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.40.5</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>64512</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.42.226</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>65000</asn>
        <hold_time>30</hold_time>
      </bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>xxx.xxx.xxx.xxx</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.42.225</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>64512</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>tunnel</mode>
      <clear_df_bit>true</clear_df_bit>
      <fragmentation_before_encryption>true</fragmentation_before_encryption>
      <tcp_mss_adjustment>1379</tcp_mss_adjustment>
      <dead_peer_detection>
        <interval>10</interval>
        <retries>3</retries>
      </dead_peer_detection>
    </ipsec>
  </ipsec_tunnel>
</vpn_connection>
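Added example, not part of the post and not code from Sophos or AWS: a small pre-import check that parses a file with the same element layout as the one above (vpn_connection, ipsec_tunnel, ike, ipsec and the three fields asked about), splits the comma-separated values per tunnel, and reports anything a defender would want to see before importing: fields that list several algorithms instead of one, algorithms on a weak list, and a pre_shared_key that is still a placeholder. The weak list and the placeholder heuristic are this example's own assumptions, and the embedded sample XML is a trimmed, constructed copy of the two tunnels in the post. It does not answer which value names the Sophos importer accepts; it only makes the parameters of each tunnel visible so the mismatch in the debug log is easier to reason about.

```python
"""Inspect an AWS Site-to-Site VPN configuration XML before importing it."""
import xml.etree.ElementTree as ET

# Algorithms a defender would not want negotiated today.
# This classification is the example's own assumption, not a Sophos or AWS list.
WEAK = {
    "sha1": "SHA-1 integrity",
    "hmac-sha1-96": "SHA-1 integrity",
    "group1": "768-bit MODP DH group",
    "group2": "1024-bit MODP DH group",
    "des-cbc": "DES encryption",
    "3des-cbc": "3DES encryption",
}

FIELDS = ("authentication_protocol", "encryption_protocol", "perfect_forward_secrecy")

# Constructed sample: the two tunnels from the post, reduced to the IKE/IPsec sections.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-xxxxxxxx">
  <ipsec_tunnel>
    <ike>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>sha2-512,hmac-sha2-512</authentication_protocol>
      <encryption_protocol>aes-256,aes-256-cbc,aes-256-gcm</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group14,group15,group16</perfect_forward_secrecy>
    </ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>xxxxxxxxxxxxxxx</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
    </ipsec>
  </ipsec_tunnel>
</vpn_connection>
"""


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel> with ike/ipsec parameters split on commas."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for tunnel in root.findall("ipsec_tunnel"):
        entry = {}
        for phase in ("ike", "ipsec"):
            node = tunnel.find(phase)
            params = {}
            for field in FIELDS:
                text = node.findtext(field, default="")
                params[field] = [v.strip() for v in text.split(",") if v.strip()]
            params["lifetime"] = int(node.findtext("lifetime", default="0"))
            entry[phase] = params
        # Heuristic: a key made only of 'x' characters is an unfilled placeholder.
        psk = tunnel.findtext("ike/pre_shared_key", default="")
        entry["psk_is_placeholder"] = set(psk) <= {"x"}
        tunnels.append(entry)
    return tunnels


def audit(tunnels):
    """Return (tunnel_number, phase, message) findings for the parsed tunnels."""
    findings = []
    for i, t in enumerate(tunnels, start=1):
        for phase in ("ike", "ipsec"):
            for field in FIELDS:
                values = t[phase][field]
                if len(values) != 1:
                    findings.append((i, phase, f"{field} lists {values}; verify the importer accepts more than one value"))
                for v in values:
                    if v in WEAK:
                        findings.append((i, phase, f"{field}={v}: {WEAK[v]}"))
        if t["psk_is_placeholder"]:
            findings.append((i, "ike", "pre_shared_key is still a placeholder"))
    return findings


if __name__ == "__main__":
    for tunnel_no, phase, message in audit(parse_tunnels(SAMPLE_XML)):
        print(f"tunnel {tunnel_no} [{phase}]: {message}")
```

Run against the sample, the first tunnel is flagged only for carrying several candidates per field, while the second is flagged for SHA-1 integrity and the 1024-bit group2 in both phases; both tunnels are flagged for the placeholder key. To check a real downloaded file, replace SAMPLE_XML with the file's contents.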