
Problems setting up BGP on Sophos UTM 9 for AWS VPN with dynamic routing

Hi,

I'm in the process of connecting our Sophos UTM 9 to an AWS VPN with dynamic routing enabled. As I understand the process, this requires us to enable BGP on the UTM. I'm now facing two problems:

  • I lack any kind of experience with BGP and how to use it. Reading some Google results gave me a basic understanding but not enough to set this up.
  • As I understand BGP, we require a 'neighbor' router of our ISP and an ASN (also provided by our ISP). Unfortunately our ISP doesn't provide this.

So here are my questions:

  • Is there a way to configure a dummy neighbor so that I can enable BGP?
  • Is it possible to just connect to the AWS VPN without BGP enabled and then just manually add some routes?

Thanks,

Thomas.



  • Are you sure you don't just want to set up an Amazon VPC?  WebAdmin and AWS do all the yucky BGP stuff then - check out the Help for the 'Setup' tab in 'Site-to-Site VPN >> Amazon VPC'.  Why did you conclude that the approach you're pursuing is the correct one?  I'm not saying it isn't...

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm totally not sure if this is the right way. My reasons were:

    • My understanding of the BGP setup is that it auto-configures all necessary routes on both sides. This sounds like a good thing to have.
    • This BGP setup allows me to download a turnkey configuration for the UTM-9. The other AWS configuration options for VPNs don't offer this.

    All I need is a simple site-to-site connection and I'm open to suggestion on how to do this properly.

    Regards,

    Thomas

  • It does sound like you want to use the 'Amazon VPC' option, and that doesn't require you to set up BGP separately.  Using a standard Site-to-Site IPsec connection would require you to configure BGP manually.  I know that's been done, so if that's the route you want to take, try a Google on:

    site:community.sophos.com/products/unified-threat-management/f/vpn-site-to-site-and-remote-access BGP VPC IPsec

    BGP capability had to be added to the UTM to facilitate the redundant tunnel to a VPC, so they made it so that BGP could be used for other things.  One of my clients uses it and doesn't touch AWS.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • There is no need to set up BGP or even to turn it on globally on the Sophos just for AWS VPN. When you configure your VPC for a VPN you specify both a Customer Gateway (your side) and a Virtual Private Gateway (AWS side). You must select Dynamic Routing (BGP) within the AWS console in order to have the option to download a specific configuration for a Sophos UTM 9. Then you just import that into the Sophos and you're done.

    If you open up the configuration file that AWS provides you can see the specific BGP configuration, but you won't see it any place else on the Sophos. You can see the results of the final routing by looking at the routing tables (Support > Advanced > Routing Table). On my Sophos I have two separate AWS VPN connections from two separate VPCs, and the interfaces used by the AWS VPN are clearly indicated as vpc#.#; for example, vpc0.0, vpc0.1, vpc1.0, and vpc1.1 for my two tunnels.

    A word of caution related to BGP ASNs. I have a routing issue now on my Sophos that looks like it may have been caused by using one of the same Virtual Private Gateways (and same ASN) to connect to Google Cloud. The result is that I see two routes going through the same vpc1.0. Below, 10.30.0.0 is NOT set up on my Sophos, so I suspect that it was propagated via BGP back to my Sophos by AWS. The end result is that the Sophos cannot get to 172.31.0.0 (but all of my office clients can). This would not be an issue except that I need the Sophos to connect to 172.31.0.0/16 to send DNS requests to my own unbound server to resolve ec2.internal addresses via Sophos DNS Request Routing.

    • 10.30.0.0 169.254.45.133 255.255.0.0 UG 0 0 0 vpc1.0
    • 172.31.0.0 169.254.45.133 255.255.0.0 UG 0 0 0 vpc1.0

    If you're not connecting the same Virtual Private Gateway to multiple environments then you likely won't need to concern yourself with BGP ASN numbers, and can just let AWS provide the default ASN.
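One way to catch a propagated route like the 10.30.0.0 entry above before it breaks anything: parse the UTM routing table (Support > Advanced > Routing Table, netstat -rn layout) and flag any prefix on a vpc* interface that is not inside the VPC CIDRs you actually configured. This is an added example, not code from the thread or from Sophos; the sample table rows and the per-tunnel allowlist are constructed values, and the split on whitespace assumes the standard eight-column layout.

```python
import ipaddress

# Constructed sample of UTM routing-table output (netstat -rn layout):
# Destination Gateway Genmask Flags Metric Ref Use Iface
SAMPLE_ROUTES = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0   0   eth1
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
10.30.0.0       169.254.45.133  255.255.0.0     UG    0      0   0   vpc1.0
172.31.0.0      169.254.45.133  255.255.0.0     UG    0      0   0   vpc1.0
10.20.0.0       169.254.46.5    255.255.0.0     UG    0      0   0   vpc0.0
"""

# Assumed allowlist: the VPC CIDR(s) each tunnel interface is supposed to carry.
# Both tunnels of a VPC (vpcN.0 / vpcN.1) should only ever carry that VPC's CIDR.
EXPECTED = {
    "vpc0.0": ["10.20.0.0/16"],
    "vpc0.1": ["10.20.0.0/16"],
    "vpc1.0": ["172.31.0.0/16"],
    "vpc1.1": ["172.31.0.0/16"],
}


def parse_routes(text):
    """Return (network, gateway, iface) for each data row; the header row is skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue  # blank or malformed row
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        # Combine destination and genmask into a prefix; strict=False tolerates host bits.
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def unexpected_vpn_routes(text, expected=EXPECTED):
    """Routes on vpc* interfaces whose prefix is not covered by a configured VPC CIDR."""
    findings = []
    for net, gw, iface in parse_routes(text):
        if not iface.startswith("vpc"):
            continue  # only inspect the AWS VPN tunnel interfaces
        allowed = [ipaddress.ip_network(c) for c in expected.get(iface, [])]
        if not any(net.subnet_of(a) for a in allowed):
            findings.append((str(net), gw, iface))  # e.g. a BGP-propagated prefix
    return findings
```

Run periodically against a saved copy of the routing table; any finding is a prefix AWS advertised that you did not intend, which is exactly the symptom described in the post above.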