
BGP configuration with IPsec VPN Sophos with AWS

I need help on how to configure BGP on Sophos XG v17.5. An IPsec site-to-site VPN has been established between Sophos and AWS, but the BGP neighborship between AWS and Sophos still shows as down.



  • You could move to v18 and use VTI/route-based VPN.


  • Can you share a thread on this route-based VPN?

  • Route-based VPN is another way of using IPsec. It's supported in v18. https://www.youtube.com/watch?v=o4NB1nHBOsE&ab_channel=SophosSupport

    Azure and AWS VPN gateways use this kind of technology to build up VPN tunnels, so you could use it to build up the IPsec tunnel to them.

    Therefore you do not need to set up a GRE tunnel, as VTIs will provide an XFRM (virtual interface) for you. This XFRM interface can be used to bind BGP.

    I have done this with Azure VPN; I guess this is most likely the same on AWS VPN. It's very easy to build if you know how BGP works.


  • I have little understanding of BGP; I don't know if you can help me out here.

    I have my XG on v18 now. I have established the IPsec tunnel and I have the XFRM interface.

    I have configured it with BGP, but the status on AWS still shows Down, and in the BGP information on Sophos the neighbor status shows Idle.

    See attached screenshots of the configurations done.

    Kindly assist, Lucar.

  • It will be complicated to explain what to do.

    So let's try it:

    Check Device Access: is VPN --> Dynamic Routing enabled?

    Likely you got an IP and an AS from AWS, which you have to enter as a neighbor. Did you create a static route to this IP using the XFRM interface?

    You have a neighbor of 80.5. This is your XFRM interface. Are you sure this is correct?


  • Dynamic Routing is enabled.

    I got the IP and AS from AWS, which I have configured below.

    Regarding the IP to use for the XFRM interface, I am not sure of the parameters to be inserted; that's why I used the neighbor IP. I need a clarification on this.

  • Actually, you could use some other IPs in the XFRM tunnel. Simply use something which is not used in your network. Your config is invalid; you need to change the XFRM interface IPs.

    Then create a static route to both neighbors, using the matching XFRM interface.


  • The static route is not accepted because the neighbors are seen as a link-local address (169.254.80.5).

    And moreover, is a static route needed?

    Isn't that what the BGP route is meant to achieve?

  • You cannot create a BGP neighbor if you do not know where your neighbor is. If you do not specify the route to the neighbor, XG will send this traffic via the default gateway. That is a network issue. Are you sure this BGP configuration is correct?

    You are using DirectConnect. 

    aws.amazon.com/.../

    Seems like you can specify your own IP if you want. If you do not do that, you get this link-local address. You could use 169.254.0.0/16. That seems fine. Or try to use bigger networks.


  • Hi

    I would like to share the config file with you so that we can be on the same page.

    <?xml version="1.0" encoding="UTF-8"?><!--Amazon Virtual Private Cloud Configuration

    To configure this VPN, go to the WebAdmin for your security gateway. Click "Site-to-site VPN",
    then click "Amazon VPC". On the "Setup" tab, locate the "Import via Amazon VPC configuration"
    section, then select this file and click "Apply".

    XSL Version: 2009-07-15-1119716--><vpn_connection id="vpn-0f2dc11daafa249b0">
      <customer_gateway_id>cgw-0ac0f72ed2a243099</customer_gateway_id>
      <vpn_gateway_id>vgw-09183c2bbf93544db</vpn_gateway_id>
      <vpn_connection_type>ipsec.1</vpn_connection_type>
      <ipsec_tunnel>
        <customer_gateway>
          <tunnel_outside_address>
            <ip_address>52.255.172.72</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.80.6</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65002</asn>
            <hold_time>30</hold_time>
          </bgp>
        </customer_gateway>
        <vpn_gateway>
          <tunnel_outside_address>
            <ip_address>13.59.85.182</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.80.5</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65358</asn>
            <hold_time>30</hold_time>
          </bgp>
        </vpn_gateway>
        <ike>
          <authentication_protocol>sha1</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>Mj_HiX1z9qSjE4IpPF5gKKsX5rUWZGo9</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>hmac-sha1-96</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>tunnel</mode>
          <clear_df_bit>true</clear_df_bit>
          <fragmentation_before_encryption>true</fragmentation_before_encryption>
          <tcp_mss_adjustment>1379</tcp_mss_adjustment>
          <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
          </dead_peer_detection>
        </ipsec>
      </ipsec_tunnel>
      <ipsec_tunnel>
        <customer_gateway>
          <tunnel_outside_address>
            <ip_address>52.255.172.72</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.145.18</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65002</asn>
            <hold_time>30</hold_time>
          </bgp>
        </customer_gateway>
        <vpn_gateway>
          <tunnel_outside_address>
            <ip_address>18.188.16.128</ip_address>
          </tunnel_outside_address>
          <tunnel_inside_address>
            <ip_address>169.254.145.17</ip_address>
            <network_mask>255.255.255.252</network_mask>
            <network_cidr>30</network_cidr>
          </tunnel_inside_address>
          <bgp>
            <asn>65358</asn>
            <hold_time>30</hold_time>
          </bgp>
        </vpn_gateway>
        <ike>
          <authentication_protocol>sha1</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>28800</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>main</mode>
          <pre_shared_key>rlJorobXBnatH0Po06anqli7dEoiBsLI</pre_shared_key>
        </ike>
        <ipsec>
          <protocol>esp</protocol>
          <authentication_protocol>hmac-sha1-96</authentication_protocol>
          <encryption_protocol>aes-128-cbc</encryption_protocol>
          <lifetime>3600</lifetime>
          <perfect_forward_secrecy>group2</perfect_forward_secrecy>
          <mode>tunnel</mode>
          <clear_df_bit>true</clear_df_bit>
          <fragmentation_before_encryption>true</fragmentation_before_encryption>
          <tcp_mss_adjustment>1379</tcp_mss_adjustment>
          <dead_peer_detection>
            <interval>10</interval>
            <retries>3</retries>
          </dead_peer_detection>
        </ipsec>
      </ipsec_tunnel>
    </vpn_connection>
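The export above is the generic AWS Site-to-Site VPN configuration file. Each of its two tunnels carries a /30 inside the 169.254.0.0/16 range: the customer_gateway inside address is the one to put on the XG's XFRM interface (with the /30), and the vpn_gateway inside address is the BGP neighbor, peered against the vpn_gateway ASN. Because the neighbor then lies on the XFRM interface's own /30, it is reachable over the connected route and no separate static route is needed. The following script, an added example and not Sophos or AWS code, parses such an export into the values the XG side needs and checks the addressing mistake discussed in this thread (XFRM IP set to the AWS-side address). The output keys (xfrm_ip, bgp_neighbor, local_as and so on) are this script's own names, not WebAdmin field names, and the "legacy" IKE policy it applies is its own assumption. The sample XML is constructed, with documentation-range outside addresses and a placeholder PSK. Note that the file posted above contains the tunnels' live pre-shared keys; a file shared publicly like that should have its PSKs rotated on the AWS side.

```python
"""Derive the Sophos XG side of a route-based (XFRM) tunnel from an AWS
Site-to-Site VPN configuration export and sanity-check the addressing.
Added example, not Sophos or AWS code; element names follow the generic
AWS export, output keys are this script's own naming (an assumption)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted file: same inside /30s and ASNs,
# RFC 5737 documentation addresses outside, placeholder PSKs.
SAMPLE_XML = """<vpn_connection id="vpn-EXAMPLE">
 <ipsec_tunnel>
  <customer_gateway>
   <tunnel_outside_address><ip_address>192.0.2.10</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.80.6</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65002</asn><hold_time>30</hold_time></bgp>
  </customer_gateway>
  <vpn_gateway>
   <tunnel_outside_address><ip_address>198.51.100.20</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.80.5</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65358</asn><hold_time>30</hold_time></bgp>
  </vpn_gateway>
  <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
   <perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>REPLACE-ME</pre_shared_key></ike>
 </ipsec_tunnel>
 <ipsec_tunnel>
  <customer_gateway>
   <tunnel_outside_address><ip_address>192.0.2.10</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.145.18</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65002</asn><hold_time>30</hold_time></bgp>
  </customer_gateway>
  <vpn_gateway>
   <tunnel_outside_address><ip_address>198.51.100.21</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.145.17</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65358</asn><hold_time>30</hold_time></bgp>
  </vpn_gateway>
  <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
   <perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>REPLACE-ME</pre_shared_key></ike>
 </ipsec_tunnel>
</vpn_connection>
"""


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel> with the values the XG side needs."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        cgw = t.find("customer_gateway")  # our side (the XG)
        vgw = t.find("vpn_gateway")       # the AWS side
        local_inside = cgw.findtext("tunnel_inside_address/ip_address")
        cidr = cgw.findtext("tunnel_inside_address/network_cidr")
        tunnels.append({
            "local_gateway": cgw.findtext("tunnel_outside_address/ip_address"),
            "remote_gateway": vgw.findtext("tunnel_outside_address/ip_address"),
            # XFRM interface address: customer_gateway inside address plus its /30
            "xfrm_ip": f"{local_inside}/{cidr}",
            # BGP neighbor: vpn_gateway inside address, peered with the AWS ASN
            "bgp_neighbor": vgw.findtext("tunnel_inside_address/ip_address"),
            "remote_as": int(vgw.findtext("bgp/asn")),
            "local_as": int(cgw.findtext("bgp/asn")),
            "hold_time": int(vgw.findtext("bgp/hold_time")),
            "ike": {"auth": t.findtext("ike/authentication_protocol"),
                    "enc": t.findtext("ike/encryption_protocol"),
                    "pfs": t.findtext("ike/perfect_forward_secrecy")},
            # Record only that a PSK exists; never copy secrets into output.
            "psk_present": bool(t.findtext("ike/pre_shared_key")),
        })
    return tunnels


def check_xfrm_addressing(xfrm_ip, bgp_neighbor):
    """Problems with the XFRM IP chosen on XG relative to the AWS inside
    address. Empty list: the neighbor sits on the XFRM interface's own /30
    and is reached over the connected route, no static route required."""
    iface = ipaddress.ip_interface(xfrm_ip)
    peer = ipaddress.ip_address(bgp_neighbor)
    problems = []
    if iface.ip == peer:
        problems.append("XFRM IP equals the AWS inside address; "
                        "use the customer_gateway inside address instead")
    if peer not in iface.network:
        problems.append(f"neighbor {peer} is outside {iface.network}; "
                        "BGP traffic would leave via the default gateway")
    if iface.network.prefixlen > 30:
        problems.append("prefix longer than /30 leaves no address for the peer")
    return problems


# This script's own minimum IKE policy (an assumption): parameters listed
# here are flagged as legacy. The export in the thread uses sha1 and group2.
LEGACY = {"auth": {"sha1", "md5"}, "enc": {"3des", "des"}, "pfs": {"group1", "group2"}}


def legacy_crypto_findings(tunnel):
    """Sorted names of IKE parameters in the tunnel that fall under LEGACY."""
    return sorted(k for k, v in tunnel["ike"].items() if v in LEGACY[k])


if __name__ == "__main__":
    for n, t in enumerate(parse_tunnels(SAMPLE_XML), 1):
        print(f"tunnel {n}: XFRM {t['xfrm_ip']} -> neighbor {t['bgp_neighbor']} "
              f"AS{t['remote_as']} (local AS{t['local_as']}, hold {t['hold_time']}s)")
        print("  addressing:", check_xfrm_addressing(t["xfrm_ip"], t["bgp_neighbor"]) or "ok")
        print("  legacy IKE params:", legacy_crypto_findings(t) or "none")
    # The configuration from this thread: XFRM IP set to the neighbor's own address.
    print("thread config:", check_xfrm_addressing("169.254.80.5/30", "169.254.80.5"))
```

Run it against the real export to get, per tunnel, the XFRM address to assign, the neighbor and remote AS to enter under BGP, and a list of addressing problems; each tunnel gets its own XFRM interface and its own neighbor entry, since the two /30s are different.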

  • Try to create a static route with a bigger network and route this to the XFRM interface.

    This could actually work. 
