1. The purpose of the article
In this article techbast will show you how to configure IPSec VPN Site to site between Sophos Firewall device and AWS.
- The internet connection is connected at Port A5 of Sophos Firewall device with IP 42.117.x.x.
- The LAN network of the Sophos Firewall device is configured at Port 1 with IP 10.84.0.0/16 and has DHCP configured to allocate to devices connected to it..
- AWS has a WAN IP of 188.8.131.52.
- In the LAN, there is a Linux server with IP 172.31.42.255/20.
Based on the above diagram, we will configure the IPSec VPN Site to site between Sophos Firewall and AWS so that both LANs of the two parties can communicate with each other.
4. What to do
- Create AWS Customer Gateway.
- Create Virtual Private Gateway.
- Create Site-to-site VPN connection.
- Create route.
- Download the VPN configuration file and gather the necessary information.
- Create profile for Local and Remote subnet.
- Create IPSec policies.
- Create IPSec connection.
- Create a policy to allow traffic between 2 zones LAN and VPN.
- Configure the xfrm tunnel interface port.
- Create Route.
Kiểm tra kết quả.
5.1.1. Create AWS Customer Gateway
Sign in to the AWS Portal site with an administrative account.
Click Services and select VPC.
Select your VPC at Filter by VPC, this is the VPC you will use to configure IPSec VPN.
Go to VIRTUAL PRIVATE NETWORK (VPN) > Customer Gateways > Click Create Customer Gateway.
Create Customer Gateways with the following parameters:
- Name: Sophos Firewall.
- Routing: Static.
- IP Address: Enter Sophos WAN IP as 42.117.x.x.
- Click Create Customer Gateway to create.
5.1.2. Create Virtual Private Gateway
Go to VIRTUAL PRIVATE NETWORK > Virtual Private Gateways > Click Create Virtual Private Gateway.
Create a Virtual Private Gateway with the following parameters:
- Name tag: VPG-SophosComunity.
- ASN: Amazon default ASN.
- Click Create Virtual Private Gateway.
Next we will add the newly created Virtual Private Gateways to the VPC.
To Add select the newly created Virtual Private Gateways > click Action > Attach to VPC.
Select the VPC that we filtered at the Customer Gateways creation step and click Yes, Attach to complete.
Virtual Private Network has been successfully added to VPC.
5.1.3. Create Site-to-site VPN Connection.
Go to VIRTUAL PRIVATE NETWORK (VPN) > Site-to-Site VPN Connection > click Create VPN Connection.
Create with the following information:
- Name tag: S2S-AWS-to-Sophos.
- Target Gateway Type: select Virtual Private Gateway.
- Virtual Private Gateway *: Select the Virtual Private Gateways just created in the above step.
- Customer Gateway: select Existing.
- Customer Gateway ID *: select the Customer Gateway just created in the previous step.
- Routing Option: Static.
- Static IP Prefixes: Sophos LAN class input is 10.84.0.0/16.
- Local IPv4 Network Cidr: type 10.84.0.0/16.
- Remote IPv4 Network Cidr: enter AWS local network class as 172.31.32.0/20.
- Click Create VPN Connection.
5.1.4. Create route
We need to create a static route to route the Sophos network subnet through the Virtual Gateway.
To create in VIRTUAL PRIVATE CLOUD > Route Tables > check existing route tables > go to Route tab > click Edit Route > click Add route.
Add with the following parameters:
- Destination: 10.84.0.0/16.
- Target: select Virtual Gateway just created.
- Click Save changes.
5.1.5. Download the VPN configuration file and gather the necessary information.
After creating VPN Connection, we will select the VPN Connection we just created and click Download Configuration.
Select the following information to download the configuration file:
- Vendor: Generic.
- Platform: Generic.
- Software: Vendor Agnostic.
- Ike Version: ikev2.
We turn on the configuration file we just downloaded, we will have the following information.
Phase 1 and Phase 2 of the IPSec connection..
Information about AWS and Sophos WAN IPs.
- IP WAN AWS: 184.108.40.206.
- IP WAN Sophos: 42.117.x.x.
Information about IP 2 tunnel port of IPSec VPN connection.
- IP tunnel in Sophos: 169.254.164.194/30.
- IP tunnel in AWS: 169.254.164.193/30.
MTU and MSS parameters of 2 tunnel ports.
- MTU: 1436 bytes.
- MSS: 1379 bytes.
5.2. Sophos Firewall
5.2.1. Create profile for Local and Remote subnet.
We will create profiles for Local and Remote subnet.
To create, go to SYSTEM > Hosts and Services > IP Host > click Add.
Create a profile for the Local subnet with the following parameters:
- Name*: 10.84.0.0/16.
- IP version*: IPv4.
- Type*: Network.
- IP address*: 10.84.0.0 Subnet /16[255.255.0.0]
- Click Save.
Similar to the above steps, we will create a profile for the Remote subnet according to the following parameters:
IP version*: IPv4.
IP address*: 172.31.32.0 Subnet /20[255.255.240.0]
5.2.2. Create IPSec Policies
To create VPN > IPSec Policies > click Add.
Use the parameters collected from step 5.1.4 to create the corresponding IPSec Policies.
Create with the following parameters:
- Name: AWS.
- Key Exchange: IKEv2.
- Key life: 28800.
- DH group: 2 [DH1024].
- Encryption: AES128.
- Authentication: SHA1.
- PFS group [DH group]: Same as phase-I.
- Key life: 3600.
- Encryption: AES128.
- Authentication: SHA1.
5.2.3. Create IPSec connection
To create us go to CONFIGURE > VPN > IPSec connections > click Add.
In General we configure with the following parameters:
- Name: S2S_Sophos_to_AWS.
- IP version: IPv4.
- Connection type: Tunnel interface.
- Gateway type: Initiate the connection.
- Active on save: uncheck.
- Create firewall rule: uncheck.
In Encryption we configure with the following parameters:
- Policy: select AWS.
- Authentication type: select Preshared key.
- Preshared key: enter the preshared key collected from step 5.1.4.
- Repeat preshared key: re-enter the preshared key.
In Gateway settings we configure the following parameters:
- Listening interface: select PortA5 – 42.117.x.x.
- Local ID type: select IP address.
- Local ID: enter 42.117.x.x.
- Gateway address: enter IP WAN của AWS là 220.127.116.11.
- Remote ID type: select IP address.
- Remote ID: type 18.104.22.168.
After clicking Save, the IPSec connection will be created as shown below.
However, this connection is still not enabled, to turn it on, click the circle icon in the Active column and click OK.
Now the circle icon in the Active column turns green, which means that the connection has been successfully turned on.
Because the Sophos Firewall device is the device that actively creates a VPN connection to AWS, the dot in the Connection column will automatically turn green, which means that an IPSec VPN connection between the two sites has been established.
5.2.3. Create a policy to allow traffic between 2 zones LAN and VPN.
By default, the firewall will block all traffic between zones.
So we need to create a policy to allow traffic to go back and forth between the LAN and VPN zones.
To create, go to PROTECT > Rules and policies > Add firewall rule and create a policy as shown below.
5.2.4. Configure xfrm tunnel interface.
When the IPSec VPN has been created by tunnel interface, the device will automatically set up a port called xfrm tunnel interface.
We will configure this port’s parameters according to the IP, MTU, and MSS collected from step 5.1.4.
The configuration parameters are as follows:
- IPv4/netmask *: 169.254.164.194 – /30 [255.255.255.252].
- MTU: 1436.
- Override MSS: 1379.
5.2.5. Create route
We will create a static route to route the AWS network subnet 172.31.32.0/20 through the xfrm tunnel interface.
To create it, go to Routing > Static Routing > click Add.
Create according to the following parameters:
- Destination IP / Netmask *: Enter AWS LAN class as 172.31.32.0 – /20 [255.255.240.0].
- Interface: select port xfrm3-169.254.164.194
- Click Save.
Go to AWS portal > Virtual Private Network (VPN) > Site-to-Site VPN Connections.
At VPN Connection > Tunnel Details > make sure the tunnel’s status is UP.
Techbast will use the Linux server at AWS to ping the LAN IP of Sophos 10.84.2.14/16 to test the connection.
Ping result from Linux server to Sophos LAN IP machine.
Successful ping result.