Setup Site to Site VPN from AWS VPC to Sophos UTM

From Bonus Bits

Purpose

This article gives the steps to set up a Site to Site VPN Connection from an Amazon Web Services VPC to a Sophos UTM device at an office. In this example I used the software (VM) version of UTM, version 9.401-11.


Prerequisites

  • AWS Account
  • UTM device setup (software or hardware)
  • Permissions to create VPN and edit route tables in AWS
  • Permissions in UTM to setup Site-to-site VPN


Manual AWS Configurations (Option 1)

Create Virtual Private Gateway (AWS)

  1. Browse to VPC Dashboard | Virtual Private Gateways | Create Virtual Private Gateway
  2. Enter descriptive name tag
    1. Example: dev-vpc
  3. Select Yes, Create
  4. Right-Click the new VPG and select Attach to VPC
  5. Select the VPC ID
  6. Select Yes, Attach


Create Customer Gateway (AWS)

  1. Browse to VPC Dashboard | Customer Gateways | Create Customer Gateway
  2. Enter descriptive name tag
    1. Example: office-utm
  3. Select Dynamic Routing
  4. Enter External WAN IP Address of the UTM device
  5. Enter a BGP ASN from the private range 64512-65534
    1. Example: 65000


Create VPN Connection (AWS)

  1. Browse to VPC Dashboard | VPN Connections | Create VPN Connection
  2. Enter descriptive name tag
    1. Example: office-to-dev
  3. Select the Virtual Private Gateway and Customer Gateway
  4. Select Dynamic Routing Options
  5. Select Yes, Create


Enable Route Propagation on Private Route Table (AWS)

  1. Browse to VPC Dashboard
  2. Select Route Tables
  3. Select the Private Route Table
  4. Select Route Propagation | Edit
  5. Check box under Propagate next to the new VPG


Create/Edit VPN Access Security Group (AWS)

  1. Browse to VPC Dashboard or EC2 Dashboard
  2. Select Security Groups | Create Security Group
  3. Enter descriptive name tag, Group name and Description
    1. Example: office-vpn-access
  4. Select VPC ID
  5. Select Yes, Create
  6. Select Inbound Rules | Edit
  7. Select ALL Traffic Type
  8. Enter IP Range of office using CIDR notation
    1. Example: 192.168.100.0/24
  9. Select Save


Add Security Group to Instances (AWS)

Now add the new VPN access Security Group to each instance you want to allow access to over VPN.

  1. Browse to EC2 Dashboard
  2. Select instances individually
  3. Select Actions | Networking | Change Security Group
  4. Check the box next to the new security group
  5. Select Assign Security Groups


Allow Office Traffic on Private Network ACL (AWS)

If the private network ACL is locked down for inbound traffic, you'll need to create a rule to allow traffic from the office network(s).

  1. Browse to VPC Dashboard | Network ACLs
  2. Select Private Network ACL
  3. Select Inbound Rules | Edit
  4. Add rule All Traffic for the Office IP CIDR Block
    1. Example: 192.168.100.0/24
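The same Option 1 steps as a boto3 script, added here as an example and not the article's own code. Resource names are the article's examples; the VPC id, private route table id, UTM WAN IP and office CIDR are placeholders you supply, and the instance security-group assignment and network ACL rule are left to the console steps above.

```python
"""Option 1 (manual AWS steps) as a boto3 script. Added example, not the article's
code. Resource names follow the article; vpc/route-table ids, the UTM WAN IP and the
office CIDR are placeholders. Instance SG assignment and the NACL rule are not done here."""
import ipaddress

def is_private_asn(asn: int) -> bool:
    """The customer gateway ASN must be a 16-bit private ASN (64512-65534)."""
    return 64512 <= asn <= 65534

def office_ingress_rule(office_cidr: str) -> dict:
    """Inbound rule for office-vpn-access: all traffic, but only from the office CIDR.
    strict=True rejects a CIDR with host bits set (e.g. 192.168.100.5/24) so a typo fails
    here, not in the API call. Narrow IpProtocol/ports if the office needs less than all."""
    net = ipaddress.ip_network(office_cidr, strict=True)
    return {"IpProtocol": "-1", "IpRanges": [{"CidrIp": str(net), "Description": "office over VPN"}]}

def _tags(resource_type: str, name: str) -> list:
    return [{"ResourceType": resource_type, "Tags": [{"Key": "Name", "Value": name}]}]

def build_vpn(vpc_id: str, private_rtb_id: str, utm_wan_ip: str, office_cidr: str,
              asn: int = 65000) -> dict:
    """Create the VGW, CGW, dynamic (BGP) VPN connection, route propagation and SG."""
    import boto3  # imported here so the pure helpers above run without AWS credentials
    if not is_private_asn(asn):
        raise ValueError(f"{asn} is not a private ASN in 64512-65534")
    ec2 = boto3.client("ec2")
    vgw = ec2.create_vpn_gateway(Type="ipsec.1", TagSpecifications=_tags("vpn-gateway", "dev-vpc"))
    vgw_id = vgw["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw_id, VpcId=vpc_id)
    cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=utm_wan_ip, BgpAsn=asn,
                                      TagSpecifications=_tags("customer-gateway", "office-utm"))
    cgw_id = cgw["CustomerGateway"]["CustomerGatewayId"]
    vpn = ec2.create_vpn_connection(Type="ipsec.1", VpnGatewayId=vgw_id, CustomerGatewayId=cgw_id,
                                    Options={"StaticRoutesOnly": False},  # dynamic routing
                                    TagSpecifications=_tags("vpn-connection", "office-to-dev"))
    vpn_id = vpn["VpnConnection"]["VpnConnectionId"]
    # Let the private route table learn the office prefixes the UTM announces over BGP
    ec2.enable_vgw_route_propagation(GatewayId=vgw_id, RouteTableId=private_rtb_id)
    sg_id = ec2.create_security_group(GroupName="office-vpn-access", VpcId=vpc_id,
                                      Description="Access from office over site-to-site VPN",
                                      TagSpecifications=_tags("security-group", "office-vpn-access"))["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[office_ingress_rule(office_cidr)])
    return {"vgw": vgw_id, "cgw": cgw_id, "vpn": vpn_id, "sg": sg_id}

if __name__ == "__main__":
    print(build_vpn("vpc-PLACEHOLDER", "rtb-PLACEHOLDER", "203.0.113.10", "192.168.100.0/24"))
```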


Cloudformation AWS Configuration (Option 2)

I have written an AWS CloudFormation template that will set up a VPN as described above on an existing VPC. If you want a new VPC I have a template for that as well.

VPN Template

https://github.com/stelligent/cloudformation_templates/blob/master/infrastructure/vpn/vpn-bgp.template

VPC Template

https://github.com/stelligent/cloudformation_templates/blob/master/infrastructure/vpc/vpc.template


Final Configurations

Download VPN Configuration File (AWS)

  1. Browse to VPC Dashboard | VPN Connections
  2. Right-Click the new VPN Connection
  3. Select Download Configuration
  4. Select Vendor | Sophos
  5. Select Platform | UTM
  6. Select V9
  7. Select Yes, Download


Capture BGP Addresses for AWS

  1. Open the configuration XML file you downloaded
  2. Look for the two vpn_gateway sections whose external IP addresses are not your UTM device's:
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>52.1.179.146</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.44.53</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>7224</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>

    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>52.72.41.196</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.44.141</ip_address>
        <network_mask>255.255.255.252</network_mask>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
      <bgp>
        <asn>7224</asn>
        <hold_time>30</hold_time>
      </bgp>
    </vpn_gateway>

    In this example the two AWS BGP peer addresses are 52.1.179.146 and 52.72.41.196.
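Instead of picking the addresses out by hand, the following added example (not the article's code) parses the downloaded file and sanity-checks it. SAMPLE_XML is constructed to match the article's excerpt (in the real file each customer_gateway/vpn_gateway pair sits inside an ipsec_tunnel element), and the UTM WAN address 203.0.113.10 is a placeholder.

```python
"""Pull the AWS-side BGP peer details from the downloaded VPN configuration XML.
Added example, not the article's code. SAMPLE_XML is constructed after the article's
excerpt; 203.0.113.10 stands in for the UTM WAN address."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<vpn_connection id="vpn-PLACEHOLDER">
 <ipsec_tunnel>
  <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.44.54</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65000</asn><hold_time>30</hold_time></bgp></customer_gateway>
  <vpn_gateway><tunnel_outside_address><ip_address>52.1.179.146</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.44.53</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>7224</asn><hold_time>30</hold_time></bgp></vpn_gateway>
 </ipsec_tunnel>
 <ipsec_tunnel>
  <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.44.142</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>65000</asn><hold_time>30</hold_time></bgp></customer_gateway>
  <vpn_gateway><tunnel_outside_address><ip_address>52.72.41.196</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.44.141</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
   <bgp><asn>7224</asn><hold_time>30</hold_time></bgp></vpn_gateway>
 </ipsec_tunnel>
</vpn_connection>"""

def aws_bgp_peers(xml_text: str, utm_wan_ip: str) -> list:
    """One dict per tunnel with what the UTM BGP neighbor needs (AWS outside IP, remote
    ASN, hold time) plus both /30 inside addresses; raises on a file that looks wrong."""
    peers = []
    for tun in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        cgw, vgw = tun.find("customer_gateway"), tun.find("vpn_gateway")
        if cgw.findtext("tunnel_outside_address/ip_address") != utm_wan_ip:
            raise ValueError("customer_gateway address is not this UTM's WAN IP; wrong file?")
        aws_ip = vgw.findtext("tunnel_outside_address/ip_address")
        aws_in, utm_in = vgw.find("tunnel_inside_address"), cgw.find("tunnel_inside_address")
        # Both ends of a tunnel must share the same /30 link network
        link = ipaddress.ip_network(f"{aws_in.findtext('ip_address')}/{aws_in.findtext('network_cidr')}", strict=False)
        if ipaddress.ip_address(utm_in.findtext("ip_address")) not in link:
            raise ValueError(f"inside addresses of tunnel {aws_ip} are not both in {link}")
        peers.append({"aws_ip": aws_ip, "aws_inside": aws_in.findtext("ip_address"),
                      "utm_inside": utm_in.findtext("ip_address"),
                      "asn": int(vgw.findtext("bgp/asn")), "hold_time": int(vgw.findtext("bgp/hold_time"))})
    if len(peers) != 2 or len({p["asn"] for p in peers}) != 1:
        raise ValueError("expected two tunnels with one remote ASN")
    return peers

if __name__ == "__main__":
    for p in aws_bgp_peers(SAMPLE_XML, "203.0.113.10"):
        print(f"BGP neighbor {p['aws_ip']}  remote AS {p['asn']}  hold {p['hold_time']}s")
```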


Create BGP Neighbors (UTM)

Create two BGP neighbors with the above IP addresses found in the XML configuration file.

  1. Browse to Interfaces and Routing | Border Gateway Protocol | Neighbor
  2. Select New BGP Neighbor...
  3. Enter name
    1. Example: aws-dev-vpn-bgp01
  4. Select + to create a host definition for the first IP address
  5. Enter name
    1. Example: aws-dev-vpn-bgp01
  6. Select Save
  7. Enter Remote ASN found in the XML Configuration File.
    1. Example: 7224
  8. Select Save
  9. Repeat for second BGP IP address.


Enable BGP (UTM)

  1. Browse to Interfaces and Routing | Border Gateway Protocol | Global
  2. Toggle the enable icon in upper right to on
  3. Enter 65000 for AS Number
  4. Enter your WAN IP Address as Router ID
    1. Under Interfaces and Routing | Interfaces | WAN?
    2. Or Google What's my ip
  5. Add WAN (Network) to Networks
  6. Add LAN (Network) to Networks
  7. Select Apply


Add Firewall Rules to Allow AWS VPC to Office (UTM)

  1. Browse to Network Protection | Firewall
  2. Select New Rule
  3. Add the two BGP Host definitions created above as Sources
    1. Example: aws-dev-vpn-bgp01 and aws-dev-vpn-bgp02
  4. Create new Host Definition for the VPC IP Range
    1. Example: aws-dev-vpc - 10.10.0.0/16
  5. Select Any for Services
  6. Select LAN (Network) for Destinations


Add LAN Route Propagation (UTM)

  1. Browse to Site-to-Site VPN | Amazon VPC | Setup | Route Propagation
  2. Remove Any
  3. Add LAN (Network) for Destinations


Upload VPN Configuration File (UTM)

  1. Browse to Site-to-Site VPN | Amazon VPC | Setup
  2. Under Import Via Amazon VPC Configuration | VPC config file: Click the yellow folder
  3. Browse to download configuration and select
  4. Select Start Upload
  5. Select Apply


Check Status (UTM+AWS)

UTM

  1. Browse to Site-to-Site VPN

(Screenshot: Aws-vpc-vpn-to-utm01)

AWS

  1. Browse to VPC Dashboard | VPN Connections
  2. Select new VPN Connection
  3. Select Tunnel Details

(Screenshot: Aws-vpc-vpn-to-utm02)
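The AWS Tunnel Details view can also be polled from a script, which is handy for alerting when a tunnel drops. Added example, not the article's code; the VPN connection id is a placeholder and SAMPLE_CONNECTION is constructed in the shape that describe_vpn_connections returns.

```python
"""Check both tunnels of the VPN connection the way the console's Tunnel Details tab
does. Added example, not the article's code; vpn id is a placeholder and the sample
response is constructed."""

def summarize_tunnels(vpn_connection: dict) -> dict:
    """Map each AWS outside IP to (status, accepted BGP route count). UP with zero
    accepted routes means IPsec is fine but the UTM is not announcing routes yet."""
    return {t["OutsideIpAddress"]: (t["Status"], t.get("AcceptedRouteCount", 0))
            for t in vpn_connection["VgwTelemetry"]}

def all_tunnels_healthy(summary: dict) -> bool:
    """Both tunnels UP and each has learned at least one office prefix over BGP."""
    return len(summary) == 2 and all(s == "UP" and n > 0 for s, n in summary.values())

def check_vpn(vpn_id: str) -> dict:
    import boto3  # imported here so the helpers above run offline
    resp = boto3.client("ec2").describe_vpn_connections(VpnConnectionIds=[vpn_id])
    return summarize_tunnels(resp["VpnConnections"][0])

# Constructed sample using the article's two AWS tunnel addresses; second tunnel down
SAMPLE_CONNECTION = {"VpnConnectionId": "vpn-PLACEHOLDER", "State": "available", "VgwTelemetry": [
    {"OutsideIpAddress": "52.1.179.146", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 1},
    {"OutsideIpAddress": "52.72.41.196", "Status": "DOWN", "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
]}

if __name__ == "__main__":
    s = summarize_tunnels(SAMPLE_CONNECTION)
    print(s, "healthy" if all_tunnels_healthy(s) else "needs attention")
```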


Remote Connection Test

The final test is remote connecting to an instance in the VPC that is in the new VPN security group.

  1. Ping, SSH, RDP, HTTP, HTTPS, etc.
  2. From the office to the private IP address of the instance.


Sources