Sophos UTM AWS
Step-by-step guide
- Create VPN config file at AWS VPC Console
- Download File.
- Edit it to make it work with Sophos.
- Take a note of the IP addresses of the two VPN tunnels at AWS and create two BGP Neighbours.
- Add firewall rules to allow AWS network to access Sophos Internal network.
- Add Sophos UTM as firewall as BGP server and enable BGP service.
- Import AWS config file and enable tunnel.
- Enable internal network to access AWS security groups for servers.
- Test.
At the AWS end, go to Services, VPC, then:
1. Create VPN config file at AWS VPC Console
Create a Customer Gateway
Open the Amazon VPC console at https://console.aws.amazon.com and then select Networking and Content Delivery > VPC.
In the navigation pane, click Customer Gateways, and then click Create Customer Gateway.
In the Create Customer Gateway dialog box, complete the following and then click Yes, Create:
In the Name tag field, optionally enter a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify. Select the routing type from the Routing list: Border Gateway Protocol (BGP). Enter the Autonomous System Number (ASN) in the BGP ASN field; we use 65000. Go to http://whatsmyip.org to discover your Customer Gateway IP address (the public address of your Sophos UTM).
To create a virtual private gateway
In the navigation pane, click Virtual Private Gateways, and then click Create Virtual Private Gateway.
You can optionally enter a name for your virtual private gateway, and then click Yes, Create.
Select the virtual private gateway that you created, and then click Attach to VPC.
In the Attach to VPC dialog box, select your VPC from the list, and then click Yes, Attach.
To enable instances in your VPC to reach your customer gateway, you must configure your route table to include the routes used by your VPN connection and point them to your virtual private gateway. You can enable route propagation for your route table to automatically propagate those routes to the table for you.
For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the route table after you've created the VPN connection. For dynamic routing, the BGP-advertised routes from your customer gateway are propagated to the route table when the status of the VPN connection is UP.
To enable route propagation
In the navigation pane, click Route Tables, and then select the route table that's associated with the subnet; by default, this is the main route table for the VPC.
On the Route Propagation tab in the details pane, click Edit, select the virtual private gateway that you created in the previous procedure, and then click Save.
Update Your Security Group to Enable Inbound Full Access for your internal network (192.168.0.0/24 in our case)
To add rules to your security group to enable inbound for your internal network:
In the navigation pane, click Security Groups, and then select the default security group for the VPC.
On the Inbound tab in the details pane, add a rule allowing All traffic from your internal network (192.168.0.0/24 in our case).
2. Create a VPN Connection and Configure the Customer Gateway
To create a VPN connection and configure the customer gateway
In the navigation pane, click VPN Connections.
Click Create VPN Connection.
In the Create VPN Connection dialog box, do the following, and then click Yes, Create:
In the Name tag field, optionally enter a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify. Select the virtual private gateway that you created earlier.
Select the customer gateway that you created earlier.
Select Border Gateway Protocol (BGP):
As your VPN router supports BGP, select Dynamic (requires BGP).
It may take a few minutes to create the VPN connection. When it's ready, select the connection, and then click Download Configuration.
In the Download Configuration dialog box, select the vendor, platform, and software that corresponds to your customer gateway device or software, and then click Yes, Download.
3. Edit file to make it work with Sophos.
Our file is below:
Make a note of the Tunnel Outside addresses at the AWS end (the <tunnel_outside_address> under each <vpn_gateway> section: 50.50.50.50 and 50.50.50.49 in our file), as we will need these to be our BGP neighbours.
Our external IP address (123.123.123.123, the <tunnel_outside_address> under each <customer_gateway> section) appears twice. You need to edit the file and change it in both places to our internal firewall IP address, 192.168.0.254.
<?xml version='1.0' encoding='UTF-8'?><!--Amazon Virtual Private Cloud Configuration
To configure this VPN, go to the WebAdmin for your security gateway. Click 'Site-to-site VPN',
then click 'Amazon VPC'. On the 'Setup' tab, locate the 'Import via Amazon VPC configuration'
section, then select this file and click 'Apply'.
XSL Version: 2009-07-15-1119716--><vpn_connection>
<customer_gateway_id>cgw-madeupname</customer_gateway_id>
<vpn_gateway_id>vgw-madeupname</vpn_gateway_id>
<vpn_connection_type>ipsec.1</vpn_connection_type>
<ipsec_tunnel>
<customer_gateway>
<tunnel_outside_address>
<ip_address>123.123.123.123</ip_address>
</tunnel_outside_address>
<tunnel_inside_address>
<ip_address>169.254.255.89</ip_address>
<network_mask>255.255.255.252</network_mask>
<network_cidr>30</network_cidr>
</tunnel_inside_address>
<bgp>
<asn>65000</asn>
<hold_time>30</hold_time>
</bgp>
</customer_gateway>
<vpn_gateway>
<tunnel_outside_address>
<ip_address>50.50.50.50</ip_address>
</tunnel_outside_address>
<tunnel_inside_address>
<ip_address>169.254.255.88</ip_address>
<network_mask>255.255.255.252</network_mask>
<network_cidr>30</network_cidr>
</tunnel_inside_address>
<bgp>
<asn>7224</asn>
<hold_time>30</hold_time>
</bgp>
</vpn_gateway>
<ike>
<authentication_protocol>sha1</authentication_protocol>
<encryption_protocol>aes-128-cbc</encryption_protocol>
<lifetime>28800</lifetime>
<perfect_forward_secrecy>group2</perfect_forward_secrecy>
<mode>main</mode>
<pre_shared_key>FTta4BZ82qA4cooDgwDWmcpOv2MxSYtl</pre_shared_key>
</ike>
<ipsec>
<protocol>esp</protocol>
<authentication_protocol>hmac-sha1-96</authentication_protocol>
<encryption_protocol>aes-128-cbc</encryption_protocol>
<lifetime>3600</lifetime>
<perfect_forward_secrecy>group2</perfect_forward_secrecy>
<mode>tunnel</mode>
<clear_df_bit>true</clear_df_bit>
<fragmentation_before_encryption>true</fragmentation_before_encryption>
<tcp_mss_adjustment>1387</tcp_mss_adjustment>
<dead_peer_detection>
<interval>10</interval>
<retries>3</retries>
</dead_peer_detection>
</ipsec>
</ipsec_tunnel>
<ipsec_tunnel>
<customer_gateway>
<tunnel_outside_address>
<ip_address>123.123.123.123</ip_address>
</tunnel_outside_address>
<tunnel_inside_address>
<ip_address>169.254.255.87</ip_address>
<network_mask>255.255.255.252</network_mask>
<network_cidr>30</network_cidr>
</tunnel_inside_address>
<bgp>
<asn>65000</asn>
<hold_time>30</hold_time>
</bgp>
</customer_gateway>
<vpn_gateway>
<tunnel_outside_address>
<ip_address>50.50.50.49</ip_address>
</tunnel_outside_address>
<tunnel_inside_address>
<ip_address>169.254.255.86</ip_address>
<network_mask>255.255.255.252</network_mask>
<network_cidr>30</network_cidr>
</tunnel_inside_address>
<bgp>
<asn>7224</asn>
<hold_time>30</hold_time>
</bgp>
</vpn_gateway>
<ike>
<authentication_protocol>sha1</authentication_protocol>
<encryption_protocol>aes-128-cbc</encryption_protocol>
<lifetime>28800</lifetime>
<perfect_forward_secrecy>group2</perfect_forward_secrecy>
<mode>main</mode>
<pre_shared_key>_NTSKNZ9gGySZjVvBYeKJjUTzQ4lp_s3</pre_shared_key>
</ike>
<ipsec>
<protocol>esp</protocol>
<authentication_protocol>hmac-sha1-96</authentication_protocol>
<encryption_protocol>aes-128-cbc</encryption_protocol>
<lifetime>3600</lifetime>
<perfect_forward_secrecy>group2</perfect_forward_secrecy>
<mode>tunnel</mode>
<clear_df_bit>true</clear_df_bit>
<fragmentation_before_encryption>true</fragmentation_before_encryption>
<tcp_mss_adjustment>1387</tcp_mss_adjustment>
<dead_peer_detection>
<interval>10</interval>
<retries>3</retries>
</dead_peer_detection>
</ipsec>
</ipsec_tunnel>
</vpn_connection>
4. Take a note of the IP addresses of the two VPN tunnels at AWS and create two BGP Neighbours.
In our case 50.50.50.50 and 50.50.50.49 -
Logon to Sophos UTM > Interfaces & Routing > Border Gateway Protocol > Neighbour > New BGP Neighbour - create two BGP neighbours with an AS of 65000 and the IP addresses above.
5. Add firewall rules to allow AWS network to access Sophos Internal network.
Logon to Sophos UTM > Network Protection > New Rule
Where AWS1 and AWS2 are the newly defined BGP routers from Step 4 and AWS_VPC is the VPC network - in our case 172.31.0.0/16 - found here:
https://console.aws.amazon.com/vpc/home?region=us-east-1#vpcs: (assuming you are in the same region)
6. Add Sophos UTM as firewall as BGP server and enable BGP service.
Logon to Sophos UTM > Interfaces & Routing > Border Gateway Protocol > in Global, select BGP System, add the AS number of 65000 and a router ID of 192.168.0.254, add External (WAN) (Network) and Internal (Network) as the networks, and enable BGP by turning on the big green button.
7. Import AWS config file and enable tunnel.
Take the config file you edited in step 3 > Logon to Sophos UTM > Site-to-Site VPN > Amazon VPC > Setup > Import via Amazon VPC configuration > Upload your file. Don't specify a remote network and click Apply. When you go to Status it should be green. It takes a few minutes to come up properly.
Notice BGP in the top (active) tunnel shows the route of the VPC subnet and uptime.
At the AWS end:
https://console.aws.amazon.com/vpc/home?region=us-east-1#vpns: (assuming you are in the same region)
Notice Tunnel 1 shows BGP is up and Link status is up - that means you are good to go. If it is not up, you need to do some troubleshooting.
8. Enable internal network to access AWS security groups for servers.
In the AWS Console, go to Services > EC2 and then security groups
To add rules to your security group to enable inbound for your internal network:
In the navigation pane, click Security Groups, and then select the default security group for the EC2 instances you have (and all Security Groups you want to allow VPN access).
On the Inbound tab in the details pane, add a rule allowing inbound traffic from your internal network (192.168.0.0/24 in our case).
9. Test
You should now have a working Site-to-Site VPN between your Sophos UTM and AWS.
References
AWS: VPN setup guide
Sophos: KB120922
AWS: VPN Tunnel Troubleshooting
Purpose
This article gives the steps to set up a Site-to-Site VPN connection from an Amazon Web Services VPC to a Sophos UTM device at an office. In this example I used the software (VM) version of UTM, version 9.401-11.
Prerequisites
- AWS Account
- UTM device setup (software or hardware)
- Permissions to create VPN and edit route tables in AWS
- Permissions in UTM to setup Site-to-site VPN
Create Virtual Private Gateway (AWS)
- Browse to VPC Dashboard | Virtual Private Gateways | Create Virtual Private Gateway
- Enter descriptive name tag
- Example: dev-vpc
- Select Yes, Create
- Right-Click the new VPG and select Attach to VPC
- Select the VPC ID
- Select Yes, Attach
Create Customer Gateway (AWS)
- Browse to VPC Dashboard | Customer Gateways | Create Customer Gateway
- Enter descriptive name tag
- Example: office-utm
- Select Dynamic Routing
- Enter External WAN IP Address of the UTM device
- Enter random BGP ASN between 64512-65534
- Example: 65000
Create VPN Connection (AWS)
- Browse to VPC Dashboard | VPN Connections | Create VPN Connection
- Enter descriptive name tag
- Example: office-to-dev
- Select the Virtual Private Gateway and Customer Gateway
- Select Dynamic Routing Options
- Select Yes, Create
Enable Route Propagation on Private Route Table (AWS)
- Browse to VPC Dashboard
- Select Route Tables
- Select the Private Route Table
- Select Route Propagation | Edit
- Check box under Propagate next to the new VPG
Create/Edit VPN Access Security Group (AWS)
- Browse to VPC Dashboard or EC2 Dashboard
- Select Security Groups | Create Security Group
- Enter descriptive name tag, Group name and Description
- Example: office-vpn-access
- Select VPC ID
- Select Yes, Create
- Select Inbound Rules | Edit
- Select ALL Traffic Type
- Enter IP Range of office using CIDR notation
- Example: 192.168.100.0/24
- Select Save
Add Security Group to Instances (AWS)
Now add the new VPN access Security Group to each instance you want to allow access to over VPN.
- Browse to EC2 Dashboard
- Select instances individually
- Select Actions | Networking | Change Security Group
- Check the box next to the new security group
- Select Assign Security Groups
Allow Office Traffic on Private Network ACL (AWS)
If the private network ACL is locked down for inbound traffic you'll need to create a rule to allow traffic from the office network/s.
- Browse to VPC Dashboard | Network ACLs
- Select Private Network ACL
- Select Inbound Rules | Edit
- Add rule All Traffic for the Office IP CIDR Block
- Example: 192.168.100.0/24
I have written an AWS CloudFormation template that will set up a VPN as described above on an existing VPC. If you want a new VPC I have a template for that as well.
VPN Template
VPC Template
Download VPN Configuration File (AWS)
- Browse to VPC Dashboard | VPN Connections
- Right-Click the new VPN Connection
- Select Download Configuration
- Select Vendor | Sophos
- Select Platform | UTM
- Select V9
- Select Yes, Download
Capture BGP Addresses for AWS
- Open the configuration XML file you downloaded
- Look for two vpn_gateway sections with external IP addresses that are not your UTM device.
- 52.1.179.146 and 52.72.41.196
Create BGP Neighbors (UTM)
Create two BGP neighbors with the above IP addresses found in the XML configuration file.
- Browse to Interfaces and Routing | Border Gateway Protocol | Neighbor
- Select New BGP Neighbor...
- Enter name
- Example: aws-dev-vpn-bgp01
- Select + to create a host definition for the first IP address
- Enter name
- Example: aws-dev-vpn-bgp01
- Select Save
- Enter Remote ASN found in the XML Configuration File.
- Example: 7224
- Select Save
- Repeat for second BGP IP address.
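The file edit in step 3 of the first guide, the neighbour capture in step 4 and the BGP-address capture above all come down to reading the same XML. The following is an added example of my own, not code from either guide, Sophos or AWS: it extracts the neighbours and performs the customer-gateway address edit with a parser instead of a text editor, so a missed second occurrence cannot leave one tunnel pointing at the old address, and it runs a few consistency checks before import. It assumes a file in the layout shown in step 3 and uses the guide's placeholder addresses as constructed sample input.

```python
import xml.etree.ElementTree as ET

# Constructed two-tunnel sample in the layout of the downloaded file (ike/ipsec
# sections trimmed); the addresses are the guide's placeholders, not real endpoints.
TUNNEL = """<ipsec_tunnel>
<customer_gateway><tunnel_outside_address><ip_address>{cgw}</ip_address></tunnel_outside_address>
<bgp><asn>65000</asn></bgp></customer_gateway>
<vpn_gateway><tunnel_outside_address><ip_address>{vgw}</ip_address></tunnel_outside_address>
<bgp><asn>7224</asn></bgp></vpn_gateway>
</ipsec_tunnel>"""
SAMPLE_XML = ("<vpn_connection>"
              + TUNNEL.format(cgw="123.123.123.123", vgw="50.50.50.50")
              + TUNNEL.format(cgw="123.123.123.123", vgw="50.50.50.49")
              + "</vpn_connection>")

def bgp_neighbours(xml_text):
    """One (AWS outside address, remote ASN) pair per tunnel, read from the
    vpn_gateway sections: these become the two BGP neighbours on the UTM."""
    root = ET.fromstring(xml_text)
    return [(t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
             int(t.findtext("vpn_gateway/bgp/asn")))
            for t in root.findall("ipsec_tunnel")]

def set_customer_gateway_ip(xml_text, new_ip):
    """The step 3 edit: rewrite the customer_gateway outside address in every
    tunnel (twice in a standard file). Returns (new_xml, replacements)."""
    root = ET.fromstring(xml_text)
    nodes = root.findall("ipsec_tunnel/customer_gateway/tunnel_outside_address/ip_address")
    for node in nodes:
        node.text = new_ip
    return ET.tostring(root, encoding="unicode"), len(nodes)

def check_config(xml_text):
    """Pre-import sanity checks; returns a list of problems (empty means OK)."""
    tunnels = ET.fromstring(xml_text).findall("ipsec_tunnel")
    cgw = {t.findtext("customer_gateway/tunnel_outside_address/ip_address") for t in tunnels}
    vgw = [t.findtext("vpn_gateway/tunnel_outside_address/ip_address") for t in tunnels]
    local = {t.findtext("customer_gateway/bgp/asn") for t in tunnels}
    remote = {t.findtext("vpn_gateway/bgp/asn") for t in tunnels}
    problems = []
    if len(tunnels) != 2:
        problems.append("expected two ipsec_tunnel sections, found %d" % len(tunnels))
    if len(cgw) != 1:
        problems.append("customer gateway address differs between tunnels: %s" % sorted(cgw))
    if len(set(vgw)) != len(vgw):
        problems.append("the two AWS tunnel addresses must differ")
    if local & remote:
        problems.append("local and remote ASN are equal; the session to AWS is eBGP")
    return problems
```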
Enable BGP (UTM)
- Browse to Interfaces and Routing | Border Gateway Protocol | Global
- Toggle the enable icon in upper right to on
- Enter 65000 for AS Number
- Enter your WAN IP Address as Router ID (found under Interfaces and Routing | Interfaces | WAN, or by searching "What's my IP")
- Add WAN (Network) to Networks
- Add LAN (Network) to Networks
- Select Apply
Add Firewall Rules to Allow AWS VPC to Office (UTM)
- Browse to Network Protection | Firewall
- Select New Rule
- Add the two BGP Host definitions created above as Sources
- Example: aws-dev-vpn-bgp01 and aws-dev-vpn-bgp02
- Create new Host Definition for the VPC IP Range
- Example: aws-dev-vpc - 10.10.0.0/16
- Select Any for Services
- Select LAN (Network) for Destinations
Add LAN Route Propagation (UTM)
- Browse to Site-to-Site VPN | Amazon VPC | Setup | Route Propagation
- Remove Any
- Add LAN (Network) for Destinations
Upload VPN Configuration File (UTM)
- Browse to Site-to-Site VPN | Amazon VPC | Setup
- Under Import Via Amazon VPC Configuration | VPC config file: Click the yellow folder
- Browse to download configuration and select
- Select Start Upload
- Select Apply
Check Status (UTM+AWS)
UTM
- Browse to Site-to-Site VPN
AWS
- Browse to VPC Dashboard | VPN Connections
- Select new VPN Connection
- Select Tunnel Details
Remote Connection Test
The final test is remote connecting to an instance in the VPC that is in the new VPN security group.
- Ping, SSH, RDP, HTTP, HTTPS etc.
- From office to private IP address of instance.