Fortigate Cloud Services to Azure, AWS, GCP: Secure Site VPN Gateway

Configure the local FortiGate:

To configure the interfaces:

Configuring Meraki To Azure Site-To-Site-VPN Tunnels

Create Azure Virtual network
1. Sign-in to Azure portal.
2. In Search resources, service, and docs (G+/), type virtual network.
3. Select Virtual Network from the Services results.
4. On the Virtual Network page, select Create.
5. Once you select Create, the Create virtual network page opens.
6. On the Basics tab, configure Project details and Instance details VNet settings.
When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are auto filled, which you can replace with your own values:

>> Subscription: Select Pay-As-You-Go.
>> Resource group: Select the existing (Create new) Resource group AZ-DR01.
>> Name: Type AZ-DR01-VNet1.
>> Region:

7. Click Next: IP Address.
8. On the IP Addresses tab, configure the values.
IPv4 address space: Type 10.15.0.0/16.
9. Click +Add subnet.
>> Subnet name: type FrontEnd.
>> Subnet address range: 10.15.1.0/24.
>> Services: Keep the default settings (0 selected)
10. Click Add.
11. Click Next: Security.
12. On the Security tab, at this time, leave the default values:
>> BastionHost: Disable.
>> DDoS Protection Standard: Disable.
>> Firewall: Disable.

13. Click Next: Tags.
14. On the Tags tab, leave the default values.
15. Click Next: Review + create.
16. After the settings have been validated, select Create.
17. Make sure the new VNet deployment is complete without issues, click Go to resource.

Create Azure VPN Gateway:
1. In Search resources, service, and docs (G+/), type virtual network gateway.
2. Select Virtual network gateway from the Services results.
3. On the Basics tab, configure Project details and Instance details and Public IP address for Virtual network gateway settings.
>> Subscription: Select Pay-As-You-Go.
>> Name: Type AZ-DR01-VNet1-GW1.
>> Region: Select Canada Central.
>> Gateway type: Select VPN.
>> VPN type: Select Route-Based.
>> SKU: Select VpnGW1 (Bandwidth:650Mbps)
>> Virtual network: Select AZ-DR01-VNet1.
>> Gateway subnet address range: Type 10.15.255.0/27
>> Public IP address: Leave Create new selected.
>> Public IP address name: AZ-DR01-VNet1-GW1-Public-IP
>> Assignment: VPN gateway supports only Dynamic.
>> Enable Active-Active mode: Select Disabled.
>> Configure BGP ASN: Select Disabled.
4. Click Next: Tags.
5. On the Tags tab, leave the default values.
6. Click Next: Review + create.
7. After the settings have been validated, select Create.
8. Make sure the new Virtual network gateway deployment is complete without issues, click Go to resource.


Create Azure Local Network Gateway:
1. In Search resources, service, and docs (G+/), type virtual network gateway.
2. Select Local network gateway from the Services results.
3. Click Create local network gateway.
4. On the Create local network gateway page, specify the values for your local network gateway.
>> Name: Type OFFICECalgary.
>> IP address: Type OFFICE-Calgary WAN IP address (208.230.42.114).
>> Address Space: add 192.168.0.0/22 and 172.16.200.0/24 and 172.16.250.0/24.
>> Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
>> Subscription: Select Pay-As-You-Go.
>> Resource Group: Select AZ-DR01.
>> Location: Select Canada Central.
5. Click Create.

Create VPN connection:
1. On the Azure Services page, click the new create Virtual network gateway.
2. On the Virtual network gateway page, select Connections.
3. On the Connections page, click +Add.
4. On the Add connection page, configure the values for your connection.
>> Name: Type AZ-DR01-VNet1toOFFICECalgary
>> Connection type: Select Site-to-site(IPSec).
>> Virtual network gateway: The value is fixed because you are connecting from this gateway.
>> Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use.
>> Click the OFFICECalgary local network gateway.
>> Shared Key: Type Azure
>> IKE Protocol: Select IKEv2
>> Resource Group: Select AZ-DR01

5. Click OK.


Settings at Meraki site:


1. Sign-in to Cisco Meraki portal.
2. Select Security & SD-WAN, click Site-to-site VPN.
3. On the Site-to-site VPN field, select Hub.
4. On the VPN settings field, select the local networks that you want to connect to Azure and then select VPN on.
5. On the Organization-wide settings page, click add a peer in the Non-Meraki VPN peers.
6. On the Non-Meraki VPN peers, configure details settings.
>> Name: Type ToAzure
>> IKE Version: Select IKEv2
>> IPsec Policies: Click Default and then change Default to Azure
>> Click Update.
>> Public IP: Type Azure Virtual Network Gateway Public IP address (53.139.26.221)
>> Private subnets: Type 10.15.0.0/16
>> Preshared secret: Type Azure.
>> Availability: select All Networks.


7. Click Save Changes.


Verify the VPN connection:

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection.

1. In the Azure portal menu, select All resources or search for and select All resources from any page.
2. Select to the virtual network gateway.
3. On the blade for the virtual network gateway, click Connections. You can see the status of each connection.
In the Meraki portal, you can view the VPN status of a Meraki by navigating to the Non-Meraki peer.

1. Sign-in Meraki portal.
2. Select Security & SD-WAN, click VPN Status.
3. Click Non-Meraki peer.
4. Make sure the Status light show green.




CONFIGURING MERAKI TO AWS SITE-TO-SITE-VPN TUNNELS

Create a VPC:

1. After logging into AWS go to the 'Services' area (top bar) and select the 'VPC' service. This will bring you to a status page about the Networking configured for your AWS environment. Select 'Your VPCs' on the left-hand side.
2. Select the 'Create VPC' button. This will allow you to create a Virtual Private Cloud where accessible resources on AWS will live. Enter a name and a CIDR block.
3. You'll be taken back to the 'Your VPCs' page where there will be a new element based on what you just created.

Allocate a subnet:
1. On the left-hand side of the VPC Service screen there is a menu bar. Under the 'Virtual Private Cloud' header there is an option for 'Subnets'. Select the 'Subnets' option.
2. On the configuration screen select the 'Create subnet' button.
3. On the following 'Create subnet' screen, provide a descriptive name, select the VPC we just made, and provide a subset of the total space allocated for the VPC.
4. You'll be brought back to the Subnets configuration screen when this is complete.

Configure the VPN connection on AWS's side:
1. On the left-hand bar within the VPC service screen there is a heading entitled VPN Connection. Within this area select the 'Customer Gateways' option.
2. Assign the Customer Gateway a name, keep the Routing as Dynamic and in IP address slot place the IP address of your Meraki device. Select 'Create Customer Gateway' when ready.
3. To find your Meraki devices IP address open the Meraki dashboard and select 'Security appliance' ->'Appliance Status'. In this photo the number hidden with the blue box is the public IP of the Meraki device.
4. On the left-hand bar within the Customer Gateways service screen there is a heading entitled VPN Connections. Within this area select the 'Virtual Private Gateway' option.
5. Select the button entitled 'Create Virtual Private Gateway'.
6. In the configuration screen choose a name and leave the ASN as 'Amazon default ASN' (unless you have specific a BGP configuration). Select the 'Create Virtual Private Gateway' button. When complete you should be moved back to the Virtual Private Gateway Configuration Screen with a new element list.
7. Select the checkbox next to the new element and find the 'Action' button at the top. Click it and select 'Attach to VPC'.
8. You'll be brought to a new screen. Select the VPC you created. Then select the 'Yes, Attach' button. You'll be taken back to the Virtual Private Gateway configuration screen.
9 On the left-hand bar within the Virtual Private Gateway service screen there is a heading entitled VPN Connection. Within this area select the 'VPN Connections' option.
10 Select the button entitled 'Create VPN Connection'.
11 In the Create VPN Connection window select a Name, the VPN Gateway we just created from the list, the existing customer gateway ID of the Virtual Private Gateway we just configured, and specify 'static' as the routing option. For Static IP Prefixes put the internal subnet used by your Meraki Device. Leave the rest blank and when finished select the 'Create VPN Connection' button. You can find this subnet on the Meraki Dashboard under 'Security Appliance' -> 'Addresses & VLANs' in the 'Routing' section.
12 Once this is created it will be in a 'pending' state for a bit while Amazon allocates it. After a few minutes it should switch to an 'available' state. Once it reaches that state, select the checkbox next to the newly created resource and select the 'Download Configuration' button. Save this file for the next step.
13 On the left-hand bar within the VPN Connections service screen there is a heading entitled 'Virtual Private Cloud'. Within this area select the 'Route' Tables option. Select the checkbox next to the route table associated with the VPC you've created.
14 On the lower pane a configuration menu will appear. Select the 'Route Propagation' tab and select the 'Edit' button. Then check the 'Propagate' checkbox next to the Virtual Private Gateway listed.


Configure the VPN connection on Meraki's side:
1 In your Meraki Dashboard navigate to site-to-site VPN options under Security appliance->Site-to-site VPN.
2 Under type, select Hub (Mesh).
3 Under the VPN settings sub header find the networks that you'd like to enable the site-to-site routing for and select 'yes' under the 'Use VPN' column.
4 Leave NAT traversal as automatic.
5 Leave OSPF advertisements disabled.
6 Under the Organization-wide settings sub header find 'Non-Meraki VPN peers'. Select the 'Add a peer' link.
7 Fill out the new peer link information based on the downloaded file.
First give the connection a descriptive name.
Then, using the information from the downloaded file, find the 'Outside IP Address' of the 'Virtual Private Gateway'. Place this value in the Public IP field.
For private subnets put the subnet address you allocated back in step 2.
Under IPsec policies, click 'default'. This will open a new configuration menu. At the top select from the 'Choose a Preset' dropdown -'AWS'. Hit Update when this is complete.
Find the Pre-Shared Key row within the downloaded file and copy the pre-Shared key into the Meraki configuration area.

8 Save your Changes.
E. Note: while making a request to a host on the other side of the Site-to-Site VPN, it will take a few attempts for the request to complete while the tunnel is initialized. The more traffic sent across the tunnel the less likely this lag is to occur as the tunnel will stay up. This often leads to people writing quick ping scripts that send a ping every couple second to keep the tunnel up.


Configuring Meraki To GCP Site-To-Site VPN

Meraki Dashboard Configuration:
1 Add license(s) to the Meraki dashboard:
To complete the vMX Meraki dashboard configuration, a vMX license must be available for use in your organization.

If your organization has already reached its vMX license limit, you will be unable to create new vMX networks until a vMX network is deleted or additional vMX licensing added.

If you do not have access to a vMX license or require additional vMX licenses, please reach out to your Meraki reseller or sales representative.

2 Create a 'Security Appliance' Network Type.

3 Assign vMX type to network
Once you have created the 'Security appliance' network and added the appropriate license you will be able to deploy a new vMX to your network by clicking on the 'Add vMX' button.
4 Generate the authentication token
After you add the new vMX to your network, navigate to Security Appliance > Appliance status and select 'Generate authentication token' to generate the token for the GCP vMX Authentication Token field.
5 Copy the newly generated token and save it.
The newly generated token will be used in the "New Cisco Meraki vMX deployment" configuration section when creating a new instance.


Google Cloud Setup:
1 You must have the following before you begin:
2 Google Cloud VPC network.


Deploying the vMX:

1 Access the Cisco Meraki vMX offer by clicking here or search for "Meraki" in the GCP marketplace to find the vMX solution.
2 Click Launch on the vMX offer landing page.
3 Enter a Deployment Name for the instance.
4 Choose the desired Zone.
5 Select the c2-standard-4 vMX instance size. This is the only instance size currently offered for vMX on GCP.
6 Paste the vMX Authentication token you copied from the Meraki dashboard in the steps earlier to the vMX Authentication Token field.
7 The Boot Disk options can remain as-is.
8 Under the Network section select the desired Network, Subnetwork and External IP for this instance. The External IP field can be left as Ephemeral (if you would like to let GCP assign a public IP to the vMX itself) or set to None (if you would like to have a private IP on the vMX and have it egress through an upstream device like a firewall or Google Cloud NAT instance). You do not need to add more network interfaces to the VM as it is a single interface appliance.
9 Click Deploy.

Additional VPC Configuration:
The virtual MX appliance will allow for site-to-site VPN connectivity using Auto VPN between GCP and other remote MXs. In order to have proper bidirectional communication between remote subnets that are terminating into GCP via the vMX and hosts within GCP, the VPC routing table must be updated for the remote Auto VPN-connected subnets.

1 Navigate to VPC Networks > Routes from the GCP console and select Create Route.
2 Specify a Name and Description for the route.
3 Select the Network that your vMX is deployed in.
4 In the Destination IP range, add the routes available via Auto VPN.
5 Select the Specify an instance option for the next hop and select the vMX instance as the Next hop instance.


Firmware Version:
In order for the vMX to function on GCP it must be running 16.8+ firmware.

Token Validity:
1 Navigate to Compute Engine > VM Instances, click on the vMX in question and click on Stop to turn it off.
2 Click Edit.
3 Scroll down to the Custom Metadata section and update the value in the token field.
4 Click Save and then click Start to power the vMX back up.


Confirming Cloud Reachability:
By default, HTTP traffic inbound to the vMX is disabled for security purposes. You can enable inbound HTTP traffic to the vMX (for accessing the local status page) by performing the following:

1 Navigate to Compute Engine > VM Instances, click on the vMX in question and click Edit (you do not need to turn off the instance for this change).
2 Scroll down to the Firewalls section and select the box next to Allow HTTP traffic.
3 Click Save.
4 On the VM instance details page copy the External IP that was assigned to the instance.
5 On the local status page you can find the health status of the vMX and whether it is successfully able to connect to the Meraki cloud or not.


No "Add vMX" Button:
When navigating to Security & SD-WAN > Appliance Status, if there is no "Add vMX" button, please ensure the following two conditions are met:

1 You have available vMX licenses in your license pool.
2 You have created a 'Security appliance' network type.


Key Concepts:
1 Concentrator Mode:
All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes.

2 One-Armed Concentrator:
In this mode, the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the only supported configuration for MX appliances serving as VPN termination points into Google Cloud.
3 NAT Mode Concentrator:
In this mode the MX is configured with a single Ethernet connection to the upstream network and one Ethernet connection to the downstream network. VPN traffic is received and sent on the WAN interfaces connecting the MX to the upstream network and the decrypted, unencapsulated traffic is sent and received on the LAN interface that connects the MX to the downstream network.

VPN Topology:
1 Split Tunnel:
In this configuration, branches will only send traffic across the VPN if it is destined for a specific subnet that is being advertised by another MX in the same Dashboard organization. The remaining traffic will be checked against other available routes, such as static LAN routes and third-party VPN routes, and if not matched will be NATed and sent out the branch MX unencrypted.
2 Full Tunnel:
In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.

Sophos XG Firewall v18 to Azure VPN Gateway IPSEC Connection

1. Create Azure Local Network Gateway:

a. Go to the Azure Portal: https://portal.azure.com and sign in with your credentials.
b. Click on "Create a resource".
c. In the search box, type "Local Network Gateway".
d. Select "Local Network Gateway" and click on "Create".
e. In the "Create local network gateway" blade, configure the following and then click on "Create":

> Name You can give this any preferred name.

> Endpoint: IP address

> IP address: Specify the public IP address of your Sophos XG firewall.

> Address space: Specify the address ranges for the network that your On-Prem local network represents.

> Subscription: Verify that the correct subscription is selected for the deployment.

> Resource Group: Select the resource group that you want to use. You can either create a new resource group or select an existing one.


2. Create a Gateway Subnet:

a. In the Azure Portal: https://portal.azure.com, click on 'More Services'.
b. In the search box, type 'Virtual Networks' and select the 'Virtual Networks' option.
c. Click on the virtual network for which you want to create a virtual network gateway.
d. In the 'Virtual networks' blade, under 'Settings' click on 'Subnets'.
e. In the 'Subnets' blade, click on '+ Gateway subnet" to add a new Gateway subnet.
f. In the 'Add Subnet' blade, configure the CIDR range of the new Gateway subnet and click 'Save'.

Create the VPN Gateway:

1. In the Azure Portal: https://portal.azure.com, click on 'Create a resource'.
2.In the search box, type 'Virtual network gateway'.
3. Select 'Virtual network gateway' and click on 'Create'.
4. In the 'Create virtual network gateway' blade, configure the following:

i. Subscription: Verify that the correct subscription is selected for the deployment.
ii. Instance details:
> Name: This will be the name of the gateway object you are creating.
> Region: Select the same location as your virtual network (Otherwise the virtual network will not be displayed on the list).
> Gateway type: VPN
> VPN type: Route-based (this is a MUST to be able to use IKEv2).
> SKU: Select the gateway SKU from the dropdown. For more information about gateway SKUs, see Gateway SKUs.
> Generation: Generation 1
> Virtual network: Choose the virtual network to which you want to add this gateway.
iii. Public IP address:
> Public IP address: Create New
> Public IP address Name: Enter a Name for the public IP address resource.
> Leave other settings as default.
> Click on 'Review + Create'
> Click on 'Create'
> Creating a gateway can take up to 45 minutes!

e. After the VPN gateway creation has completed successfully, obtain it's public IP address (this will be needed in step 5).

i. In the Azure Portal, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.
ii. Click on the VPN Gateway that you just created.
iii. In the 'VPN Gateway' blade, in the 'Overview' section, make a note of the public IP address of the gateway.
iv. This will be used in step 5.


4 Create the VPN connection (Azure):

a. In the Azure Portal: https://portal.azure.com, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.
b. Select the VPN gateway that you created earlier.
c. In the 'VPN Gateway' blade, in the 'Setting'" section, click on 'Connections', then click on '+ Add'.
d. In the 'Add connection' blade, configure the following:

i. Name: Sophos_Xg_OnPrem_To_Azure (Input your preferred name)
ii. Connection type: Site-to-site (IPSec)
iii. Virtual network gateway: The value is fixed because you are connecting from this gateway
iv. Local network gateway:
> Click 'Choose a local network gateway'
> In the 'Choose a local network gateway' blade, select the local network gateway that you created earlier.
v. Shared key (PSK): Input a complex shared key. The value here must match the value that we will use on our on-premises Sophos XG firewall.
vi. IKE Protocol: IKEv2
vii. The remaining values for Subscription, Resource Group, and Location are fixed.
viii. Click OK to create your connection. You'll see Creating Connection flash on the screen.


5 Download and extract needed information from the configuration file (Azure):

a. In the Azure Portal: https://portal.azure.com, click on 'More services' and search for 'Virtual network gateways'. Then click on 'Virtual network gateways'.
b. Select the VPN gateway that you created earlier.
c. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections", then select the connection that you created earlier.
d. Click on the "Download configuration" button. This configuration file contains the needed information to configure the VPN connection on the XG Firewall.

e. In the 'Download configuration' blade, select the following:
i. Device vendor: Generic Samples
ii. Device family: Device Parameters
iii. Firmware version: 1.0
iv. Click on 'Download configuration'.

f. Open the downloaded file and make a note of the following:
i. Scroll down to the "Tunnel interface (VTI) configuration" section.
ii. Make a note of the interface tunnel IP address and subnet mask
iii. Also, make a note of the MSS value.
iv. Both values will be needed for the configuration of the "xfrm tunnel interface" on the Sophos XG.


6 Create the VPN connection (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Configure", click on "VPN" -> "IPSEC Connections" -> "Add".
c. Configure the following settings:

i. General Settings:

> Name: Input any preferred name.
> Connection type: Tunnel interface
> IP version: Dual
> Gateway type: Initiate
> Activate on save: Selected
> Description: Add a description for the connection.

ii. Encryption:
> Policy: Microsoft Azure
> Authentication Type: Pre-shared key
> Pre-shared key: Enter the same pre-shared key that you entered when creating the VPN connection on Azure.
> Repeat pre-shared key: Confirm the above pre-shared key.

iii. Gateway settings:

> Listening interface: Select the WAN interface of the Sophos XG Firewall.
> Gateway address: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
> Local ID: IP Address
> Remote ID: IP Address
> Local ID: Enter the public IP of the OnPrem Sophos XG firewall.
> Remote ID: Input the public IP of the Azure VPN gateway that you noted in Step 3 (5).
> There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".
iv. Advanced:
> Leave default settings.

v.Click "Save".

vi. Click "OK" when prompted about the "Pre-shared key".

vii.The connection should now be active. Click on the "red" button under Connection to enable the connection.


7 Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
b. Under "Protect", click on "Rules and policies" -> "Add firewall rule" -> "New firewall rule".
c. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
i. Rule status: None
ii. Rule name: azure_to_onprem
iii. Action: Accept
iv. Rule position: Top
v. Rule group: None
vi. Log firewall traffic: Selected
vii. Source
> Source zones: LAN and VPN
> Source networks and devices: Any
> During scheduled time: Leave default setting

viii. Destination & services
> Destination zones: LAN and VPN
> Destination networks: Any
> Services: Any

ix. Leave other settings as default.
> You can configure the security checks of the XG for the traffic if you want to.

x. Click on "Save".


8 Configure the xfrm tunnel interface (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
b. Under "Configure", click on "Network" -> under "Interfaces", click on the xfrm interface.
c. In the "Network" configuration window, configure the following:
i. IPv4/netmask: Enter the IP address and select the subnet mask that you made a note of in Step 5 (6).
ii. Expand "Advanced settings".
> Select "Override MSS" and enter the MSS value that you made a note of in Step 5 (6).
iii. Click on "Save".
iv. In the "Update interface" prompt, click "Update interface".


9 Configure static routing to the Azure network (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG Firewall.
b. Under "Configure", click on "Routing" -> under "Static Routing", click on "Add".
c. In the "Add unicast route" window, configure the following:
i. Destination IP/Netmask: Enter the network IP and subnet mask of your Azure virtual network.
ii. Gateway: You can either leave this empty
iii. OR enter the second IP address in the network that you made a note of in Step 5 (6).
iv. Interface: Select the XG's xfrm tunnel interface.
v. Distance: Leave default setting.
vi. Click on "Save"


10 Verify the VPN connection:

a. Do a connectivity test from an on-premise instance to an Azure VM.
b. Do a connectivity test from an Azure VM to an on-premise instance.
c. In the Azure Portal: https://portal.azure.com, go to "Virtual network gateways" and select the virtual network that you connected to.
d. In the "VPN Gateway" blade, in the "Settings" section, click on "Connections".
e. In the "VPN Gateway - Connections" blade, ensure that the status of the connection is "Connected"
f. Click on the connection and ensure that you're seeing data flow.
i. If you see 0B doesn't mean that the connection is not working, it just means that there's no data flow detected on the Azure side.

Create AWS Customer Gateway:

a. Go to the AWS Portal: https://aws.amazon.com/console/ and sign in with your credentials.
b. Under 'Services', click on 'VPC'.
c. Filter your VPC, for the ease of navigation.
d. On the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
> Click on 'Customer Gateways'.
e. In the "Create customer gateway" blade, configure the following:
i. Name: Specify any descriptive name.
ii. Routing: Specify the mode of routing to be used. In our scenario, Select Static.
iii. IP Address: Specify the public IP address of your Sophos XG firewall.
iv. Certificate ARN(optional): In our scenario, no Certificate is selected.
v. Device(optional): In our scenario, no Device is selected.

f. Click on Create Customer Gateway.

2 Create a Virtual Private Gateway (Attaching the VGW with your VPC):

a. Select the virtual network for which you want to create a virtual network gateway.
b. In the left navigation pane, scroll down to VIRTUAL PRIVATE NETWORK (VPN).
c. Click on 'Virtual Private Gateways'.
d. In the "Create Virtual Private Gateway" blade, configure the following:
i. Name tag: Specify a descriptive Name
ii. ASN: Select the applicable option. In our scenario, select Amazon default ASN

e. Click on Create Virtual Private Gateway.
f. Attach Virtual Private Gateway (VGW) to the VPC.
i. Select the newly created VGW.
ii. Click on Actions and select Attach to VPC.


3 Create the Site-to-Site VPN connection (AWS):

a. In the left navigation pane, scroll down to Site-to-Site VPN Connections.
b. Click on 'Create VPN Connection'.
c. In the "Create VPN Connection" blade, configure the following:
i. Name Tag
ii. Target Gateway Type
iii. Virtual Private Gateway
iv. Customer Gateway
v. Customer Gateway ID
vi. Routing Options
vii. Static IP Prefixes
viii. Local IPv4 Network = XG LAN resources
ix.Remote IPv4 Network = AWS side resources

d.Click on 'Create VPN Connection' to create the AWS VPN.



4 Download and extract needed information from the configuration file (AWS):

a. Select the newly created VPN connection and click on Download Configuration.
b. In the "Download configuration" blade, select the following:
i. Vendor: Generic
ii. Platform: Generic
iii. Software: Vendor Agnostic
iv. Click on "Download"



5
Create a route in the route table associated with your VPC:

a. In the left navigation pane:
i. Filter by VPC: Select your VPC.

b. Navigate to VIRTUAL PRIVATE CLOUD > Route Tables.
c. Select the associated Route Table.
d. In the bottom navigation:
i. Select the Routes tab.
ii. Click on Edit routes.

e. Click on Add route and configure the following:
i. Destination: Private IP address range behind XG firewall. Typically, the remote private IP address is the LAN interface network on the on-prem Sophos XG firewall.
ii. Target: Select the Virtual gateway created in Step 2.
iii. Click on Save routes.


6 Create the VPN Policy (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Create a new policy in Sophos XG matching the parameters specified in the document downloaded in the previous step.
c. Navigate to CONFIGURE>VPN.
d. Click on the "..." to expand the menu, and select IPsec policies.
e. In the IPSec policies blade, configure the following:
i. Name: Specify a descriptive name
ii. Key exchange: Select IKEv1
iii. Authentication mode: Select Main mode

f. Scroll down to configure the parameters for Phase 1. These should match the downloaded configuration obtained in Step 4(2).
g. In our scenario, configure the following Phase 1 parameters on Sophos XG:
i. Key life: 28800
ii. DH group (key group): 2[DH1024]
iii. Encryption: AES128
iv. Authentication: SHA1

h. Scroll down to configure the parameters for Phase 2. These should match the downloaded configuration obtained in Step 4(2).
i. In our scenario, configure the following Phase 2 parameters on Sophos XG:
i. Key life: 3600
ii. DH group (key group): Same as phase-I
iii. Encryption: AES128
iv. Authentication: SHA1

j. Scroll down to configure the parameters for Dead Peer Detection.
i. Enable Dead peer Detection checkmark.
ii. Click Save.


7 Create the VPN Connection (Sophos XG Firewall):

a. Under "Configure", click on "VPN" -> "IPSEC Connections" -> "Add".
b. Configure the following settings:
c. General Settings
i. Name: Input any preferred name
ii. Connection Type: Tunnel interface
iii. IP Version: Dual
iv. Gateway Type: Initiate the Connection
v. Activate on Save: Selected
vi. Description: Add a description for the connection

d. Encryption
i. Policy: Select the policy created in Step 6
ii. Authentication Type: Preshared Key
iii. Preshared Key: Enter the preshared key as available from the downloaded configuration obtained in Step 4(2).
iv. Repeat Preshared Key: Confirm the above-preshared key

e. Gateway Settings
i. Listening Interface: Select the WAN interface of the Sophos XG firewall
ii. Gateway Address: Input the public IP of the AWS VPN gateway. The AWS public IP /Virtual Private Gateway is available from the downloaded configuration obtained in Step 4(2).
iii. Local ID: IP Address
iv. Remote ID: IP Address
v. Local ID: Enter the public IP of the OnPrem Sophos XG firewall
vi. Remote ID: Input the public IP of the AWS VPN gateway. The AWS public IP /Virtual Private Gateway is available from the downloaded configuration obtained in Step 4(2).
vii. There is no option to configure the "Local Subnet" and "Remote Subnet". They will both be set to "0.0.0.0/0".

f. Advanced
i. Leave default settings

g. Click "Save".
h. Click "OK" when prompted about the "Preshared key".
i. The connection should now be active and in a connected state.


8 Create firewall rules to allow inbound and outbound traffic through the VPN (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Protect", click on "Rules and Policies" -> "Add Firewall Rule" -> "New Firewall Rule".
c. In the "Add Firewall Rule" window, configure the incoming firewall rule as follows:
i. Rule status: ON
ii. Rule Name:XGS_to_AWS
iii. Action: Accept
iv. Rule Position: Top
v. Rule group: Automatic or select your VPN group
vi. Log firewall traffic: Selected

d. Source and destination
i. Source Zones: LAN
ii. Source Networks and Devices: IP or Network of the device(s) that will be reaching AWS
iii. Destination Zones: VPN
iv. Destination Networks: IP or Network of the device(s) in AWS
v. During Scheduled Time: Leave the default setting

e. Leave other settings as default.
i. You can configure the security checks of the XG for the traffic if you want to.

f. Click on "Save".
g. Create a Second Firewall Rule in case Traffic is initiated by the AWS side

i. Rule status: ON
ii. Rule Name: AWS_TO_XGS
iii. Action: Accept
iv. Rule Position: Top
v. Rule group: Automatic or select your VPN group
vi. Log firewall traffic: Selected

h. Source
i. Source Zones: VPN
ii. Source Networks and Devices: IP or Network of the device(s) that will be reaching XGS
iii. Destination Zones: LAN
iv. Destination Networks: IP or Network of the device(s) behind the XGS
v. During Scheduled Time: Leave the default setting

i. Leave other settings as default.
i. You can configure the security checks of the XG for the traffic if you want to.

j. Click on "Save".

9 Configure the xfrm tunnel interface (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Configure", Click on "Network" -> Under "Interfaces", click on the xfrm interface.
c. In the "Network" configuration window, configure the following:
i. IPv4/netmask: Enter the IP address. The IP address can be found under Inside IP Addresses >Customer Gateway, as obtained from the configuration file downloaded in Step 4(2).

d. Expand "Advanced Settings"
i Select "Override MSS" and enter the MSS value as obtained from the configuration file downloaded in Step 4(2).

e. Click on "Save".
f. In the "Update interface" prompt, click "Update interface".



10 Configure static routing to the AWS network (Sophos XG Firewall):

a. Log into the WebAdmin of your On-Premises Sophos XG firewall.
b. Under "Configure", click on "Routing" -> Under "Static Routing", click on "Add".
c. In the "Add unicast route" window, configure the following:
i. Destination IP/Netmask: Enter the network IP and subnet mask of your AWS virtual network
ii. Gateway: To be left empty
iii. Interface: Select the XG's xfrm tunnel interface
iv. Distance: Leave default setting
v. Click on "Save"


11
Verify the VPN connection:
a. In the AWS Portal: https://console.aws.amazon.com/, go to "Virtual Private Network(VPN") and select Site-to-Site VPN Connections.
b. In the "VPN Connection" blade, ensure that the status of the Tunnel is "UP".
c. Check the EC2 Security Groups are allowing RDP
d. Download the Remote Desktop file for your EC2 instance from AWS
e. Perform a connectivity test from an on-premise instance to an AWS VM