Need help setting up VPN between Sophos UTM firewall and AWS VPC


Hello all,

I'm trying to set up a VPN connection between our Sophos UTM firewall and an AWS VPC, but I'm running into some issues. Our on-premises network has two subnets (1.1.1.1/24 and 2.2.2.2/24) that need to be connected to the AWS VPC, but I'm not sure how to configure the VPN connection properly.

I've followed this document https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html to set up the VPN connection on the AWS side.

Also, I've followed the steps in the Sophos UTM documentation to create the VPN connection, but when I try to establish the connection, it fails and I can only reach the AWS VPC from one of our subnets (either 1.1.1.1/24 or 2.2.2.2/24). I've checked the firewall rules and routing configuration on our Sophos UTM firewall, but I'm not sure what I'm missing.

The following VPN tunnel configurations have been tested on the Sophos UTM side:

  1. Tunnel1: Source: 1.1.1.1/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 – WORKING

  2. Tunnel1: Source: 2.2.2.2/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 – WORKING

  3. Tunnel1: Source: 1.1.1.1/24 and 2.2.2.2/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 - Connection failed, only reachable from one source subnet, sometimes 1.1.1.1/24, sometimes 2.2.2.2/24 - NOT WORKING

  4. Tunnel1: Source: 1.1.1.1/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16
     Tunnel2: Source: 2.2.2.2/24 – GW 4.4.4.4 (on AWS side) – Destination Subnet 5.5.5.5/16
     After enabling the second tunnel, connection lost - NOT WORKING

Can anyone provide some guidance on how to set up the VPN connection between Sophos UTM and AWS VPC with multiple subnets? Do I need to create multiple VPN connections, one for each subnet? What configuration changes do I need to make on the Sophos and AWS side?

Any help would be greatly appreciated. Thanks in advance!

1 Answer

Accepted Answer

when I try to establish the connection, it fails and I can only reach the AWS VPC from one of our subnets (either 1.1.1.1/24 or 2.2.2.2/24).

This is likely because you are using a policy-based VPN. See the note below from the VPN FAQ:


Q: How many IPsec security associations can be established concurrently per tunnel?

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.


See this Knowledge Center article on this topic (see the resolution section): https://repost.aws/knowledge-center/vpn-connection-instability

AWS
EXPERT
answered a year ago
  • Thanks for the reply. We tested this scenario today, but it was not successful.

    As you suggested, on UTM Sophos firewall the following tunnel has been created.

    Tunnel1: Source: 0.0.0.0/0 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 - Connection failed - NOT WORKING
    The tunnel is not up.

    The second scenario that we tested was adding one more Customer Gateway and creating a second VPN connection (Multiple Site-to-Site VPN connections -> https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html). This test was not successful either, because we used just a different interface of the Sophos firewall as the second Customer Gateway.

    Do you have any suggestion on how to solve this issue and establish the VPN connection between AWS and on-premises?

    Thanks in advance.
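The accepted answer's point about policy-based VPNs is easy to check mechanically before touching the firewall: every (local subnet, remote subnet) pair in a policy-based tunnel becomes its own IPsec SA, and AWS accepts only one SA per tunnel. The script below is an added example (not from the answerer, Sophos, or AWS documentation); it uses the placeholder subnets from the question, and the helper names are my own. It counts the SAs a proposed policy would negotiate, flags the one-SA limit, and computes the smallest single prefix that would cover both local subnets, since a single selector (or a route-based 0.0.0.0/0 tunnel with routing deciding which traffic enters it) is what the service expects.

```python
"""Check a proposed IPsec policy against AWS Site-to-Site VPN's single-SA-per-tunnel
constraint for policy-based peers.

Added example, not from the re:Post answer or from Sophos/AWS documentation.
Subnet values are the placeholders used in the question; helper names are assumptions.
"""
import ipaddress
from itertools import product

# Constraint quoted in the answer from the AWS VPN FAQ: a policy-based peer must
# limit itself to a single security association per tunnel.
AWS_MAX_SAS_PER_TUNNEL = 1


def parse_net(text):
    # strict=False accepts host-style notation such as "1.1.1.1/24" (as written in the
    # question) and normalises it to the network address (1.1.1.0/24).
    return ipaddress.ip_network(text, strict=False)


def policy_based_sas(local_subnets, remote_subnets):
    """Return the traffic-selector pairs a policy-based peer would negotiate.

    Each (local, remote) pair becomes its own IPsec SA, which is why two local
    subnets against one remote subnet produce two SAs: the situation in test 3.
    """
    locals_ = [parse_net(s) for s in local_subnets]
    remotes = [parse_net(s) for s in remote_subnets]
    return [(l, r) for l, r in product(locals_, remotes)]


def exceeds_aws_limit(local_subnets, remote_subnets, max_sas=AWS_MAX_SAS_PER_TUNNEL):
    """True when the policy would need more SAs than AWS allows per tunnel."""
    return len(policy_based_sas(local_subnets, remote_subnets)) > max_sas


def summarize(local_subnets):
    """Smallest single prefix that covers every local subnet (one selector).

    Returns (supernet, exact). exact is False when the supernet also covers
    address space that is not in the input; a route-based tunnel tolerates that
    because routing, not the selector, decides what enters the tunnel.
    """
    nets = [parse_net(s) for s in local_subnets]
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()  # widen by one bit until everything fits
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return supernet, covered == supernet.num_addresses


if __name__ == "__main__":
    local = ["1.1.1.1/24", "2.2.2.2/24"]   # placeholders from the question
    remote = ["5.5.5.5/16"]
    for l, r in policy_based_sas(local, remote):
        print(f"SA: {l} <-> {r}")
    print("exceeds AWS one-SA limit:", exceeds_aws_limit(local, remote))
    supernet, exact = summarize(local)
    print(f"single selector covering both: {supernet} (exact={exact})")
```

With the question's placeholders the policy yields two SAs, which is over the limit, and the only single prefix covering 1.1.1.0/24 and 2.2.2.0/24 is 0.0.0.0/6, which is far wider than the two subnets; that is the practical reason the answer points toward a route-based configuration rather than a tighter policy.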
