Need help setting up VPN between Sophos UTM firewall and AWS VPC


Hello all,

I'm trying to set up a VPN connection between our Sophos UTM firewall and an AWS VPC, but I'm running into some issues. Our on-premises network has two subnets (1.1.1.1/24 and 2.2.2.2/24) that need to be connected to the AWS VPC, but I'm not sure how to configure the VPN connection properly.

I've followed this document https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html to setup VPN Connection on AWS side.

Also, I've followed the steps in the Sophos UTM documentation to create the VPN connection, but when I try to establish the connection, it fails and I can only reach the AWS VPC from one of our subnets (either 1.1.1.1/24 or 2.2.2.2/24). I've checked the firewall rules and routing configuration on our Sophos UTM firewall, but I'm not sure what I'm missing.

The following VPN tunnel configurations have been tested on the UTM Sophos side:

  1. Tunnel1: Source: 1.1.1.1/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 – WORKING

  2. Tunnel1: Source: 2.2.2.2/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 – WORKING

  3. Tunnel1: Source: 1.1.1.1/24 and 2.2.2.2/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 – Connection failed, only reachable from one source subnet, sometimes 1.1.1.1/24, sometimes 2.2.2.2/24 – NOT WORKING

  4. Tunnel1: Source: 1.1.1.1/24 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16
     Tunnel2: Source: 2.2.2.2/24 – GW 4.4.4.4 (on AWS side) – Destination Subnet 5.5.5.5/16
     After enabling the second tunnel, the connection was lost – NOT WORKING

Can anyone provide some guidance on how to set up the VPN connection between Sophos UTM and AWS VPC with multiple subnets? Do I need to create multiple VPN connections, one for each subnet? What configuration changes do I need to make on the Sophos and AWS side?

Any help would be greatly appreciated. Thanks in advance!

1 Answer

Accepted Answer

when I try to establish the connection, it fails and I can only reach the AWS VPC from one of our subnets (either 1.1.1.1/24 or 2.2.2.2/24).

This is likely because you are using a policy-based VPN. See the note below from the VPN FAQ:


Q: How many IPsec security associations can be established concurrently per tunnel?

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.


See this Knowledge Center article on this topic (see the resolution section): https://repost.aws/knowledge-center/vpn-connection-instability

answered a year ago by AWS EXPERT
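To make the FAQ's point concrete for the four configurations in the question, here is a small check (added here; it is not code from re:Post, AWS or Sophos) that enumerates the Phase 2 traffic selectors a policy-based peer would negotiate for a given set of local and remote subnets, flags anything beyond the single SA the answer says the AWS side accepts per tunnel, and computes the smallest single prefix that would collapse several local subnets into one selector. The "one SA per tunnel" limit is taken from the FAQ quoted above; the host-with-prefix notation (1.1.1.1/24) is copied from the question and normalized to the network address.

```python
from ipaddress import ip_network
from itertools import product

AWS_POLICY_BASED_SA_LIMIT = 1  # per tunnel, per the AWS VPN FAQ quoted in the answer


def policy_sa_pairs(local_subnets, remote_subnets):
    """Traffic selectors a policy-based IPsec peer negotiates: one Phase 2 SA
    per (local subnet, remote subnet) pair. Host/prefix strings such as
    '1.1.1.1/24' are normalized to their network (1.1.1.0/24)."""
    locals_ = [ip_network(s, strict=False) for s in local_subnets]
    remotes = [ip_network(s, strict=False) for s in remote_subnets]
    return list(product(locals_, remotes))


def fits_aws_policy_limit(local_subnets, remote_subnets):
    """True when the configuration needs no more SAs than AWS accepts from a
    policy-based peer. More pairs than that reproduces scenario 3: only one
    pair is installed at a time, so only one on-prem subnet gets through."""
    return len(policy_sa_pairs(local_subnets, remote_subnets)) <= AWS_POLICY_BASED_SA_LIMIT


def smallest_supernet(subnets):
    """Smallest single prefix covering every given subnet. Using it as the one
    local selector turns N local subnets into one SA; the trade-off is that the
    selector also claims every address between the subnets."""
    nets = [ip_network(s, strict=False) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


# The three single-tunnel scenarios from the question (constructed from its text).
SCENARIOS = {
    "1": (["1.1.1.1/24"], ["5.5.5.5/16"]),
    "2": (["2.2.2.2/24"], ["5.5.5.5/16"]),
    "3": (["1.1.1.1/24", "2.2.2.2/24"], ["5.5.5.5/16"]),
}

if __name__ == "__main__":
    for name, (local, remote) in SCENARIOS.items():
        pairs = policy_sa_pairs(local, remote)
        verdict = "ok" if fits_aws_policy_limit(local, remote) else "exceeds AWS SA limit"
        print(f"scenario {name}: {len(pairs)} SA(s) {pairs} -> {verdict}")
    print("single selector covering both local subnets:",
          smallest_supernet(SCENARIOS["3"][0]))
```

Scenario 3 yields two selector pairs, which is exactly the condition the FAQ warns about; the supernet helper shows why summarizing 1.1.1.0/24 and 2.2.2.0/24 into one selector is unattractive (it becomes 0.0.0.0/6), which is why a route-based (VTI) configuration is the usual fix rather than a wider policy.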
  • Thanks for the reply. We tested this scenario today, but it was not successful.

    As you suggested, the following tunnel has been created on the UTM Sophos firewall.

    Tunnel1: Source: 0.0.0.0/0 – GW 3.3.3.3 (on AWS side) – Destination Subnet 5.5.5.5/16 – Connection failed – NOT WORKING. The tunnel is not up.

    The second scenario we tested was adding one more Customer Gateway and creating a second VPN connection (Multiple Site-to-Site VPN connections: https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html). This test was not successful either, because we used just a different interface of the Sophos firewall as the second Customer Gateway.

    Do you have any suggestion on how to solve this issue and establish the VPN connection between AWS and on-premises?

    Thanks in advance.
