Hi, I am trying to ping from the Sophos LAN router block of 192.168.11.0/24 to 172.16.1.0/24, to the 172.16.1.253 machine of the servers in an AWS EC2 instance. IPsec is showing up, but the tunnel on the AWS side is showing down. The Sophos firewall sits behind the ISP router and not on the edge, meaning it doesn't have a publicly routable IP and instead has 192.168.1.20 as its WAN-side IP address, with the gateway pointing to 192.168.1.1, which is my ISP Optimum router. The Optimum router has a public IP address of 68.2.x.x.
I am trying to run BGP across the tunnel. The IP address of the Virtual Private Gateway in AWS is 169.254.218.197; the customer router IP address (of the Sophos router) is 169.254.218.198.
I also have another tunnel as well; I have 2 tunnels from the Sophos router with the following IP addresses. Inside IP addresses - Customer Gateway: 169.254.29.254/30 and Virtual Private Gateway: 169.254.29.253/30.
Unfortunately I can't ping any of the IP addresses on either xfrm1 or xfrm2 from the firewall through the console. I get no response. On the Sophos side it looks like the IPsec tunnel is up and showing green, but on the AWS side it's showing up for IPsec but down for the tunnel.
Any ideas how to get that Amazon tunnel up? Are there any ACLs I need to add? I already updated the inbound security group on the AWS side with the source xfrm1 and xfrm2 IP addresses on port 179. Do I need to allow some other ports? What rules do I need to allow on the actual XG firewall to make this work?
Somehow I imagine that I should at least be able to ping the tunnel interface IP.
For BGP, the routing table routes are stuck in Active. I don't think the firewall knows how to get to 169.254.29.253 and 169.254.218.197.
bgp# copy run start
Configuration saved..
bgp# show ip bgp summary
BGP router identifier 192.168.1.20, local AS number 65000
RIB entries 5, using 320 bytes of memory
Peers 2, using 4968 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.29.253 4 64512 0 0 0 0 0 never Active
169.254.218.197 4 64512 0 0 0 0 0 never Active
Total number of neighbors 2
This is what I have for the BGP config:
router bgp 65000
bgp router-id 192.168.1.20
network 192.168.11.0/24
redistribute connected
timers bgp 10 30
neighbor 169.254.29.253 remote-as 64512
neighbor 169.254.29.253 ebgp-multihop 15
neighbor 169.254.29.253 update-source 192.168.1.20
neighbor 169.254.218.197 remote-as 64512
neighbor 169.254.218.197 ebgp-multihop 15
neighbor 169.254.218.197 update-source 192.168.1.20
!
line vty
no login
Can't ping from the advanced shell:
XG135_XN03_SFOS 18.0.5 MR-5-Build586# ping 169.254.218.197
PING 169.254.218.197 (169.254.218.197): 56 data bytes
Same for 169.254.29.253.
route -n shows this:
XG135_XN03_SFOS 18.0.5 MR-5-Build586# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.255.0.0 0.0.0.0 255.255.255.0 U 0 0 0 GuestAP
169.254.218.196 0.0.0.0 255.255.255.252 U 0 0 0 xfrm1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 Port2
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
XG135_XN03_SFOS 18.0.5 MR-5-Build586#
Although 169.254.218.196 is showing, the other tunnel subnet, 169.254.29.252, is not showing... also I can't exactly ping either.
Also I am showing no transmit:
xfrm1 Link encap:UNSPEC HWaddr 7C-5A-1C-7D-8A-80-00-00-00-00-00-00-00-00-00-00
inet addr:169.254.218.198 Bcast:0.0.0.0 Mask:255.255.255.252
inet6 addr: fe80::e862:cd26:a32a:a089/64 Scope:Link
UP BROADCAST RUNNING NOARP MULTICAST MTU:1436 Metric:1
RX packets:5112 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:1769 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:306720 (299.5 KiB) TX bytes:0 (0.0 B)
And some packets are showing dropped... I see no TX bytes... as if somehow nothing enters this tunnel... no requests.
I have the dynamic option enabled on the Sophos VPN and on the LAN interface, and route propagation enabled on the AWS side.
What can cause TX bytes to be 0?
Do I need to do some type of NAT to make this work? What should the firewall rules look like for this specific use case?
Is it just from the LAN network 192.168.11.0/24 to the 172.16.1.0/24 LAN, and vice versa? Why is the VPN tunnel not showing as up/up on the AWS side?
Any ideas why I can't ping VPN gateway IPs such as this one, 169.254.29.253, and this one, 169.254.218.197?
Any help would be greatly appreciated. Thanks in advance.
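The three pieces of output in the post (the BGP neighbor configuration, the `route -n` table and the `show ip bgp summary` table) can be cross-checked mechanically. The script below is an added example for readers of this thread, not something the poster ran and not Sophos or AWS tooling. It parses constructed samples modelled on the post's output and flags three things a reviewer would look at first: a BGP peer whose /30 has no connected xfrm route (the tunnel interface is not up or not addressed), a peer whose `update-source` address lies outside that /30 (for an AWS Site-to-Site VPN with BGP, the session is expected to be sourced from the inside tunnel address, not the WAN address), and any neighbor whose state is still Active (the TCP session to port 179 never completed). The sample text, the regexes and the function names are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the output quoted in the post above.
# They are illustrative copies, not captures from any real device.
BGP_CONFIG = """\
router bgp 65000
 bgp router-id 192.168.1.20
 network 192.168.11.0/24
 neighbor 169.254.29.253 remote-as 64512
 neighbor 169.254.29.253 ebgp-multihop 15
 neighbor 169.254.29.253 update-source 192.168.1.20
 neighbor 169.254.218.197 remote-as 64512
 neighbor 169.254.218.197 ebgp-multihop 15
 neighbor 169.254.218.197 update-source 192.168.1.20
"""

ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.255.0.0      0.0.0.0         255.255.255.0   U     0      0        0 GuestAP
169.254.218.196 0.0.0.0         255.255.255.252 U     0      0        0 xfrm1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 Port2
192.168.11.0    0.0.0.0         255.255.255.0   U     0      0        0 br0
"""

BGP_SUMMARY = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.29.253  4 64512       0       0        0    0    0 never    Active
169.254.218.197 4 64512       0       0        0    0    0 never    Active
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def parse_routes(text):
    """Return [(network, iface)] from `route -n` style output."""
    routes = []
    pattern = re.compile(rf"^({IPV4})\s+\S+\s+({IPV4})\s+\S+\s+\d+\s+\d+\s+\d+\s+(\S+)")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            # ipaddress accepts the dotted netmask form, e.g. 169.254.218.196/255.255.255.252
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((net, m.group(3)))
    return routes


def parse_neighbors(text):
    """Map neighbor address -> {'remote-as': ..., 'update-source': ...} from a FRR/Quagga-style config."""
    nbrs = {}
    pattern = re.compile(r"^\s*neighbor\s+(\S+)\s+(remote-as|update-source)\s+(\S+)")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            nbrs.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return nbrs


def parse_summary_states(text):
    """Map neighbor address -> State/PfxRcd column of `show ip bgp summary`."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 10 and re.fullmatch(IPV4, parts[0]):
            states[parts[0]] = parts[-1]
    return states


def check_peering(config, routes_text, summary_text):
    """Return a list of (neighbor, finding) pairs; an empty list means nothing was flagged."""
    routes = parse_routes(routes_text)
    states = parse_summary_states(summary_text)
    findings = []
    for peer, attrs in parse_neighbors(config).items():
        peer_ip = ipaddress.ip_address(peer)
        if states.get(peer) == "Active":
            findings.append((peer, "session stuck in Active: TCP to port 179 never established"))
        # The peer's inside /30 should appear as a connected route on an xfrm interface.
        tunnel = next(((n, i) for n, i in routes if peer_ip in n and i.startswith("xfrm")), None)
        if tunnel is None:
            findings.append((peer, "no connected xfrm route covers this peer: tunnel interface down or unaddressed"))
            continue
        net, iface = tunnel
        src = attrs.get("update-source")
        if src is not None and ipaddress.ip_address(src) not in net:
            findings.append((peer, f"update-source {src} is outside {net} on {iface}: source the session from the tunnel inside address"))
    return findings


if __name__ == "__main__":
    for peer, finding in check_peering(BGP_CONFIG, ROUTE_TABLE, BGP_SUMMARY):
        print(f"{peer}: {finding}")
```

Run against the sample, the report lists both peers as Active, shows that 169.254.29.253 has no xfrm route at all (matching the missing 169.254.29.252/30 entry in the post), and shows that 169.254.218.197 is reachable via xfrm1 but the session is sourced from 192.168.1.20, which is not inside 169.254.218.196/30. Feed it real `show running-config`, `route -n` and `show ip bgp summary` output instead of the constructed strings to check a live box.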