Sophos XG failover VPN to AWS VPC

Hi All,

I recently made a video on how to configure a failover VPN between a Sophos XG firewall and an Amazon AWS VPC. Here's the link to the video - https://www.youtube.com/watch?v=iwj8V8CeeUo

Please feel free to ask questions about this topic and I'll be happy to answer.



  • Hello DO,
       That is a great video; I've watched it many times. In my case, I'm trying to configure for UTMv9 using the VPN config file. I have the two tunnels in UP/Green status on both sides. I can ping the instance on my Test_VPC. I only have one VPC as a test; it runs a Linux AMI with IP address 10.16.2.83. I followed the AWS doc on how to configure PuTTY to load the key pair, and I use ec2-user@10.16.2.83 to connect to the console.

       I receive an error, "network error connection refused." I get the system logs for the instance but nothing there points to the problem exactly. My on-prem UTM has multiple internet interfaces grouped in uplink balancing. My Amazon VPC is configured on the topmost interface. Have you found the need to set a multipath rule so ssh traffic will force out a specific interface to touch the instance on amazon VPC?

       The Test_VPC is a private subnet. I cannot (do not want to) reach it from the internet. It is solely a private subnet with the hardware VPN access through my UTM's ipsec tunnel.

    Lot to consider but thanks, Patrick in Arizona

  • Hello, I can bring up the tunnel but I am not able to ping the EC2 machine on AWS. Do you have any suggestion?

    Great video, congrats.

    With Best Regards.

  •    'Twas a while back, memory's vague. I seem to remember we could ping and the green lights were on. But we could not ssh (puTTY) on port 22. We had to verify the security policy was the same on both ends; we concluded that from some error messages in the IPsec log. Truth be told, I tore down the AWS/EC2 account altogether and now drink Azure Kool-Aid. In here, Site-to-site VPN | IPsec | Connections -> Edit: Drop down "Policy:". So cancel that and click the "Policies" tab. This is where we created a new IPsec policy with specific settings. If an existing policy was the same, we copied it and gave it an identifiable label. If it helps, here's my Azure VPN settings:


       We found some hints about this using google-fu. In our case, the settings above fit with the Azure destination side. The connection started to work as advertised. It helped to watch the IPsec log when looking for clues though I cannot recall what messages we read. Of course, now it works without error (knock on wood). Hope this helps. PatrickAZ

  • Hello

    Thanks for the contact.

    After some adjustments, woking.

    With Best Regards

  • "woking?" like stir fry veggie noodles? Looks like you're typing with the same fat fingers I do.

    Glad to hear you're oof & running.

  • Hi, how do I route to AWS when I have RED devices, several LANs, etc.?

    AWS told me that configuring them at the tunnel is not a good idea and that I should use a routing policy.

    Any idea?

    regards

  •    I don't see why not. A RED device is, in general, a secure bridge or stretched LAN extension (with a VPN). That is similar to an IPsec tunnel that connects to the VPC. The tunnel traffic is encrypted, and that's a good thing. Not sure why AWS would steer someone away from a link like that. Also, a routing policy would just force the traffic via a pre-defined interface, the VPC.

       The difference between one or the other would be subtle. Perhaps one method is pricier or faster?
    PatrickAZ
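Whichever way the return path is built (networks declared on the IPsec connection or a routing policy), the question above boils down to two checks: is every LAN and RED remote network that should reach AWS actually covered by what the tunnel carries, and does any of them clash with the VPC's address range. The script below is an added example written for this thread, not Sophos or AWS code; every subnet in it is made up, and the VPC range is only loosely modelled on the 10.16.x.x test instance mentioned earlier.

```python
"""Pre-flight check for routing several on-prem networks into a site-to-site
IPsec tunnel towards an AWS VPC.

Constructed example for this thread (not Sophos or AWS code). It checks two
things that bite when LANs and RED remote networks are added after the tunnel
was built: (1) every network that should reach the VPC is covered by one of
the local networks declared on the tunnel, and (2) none of them overlaps the
VPC CIDR, because an overlap breaks routing no matter how the tunnel is
configured. All subnets below are made up.
"""
import ipaddress
from typing import Dict, Iterable, List


def check_tunnel_routing(local_networks: Iterable[str],
                         needed_subnets: Dict[str, str],
                         vpc_cidr: str) -> Dict[str, List[str]]:
    """Classify each named on-prem subnet as ok, uncovered or overlapping."""
    declared = [ipaddress.ip_network(n, strict=True) for n in local_networks]
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    result: Dict[str, List[str]] = {"ok": [], "uncovered": [], "overlapping": []}

    for name, cidr in needed_subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # An address clash with the VPC is fatal regardless of tunnel config:
        # the firewall cannot tell a local host from a VPC host.
        if net.overlaps(vpc):
            result["overlapping"].append(name)
            continue
        # The tunnel only carries traffic whose source falls inside one of
        # the declared local networks; anything else leaves via the WAN.
        if any(net.subnet_of(local) for local in declared):
            result["ok"].append(name)
        else:
            result["uncovered"].append(name)
    return result


# Constructed data: local networks declared on the IPsec connection, the
# on-prem networks (LANs plus one RED remote subnet) that must reach AWS,
# and the VPC CIDR on the AWS side.
LOCAL_NETWORKS = ["192.168.0.0/16", "172.16.5.0/24", "10.16.8.0/24"]
NEEDED_SUBNETS = {
    "LAN-office": "192.168.10.0/24",
    "LAN-servers": "192.168.20.0/24",
    "RED-branch": "172.16.5.0/24",
    "LAN-wifi": "172.16.9.0/24",   # never added to the tunnel
    "LAN-lab": "10.16.8.0/24",     # collides with the VPC range
}
VPC_CIDR = "10.16.0.0/16"


if __name__ == "__main__":
    for verdict, names in check_tunnel_routing(LOCAL_NETWORKS, NEEDED_SUBNETS, VPC_CIDR).items():
        print(f"{verdict:12s} {', '.join(names) or '-'}")
```

Run it before adding a new LAN or RED site: an "uncovered" entry means hosts there will be routed out the WAN instead of into the tunnel, and an "overlapping" entry has to be re-addressed on one side before any tunnel or policy change will help.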

  • Hi,

    This error is shown in the log viewer:

    2018-06-18 11:41:09 | DoS Attack | Denied | 0 | Port8 | | AWS wan | my side wan | 4500 | 4500 | UDP
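The row above shows the firewall's DoS protection denying UDP/4500 from the AWS side, which is IPsec NAT-Traversal: if those packets are dropped, the tunnel cannot stay up however correct the policies are. A quick way to spot this pattern in a pile of log viewer rows is to filter for DoS denials aimed at the IKE (UDP/500) and NAT-T (UDP/4500) ports and check whether the source is a known VPN peer. The script below is an added example for this thread, not Sophos code; the field order it assumes (time, component, status, rule ID, in/out interface, source, destination, ports, protocol) follows the row as pasted, and all sample rows and peer addresses are constructed.

```python
"""Flag DoS-protection drops that hit IPsec control traffic (UDP 500/4500).

Constructed example for this thread, not Sophos code. The field order is
assumed to match the log viewer row pasted above: time, component, action,
rule id, in-interface, out-interface, source, destination, source port,
destination port, protocol. Sample rows and addresses are made up.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# UDP ports an IPsec tunnel needs: IKE negotiation and NAT-T (ESP in UDP).
IPSEC_UDP_PORTS = {500, 4500}


@dataclass
class LogRow:
    time: str
    component: str
    action: str
    rule_id: str
    in_iface: str
    out_iface: str
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str


def parse_row(line: str) -> LogRow:
    """Split one '|'-separated transcription of a log viewer row into fields."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 11:
        raise ValueError(f"expected 11 fields, got {len(parts)}: {line!r}")
    return LogRow(parts[0], parts[1], parts[2], parts[3], parts[4], parts[5],
                  parts[6], parts[7], int(parts[8] or 0), int(parts[9] or 0),
                  parts[10])


def ipsec_drops(lines: Iterable[str], vpn_peers: Set[str]) -> List[str]:
    """Return one finding per DoS denial that would break an IPsec tunnel.

    A hit is: component 'DoS Attack', action 'Denied', protocol UDP, and a
    destination port of 500 (IKE) or 4500 (NAT-T). Whether the source is a
    known VPN peer is reported too: for a peer the fix is a DoS bypass for
    that address, for an unknown source the drop is doing its job.
    """
    findings = []
    for line in lines:
        r = parse_row(line)
        if r.component != "DoS Attack" or r.action != "Denied":
            continue
        if r.proto.upper() != "UDP" or r.dst_port not in IPSEC_UDP_PORTS:
            continue
        kind = "IKE" if r.dst_port == 500 else "NAT-T"
        who = "known VPN peer" if r.src in vpn_peers else "unknown source"
        findings.append(f"{r.time} {r.in_iface}: DoS protection dropped {kind} "
                        f"(UDP/{r.dst_port}) from {r.src} ({who})")
    return findings


# Constructed sample: 203.0.113.10 stands in for the AWS tunnel endpoint,
# 198.51.100.20 for the on-prem WAN address (both documentation ranges).
VPN_PEERS = {"203.0.113.10"}
SAMPLE_ROWS = [
    "2018-06-18 11:41:09 | DoS Attack | Denied | 0 | Port8 | | 203.0.113.10 | 198.51.100.20 | 4500 | 4500 | UDP",
    "2018-06-18 11:41:12 | DoS Attack | Denied | 0 | Port8 | | 192.0.2.77 | 198.51.100.20 | 44123 | 500 | UDP",
    "2018-06-18 11:41:15 | Firewall | Allowed | 3 | Port1 | Port8 | 10.0.0.5 | 10.16.2.83 | 51000 | 22 | TCP",
    "2018-06-18 11:41:20 | DoS Attack | Denied | 0 | Port8 | | 192.0.2.9 | 198.51.100.20 | 53000 | 80 | TCP",
]


if __name__ == "__main__":
    for finding in ipsec_drops(SAMPLE_ROWS, VPN_PEERS):
        print(finding)
```

The first sample row reproduces the situation in the post: a denial of UDP/4500 from the peer the tunnel is supposed to talk to. The second is the case where a drop on an IKE port is legitimate, and the other two rows show that ordinary firewall allows and unrelated DoS denials are left alone.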