AWS site-to-site VPN?

Hi

Has anyone been able to get a site-to-site IPsec VPN to work with AWS VPCs?

I was able to get the VPN tunnel established by using the downloadable configuration file from AWS, but I'm unable to ping any of my devices across it in the VPC.

Troubleshooting is difficult because I don't know how to log traffic over the IPsec tunnel to even see if my pings are being routed correctly.

And the guides I found are not very detailed. Does anyone have any success stories or know of a good guide for this?

Thanks for any help.



This thread was automatically locked due to age.
  • First, you need the REF_ of the tunnel (I haven't tried this, but it should work):

    cc get_objects 'ipsec_connection' 'amazon_vpc' |grep 'ref'

    Say that the result was REF_IpsAmaTunnel1.  Now, watch the traffic with

    # espdump -n --conn REF_IpsAmaTunnel1 -vv

    Any luck with that?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you again, Bob, for all of your help.

    Those commands did work, but it looks like it only shows the status of the tunnel. When I ping across it (that I can do now :)) it does not show up.

    14:48:07.918917 IP (tos 0xc0, ttl 233, id 48364, offset 0, flags [none], proto UDP (17), length 144)
    34.xxxx.xxxx.xxxx.4500 > xx.xx.xxx.xxxx.4500: [no cksum] UDP-encap: ESP(spi=0x503f1649,seq=0xa3), length 116
    14:48:07.918954 IP (tos 0xc0, ttl 64, id 11605, offset 0, flags [none], proto UDP (17), length 128)

    I was able to get the VPN working eventually. There is a step in configuring AWS to propagate the routes that I never turned on. After turning on route propagation, my internal networks showed up on the route table on AWS, and I can now ping across it to my private servers.

    This guide helped
    https://www.bonusbits.com/wiki/HowTo:Setup_Site_to_Site_VPN_from_AWS_VPC_to_Sophos_UTM
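The espdump output quoted above only ever shows encrypted ESP records, so the pings themselves are not visible; what can be checked is whether ESP flows in both directions while a ping is running. The following is an added example written for this page, not code from the thread or from Sophos: it parses such espdump/tcpdump lines, groups them by peer pair and SPI, and flags a tunnel that only carries outbound ESP (the symptom when the remote side has no route back, as with VPC route propagation left off). The sample lines are constructed on RFC 5737 documentation addresses, and `local_peer` is assumed to be the UTM's public IP.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the espdump -n output quoted above (RFC 5737
# documentation addresses: 203.0.113.10 = AWS peer, 198.51.100.5 = UTM public IP).
SAMPLE = """\
14:48:07.918917 IP (tos 0xc0, ttl 233, id 48364, offset 0, flags [none], proto UDP (17), length 144)
    203.0.113.10.4500 > 198.51.100.5.4500: [no cksum] UDP-encap: ESP(spi=0x503f1649,seq=0xa3), length 116
14:48:07.918954 IP (tos 0xc0, ttl 64, id 11605, offset 0, flags [none], proto UDP (17), length 128)
    198.51.100.5.4500 > 203.0.113.10.4500: [no cksum] UDP-encap: ESP(spi=0xc4b9e021,seq=0x1f), length 100
    203.0.113.10.4500 > 198.51.100.5.4500: [no cksum] UDP-encap: ESP(spi=0x503f1649,seq=0xa4), length 116
    198.51.100.5.4500 > 203.0.113.10.4500: [no cksum] UDP-encap: ESP(spi=0xc4b9e021,seq=0x20), length 100
"""

# Matches the payload line of each record: peers, NAT-T ports, SPI, sequence number, length.
ESP_LINE = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): .*?"
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<length>\d+)"
)

def parse_esp(lines):
    """Return one dict per ESP packet; the 'IP (tos ...)' header lines are skipped."""
    packets = []
    for line in lines:
        m = ESP_LINE.search(line.strip())
        if m:
            packets.append({"src": m["src"], "dst": m["dst"], "spi": int(m["spi"], 16),
                            "seq": int(m["seq"], 16), "length": int(m["length"])})
    return packets

def summarize(packets):
    """Per (src, dst, spi): packet count and whether sequence numbers only increase."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p["src"], p["dst"], p["spi"])].append(p["seq"])
    return {k: {"packets": len(v), "monotonic": all(a < b for a, b in zip(v, v[1:]))}
            for k, v in flows.items()}

def diagnose(packets, local_peer):
    """Heuristic: while pinging, a healthy tunnel carries ESP in both directions;
    outbound-only means the remote side never answers (e.g. VPC route propagation off)."""
    outbound = any(p["src"] == local_peer for p in packets)
    inbound = any(p["dst"] == local_peer for p in packets)
    if outbound and inbound:
        return "esp-both-directions"
    if outbound:
        return "esp-outbound-only"
    return "esp-inbound-only" if inbound else "no-esp"
```

Feed it the saved output of `espdump -n --conn <REF_> -vv` captured while pinging; a non-monotonic sequence within one SPI usually just means two captures were concatenated or a rekey happened.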
