VPN traffic across AWS S2S

Hello everyone,

I am currently having an issue when users VPN into the Sophos located at our home office facility: they cannot access the Amazon VPC across the site-to-site VPN we have set up with AWS. Whenever I do advertise the local VPN subnet, the tunnel becomes intermittent and produces "received delete sa payload replace ipsec state in 10 seconds" errors, which then in turn cause the tunnel to drop every 10 seconds. I know this isn't much information at the moment, but I will send whatever is needed to anyone willing to help troubleshoot this issue. Thank you.

  • Hi, and welcome to the User BB!

    It's not clear whether you're using the 'Amazon VPC' redundant connection or a standard 'IPsec' VPN in 'Site-to-Site'.  If the latter, How to allow remote access users to reach another site via a Site-to-Site Tunnel might help you.

    Take particular note of the hint about being sure that the "VPN Pool (***)" subnets don't conflict. That's the first thing I thought when I saw your post - an IP conflict.

    Cheers - Bob
    PS Advice is given for free here by many of us, but I expect that everyone charges for one-on-one help.
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I am using a standard IPSec VPN site-to-site. My internal subnets don't conflict with my VPC subnets. For my office net, I am using 10.0.0.0/16 and for my VPC I am using 172.16.0.0/16. But you may have a point, I will double check it again. It is just that a lot of the more useful notes are for UTM and I am trying to do this with an XG. Ugh. I could redo the Amazon VPN which is currently using dynamic routing (BGP) and use static instead. But I chose dynamic because the XG claims it supports it.
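The address-plan check Bob's reply recommends, run against the subnets the original poster quotes, as an added Python example that is not code from this thread, from Sophos or from AWS. The remote-access pool 10.10.0.0/24 and the list of prefixes advertised to AWS are assumptions; substitute your own values.

```python
"""Sanity-check the address plan behind a remote-access + site-to-site setup.

Constructed example. Office LAN and VPC CIDR are the values quoted in the
thread; the remote-access pool and the advertised prefixes are assumed.
"""
import ipaddress
from itertools import combinations

OFFICE_LAN = "10.0.0.0/16"          # from the thread
VPC_CIDR = "172.16.0.0/16"          # from the thread
REMOTE_ACCESS_POOL = "10.10.0.0/24"  # assumed; set to your actual VPN pool


def find_overlaps(cidrs):
    """Return every pair of CIDRs that overlap. Any overlap between the VPN
    pool, the office LAN and the VPC is the IP conflict the reply warns about."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def missing_return_routes(local_networks, advertised_to_aws):
    """Return local networks that no advertised prefix covers. AWS only routes
    back to prefixes it learned (via BGP or static routes), so a remote-access
    pool that is not advertised gets traffic into the VPC but no replies."""
    adv = [ipaddress.ip_network(a, strict=False) for a in advertised_to_aws]
    missing = []
    for n in local_networks:
        net = ipaddress.ip_network(n, strict=False)
        if not any(net.subnet_of(a) for a in adv):
            missing.append(str(net))
    return missing


def check_plan(office_lan, vpc_cidr, vpn_pool, advertised_to_aws):
    """Run both checks; empty lists mean the plan is clean."""
    return {
        "overlaps": find_overlaps([office_lan, vpc_cidr, vpn_pool]),
        "no_return_route": missing_return_routes([office_lan, vpn_pool],
                                                 advertised_to_aws),
    }


if __name__ == "__main__":
    # Assumed: only the office LAN is advertised, so the pool has no way back.
    print(check_plan(OFFICE_LAN, VPC_CIDR, REMOTE_ACCESS_POOL, [OFFICE_LAN]))
```

A pool carved out of the office LAN range (for example 10.0.5.0/24 inside 10.0.0.0/16) shows up as an overlap, which is the conflict to rule out first.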