AWS VPC Connection can't see instances in the VPC

I am running Sophos UTM 9.504-1 and am having trouble connecting my UTM to an AWS VPC. It seems all the 'hard' parts are working. I have used the site-to-site VPN -> Amazon VPC -> Setup -> Import Via Amazon VPC Configuration tool. I have also set the 'Local Networks' in the setup screen to be my local network range. Once I do that, everything seems like it comes up very quickly. The status page on the UTM shows green for both tunnels, and displays ROUTES of the VPC CIDR range correctly without me specifying it manually (on only one tunnel, as expected). AWS shows that the tunnels are UP. I have verified that the route tables are propagated correctly and, after connection, I can see the network I specified in the 'Local Networks' on the UTM is in that route table, with a destination of the VPG. I have also checked that NACLs and security groups are allowing the traffic.

I can see in my firewall logs that I am dropping IGMP requests from the AWS connection 169.254.x.x (which I think is expected and harmless), so it does appear that data is flowing through the pipe.  I have also written a firewall network rule logging 443 requests to the AWS VPC range so I can see that requests are at least making it to the router - which they are.  

Despite all of this, I can't seem to pull up an SSL webserver (or anything else for that matter, but 443 is all that is allowed at this moment).  I have two other sites using Cisco ATAs also connecting to the same VPC (on non-conflicting ranges) working correctly, so I know the webserver is functioning.  I can't seem to find a log to see what happens after the firewall permits the 443 packet destined for the VPC.

The only thing that concerns me is in the IPSec logging, on connection I get the following line: (I am not sure if the local_net and remote_net both being 0/0 is expected or not)

id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="vpn-XXXXXXXX [2]" address="MY_UTM_STATIC_IP" local_net="0.0.0.0/0" remote_net="0.0.0.0/0"

I have read https://community.sophos.com/kb/en-us/120922 and the linked user's guide, and none of that seems to infer that I need to have a NAT or anything else. I have seen some posts which infer they set it up over the 169.254.x.x address, but I am not sure if it is a correct solution and unsure how to rewrite the NAT since the UP tunnel could change over time.

Any help getting this setup would be much appreciated!
