

How to route Internet traffic through the IPSec site-to-site VPN to AWS?

I'm going to build my whole datacenter in a private subnet of an AWS VPC (LDAP, RADIUS, database, etc.).

I already set up the IPsec site-to-site VPN by following this guide:

https://community.sophos.com/kb/en-us/133057

Tunnels are up and working well. I can ping and SSH normally to the database servers.

Now I want to route all traffic from my local LAN to the VPC, but I cannot reach the Internet.

I tried to configure the Remote Subnet of the VPN in the firewall as "Any", but it still doesn't work.

Any idea or help is really appreciated!

This thread was automatically locked due to age.
  • Hey  and 

    The packet capture utility shows the ping to 8.8.8.8 as a violation because of a firewall rule.

    So I added 2 firewall rules:

    - LAN_to_VPN: Source: LAN, Local Subnet --> Dest: VPN, Any

    - VPN_to_LAN: Source: VPN, Any --> LAN, Local Subnet

    I still can ping only IPs inside the AWS VPC; I cannot ping the Internet.

    Now the packet capture utility shows the ping to 8.8.8.8 as forwarded because of the new first rule.

    The traceroute stops at the gateway of the LAN:

    $ traceroute 8.8.8.8
    1  192.168.0.1  (192.168.0.1)  3.455 ms  1.390 ms  1.258 ms
    2  *  *  *
    3  *  *  *

    What other firewall rule should I add? Or could the problem be on the AWS side?
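    The situation in this post, as an added example that is not part of the thread and not Sophos code: a first-match model of the two firewall rules listed above, with zone membership derived from the IPsec policy's remote subnets, plus a parser for the traceroute output that reports where replies stop. The VPC CIDR (10.0.0.0/16) and the host addresses are assumptions; only 192.168.0.0/24 is implied by the traceroute hop.

```python
"""Added example (not from the thread): first-match model of the two firewall
rules from the post, with zone membership derived from the IPsec remote
subnets, plus a parser for the traceroute output.  The VPC CIDR and the host
addresses are assumptions; only 192.168.0.0/24 is implied by the post."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
LOCAL_SUBNET = Net("192.168.0.0/24")   # implied by the traceroute hop 192.168.0.1
VPC_SUBNET = Net("10.0.0.0/16")        # assumed AWS VPC CIDR (hypothetical)


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src_net: Net
    dst_zone: str
    dst_net: Net


# The two rules the poster added, in order (evaluated top-down, first match wins).
RULES = [
    Rule("LAN_to_VPN", "LAN", LOCAL_SUBNET, "VPN", ANY),
    Rule("VPN_to_LAN", "VPN", ANY, "LAN", LOCAL_SUBNET),
]


def zone_of(addr: str, vpn_remote_subnets: list) -> str:
    """Zone an address belongs to: LAN, VPN (covered by an IPsec remote subnet),
    otherwise WAN.  A remote subnet of 'Any' therefore turns every non-LAN
    destination, 8.8.8.8 included, into a VPN-zone destination."""
    ip = ipaddress.ip_address(addr)
    if ip in LOCAL_SUBNET:
        return "LAN"
    if any(ip in net for net in vpn_remote_subnets):
        return "VPN"
    return "WAN"


def evaluate(src: str, dst: str, vpn_remote_subnets: list) -> str:
    """First-match rule lookup.  Anything unmatched is dropped, which is the
    'violation' reason shown by the packet capture before the rules existed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(src, vpn_remote_subnets), zone_of(dst, vpn_remote_subnets)
    for r in RULES:
        if r.src_zone == sz and r.dst_zone == dz and s in r.src_net and d in r.dst_net:
            return r.name
    return "drop"


# Constructed copy of the traceroute output quoted in the post.
TRACEROUTE = """\
 1  192.168.0.1  (192.168.0.1)  3.455 ms  1.390 ms  1.258 ms
 2  *  *  *
 3  *  *  *
"""


def trace_summary(text: str, destination: str) -> dict:
    """Last hop that answered, how many hops after it stayed silent, and
    whether the destination itself ever replied."""
    last_hop, last_ip, silent = 0, None, 0
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue
        hop, rest = int(parts[0]), parts[1:]
        if all(tok == "*" for tok in rest):
            silent += 1
            continue
        # Hop line looks like "<n>  <name>  (<ip>)  <rtt> ms ..."
        ip = rest[1].strip("()") if len(rest) > 1 and rest[1].startswith("(") else rest[0]
        last_hop, last_ip, silent = hop, ip, 0
    return {"last_hop": last_hop, "last_ip": last_ip,
            "silent_after": silent, "reached": last_ip == destination}


if __name__ == "__main__":
    # Remote subnet = VPC only: 8.8.8.8 is a WAN destination and this rule set
    # has no LAN-to-WAN rule, so the packet is dropped.
    print(evaluate("192.168.0.10", "8.8.8.8", [VPC_SUBNET]))
    # Remote subnet = Any: LAN_to_VPN matches and the packet enters the tunnel.
    print(evaluate("192.168.0.10", "8.8.8.8", [ANY]))
    # The trace answers only at the LAN gateway; nothing beyond the tunnel replies.
    print(trace_summary(TRACEROUTE, "8.8.8.8"))
```

    The model shows why "forwarded by rule" and "no reply" coexist: the rule decides only whether the firewall puts the packet into the tunnel, and the trace confirms that nothing past the LAN gateway ever answers, so the next place to look is the far end of the tunnel rather than the rule base.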

  • Hi  

    If the traffic is being forwarded but no reply packet is coming back, please capture packets on the AWS side and check whether they are being received there or not. No further firewall rules are needed. Please verify at the gateway level.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

  • The AWS VPC does not allow transit traffic, so Internet traffic cannot be pushed through the VPN Gateway.