
cannot complete inbound tcp connections over site-to-site VPN

I've completed a site-to-site VPN setup with AWS, using a transit gateway, on a Sophos XG firewall.

topology

internal network (10.x.x.x) ------sophos-xg------site-to-site-vpn-AWS--------vpn-gw-----transit-gateway-----vpc (172.31.0.0/16)
What works:

- ping from internal network to vpc and ping from vpc to internal network

- outbound tcp session to AWS VPC

- traceroute from internal network to vpc
What doesn't work:

- traceroute from vpc to internal network

- AWS VPC tcp inbound connection into internal network
For the inbound TCP connection (test to port 9999), I can see the packet from the VPC (172.31.x.x) reaching the firewall on the WAN interface (218.x.x.x). The internal network uses 10.x.x.x addresses.
Is a DNAT rule required to make this work? I tried playing with it but haven't got it to work either.

Thanks.
  • Forgot to mention the VPN tunnel is established and routing has been set up on both sides.

     
  • Actually, I would recommend you (wait and) update to V18.

    V18 will introduce route-based VPN with VTI.

    This will make your setup much easier.

     

    Is this a production environment, or are you happy to try an Early Access version of V18?


  • Thanks for the reply.

    This is for a production environment. 

    When is the expected release date of V18?

    Is there any workaround for now to fix the issue?

     
  • Route-based VPN would not be a workaround; it would be a better approach to this kind of VPN.

     

    I guess something is blocking the traffic, maybe AWS or maybe XG.

    You should dump the traffic on XG and take a look to see if the traffic is reaching XG.

    Maybe try a drppkt on the shell to see dropped packets.

     


  • The attached screenshot from the logs displays the packet drops going to the WAN interface of the internal network firewall.

     
  • Hi fustyler,

    When you say you are trying to connect into the internal network using a TCP connection, why do we see the traffic destination as a public IP address? Shouldn't it be the IP address of the internal network? I am saying this because the inbound interface is ipsec0, so the inbound traffic is routed through the IPsec tunnel, and the XG firewall expects the traffic destination to be an internal IP address from the internal network matching the IPsec connection profile.

    Is there any NAT rule configured on the AWS side?

    Thanks,

     

  • There is no NAT set up on the AWS side.

     
  • Hi

    How many SAs do you have configured in your ipsec policy on the XG?

    On v17.x/v16.x, the XG is a policy-based IPsec device. AWS only supports a single SA within your tunnel.

    For the traceroute problem, you would need to enable IGMP/PING on XG and AWS to allow it.

    Please remember that you will need to create firewall rules.

    Also, inside your IPsec networks, you must make sure the far side is included in the configuration; otherwise it will not route.

    However, I do agree with  that you should utilize v18 and choose the option to use route-based VPN.

    Thanks!

    KingChris
    Community Support | Sophos Support


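The two diagnostic points made above (a packet arriving on ipsec0 must have a destination inside the connection's local networks, and a policy-based peer negotiates one SA pair per local/remote network pair while AWS accepts only one) can be turned into a small check. This is an added example, not code from the thread or from Sophos; the policy, the sample flows and the placeholder WAN address 203.0.113.1 (standing in for the 218.x.x.x interface) are all constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IpsecPolicy:
    """Local and remote networks of one policy-based IPsec connection (constructed)."""
    local_nets: list[ipaddress.IPv4Network]
    remote_nets: list[ipaddress.IPv4Network]

@dataclass
class Flow:  # one decrypted packet seen inbound on ipsec0 (constructed sample)
    src: str
    dst: str
    dport: int

def make_policy(local: list[str], remote: list[str]) -> IpsecPolicy:
    return IpsecPolicy([ipaddress.ip_network(n) for n in local],
                       [ipaddress.ip_network(n) for n in remote])

def sa_pairs(policy: IpsecPolicy) -> int:
    """One SA pair is negotiated per (local, remote) selector pair; AWS accepts a
    single pair, so a result above 1 means the subnets need summarising first."""
    return len(policy.local_nets) * len(policy.remote_nets)

def classify_inbound(policy: IpsecPolicy, flow: Flow) -> str:
    """Say whether a packet arriving on ipsec0 can match the connection's selectors."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    src_ok = any(src in n for n in policy.remote_nets)
    dst_ok = any(dst in n for n in policy.local_nets)
    if src_ok and dst_ok:
        return "selector-match"            # tunnel accepts it; firewall rules decide next
    if src_ok:
        # Destination is not a local tunnel network (e.g. the WAN public IP): the
        # packet matches no selector, so the sender must target the private address.
        return "dst-outside-local-selector"
    return "src-outside-remote-selector"   # far-side network missing from the connection

POLICY = make_policy(["10.0.0.0/8"], ["172.31.0.0/16"])
# Constructed samples; 203.0.113.1 stands in for the firewall's 218.x.x.x WAN address.
SAMPLE_FLOWS = [
    Flow("172.31.5.10", "10.1.2.3", 9999),       # working direction
    Flow("172.31.5.10", "203.0.113.1", 9999),    # the thread's failing port-9999 test
    Flow("192.168.50.4", "10.1.2.3", 9999),      # subnet not in the connection
]

def audit(policy: IpsecPolicy = POLICY, flows: list[Flow] = SAMPLE_FLOWS) -> dict:
    """Map 'src->dst:dport' to its classification for every sampled flow."""
    return {f"{f.src}->{f.dst}:{f.dport}": classify_inbound(policy, f) for f in flows}
```

Run `audit()` against flows taken from a real capture on ipsec0 to see which of the three cases each dropped packet falls into.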
  • Firewall rules are in place to allow all traffic bi-directionally as the first rule.

    AWS confirmed IPSec tunnel was formed correctly after reviewing packet captures.