Sophos Firewall v18 AWS site-to-site VPN connected but no traffic PING SSH

Hello there,

Thank you for contacting the Sophos Community.

I would recommend you to do a packet capture on the GUI, so you can see if the packets are leaving the IPsec tunnel (xfrm) of the XG, so you know what to troubleshoot if the XG side or the AWS side.

When doing the pcap in the GUI use the IP of the Ec2 instance as the host.

Regards,

Thanks. I began a PING, then added the EC2 instance IP 10.10.1.93 as the Destination IP (host?):

Hello,

So based on the capture, the Ping is leaving the XG on the Correct interface using the Rule ID 6, so the issue is the traffic coming back from the AWS side. 

Most likely the Ec2 is sending the replies packet a different way.

Confirm the routing table in AWS is correct, and the Ec2 and VPN has the correct ACL, does the Ec2 instance has only a Private IP or also a Public IP attached?

Regards,

The EC2 instance only has a private IP of 10.10.1.93 -- there is no public IP. I am not sure what to do in the Sophos ACL for VPN -- the v18 how-to says nothing about that so I didn't do anything there. Here are some screenshots:

Hello,

Please select Ping for the VPN zone.

If not I will try to recreate your configuration, see if something might be missing.

Regards,

Thanks, I actually checked them all and no change. I'm about to break it all down again for take 3 ...

Hello djb,

I have asked for a review of the RR.

However, after checking, it seems that during the "Routing Options" Dynamic is selected instead of static. (That happened to me when I was following the RR)

Additionally, remember to delete and recreate the site-to-site VPN connection, the Virtual Private Network, and Customer Gateway, as well as to update the Routing Table once you recreate them.

Regards,

emmosophos thanks. I just looked at my existing setup, where it says it's connected but I cannot PING or SSH back and forth. I do have static configured. About to go through the document again. I just deleted my S2S VPN, Virtual Private GW, and Customer GW for starters.

Hello,

Make sure that on the AWS side the tunnel actually says UP.

Virtual Private Network (VPN) >> Site-to-Site VPN Connections >> Tunnel Details >> Status (should say UP)

Once the status is UP, the traffic should start to flow.

Regards,

Same thing as the first 3 times. VPN shows "UP" on both ends but can't PING or SSH to my test EC2 linux box.

Two things I noticed while going through the setup this time:

1. Step 6 figure 2:"SHA2 with 96-bit truncation" is unchecked by default for me, so I checked it since that's what shows in the image
   
   
2. Step 7 figure 4: Listening interface and LocalID for me have the same IP address - my WAN IP address of the Sophos Firewall

Same thing as the first 3 times. VPN shows "UP" on both ends but can't PING or SSH to my test EC2 linux box.

Two things I noticed while going through the setup this time:

1. Step 6 figure 2:"SHA2 with 96-bit truncation" is unchecked by default for me, so I checked it since that's what shows in the image
   
   
2. Step 7 figure 4: Listening interface and LocalID for me have the same IP address - my WAN IP address of the Sophos Firewall

Hello there,

You can leave the Local ID empty for both ends, that is only needed if the XG is behind a NAT device, not seeing your real Public IP.

Regards,

Still the same  -- I had to change the "Local ID type" from IP address back to the default "Select local ID" option because otherwise it was forcing me to enter an IP address in the "Local ID" field. Going to watch a few episodes of Ozark... my head hurts.

Hello,

Did you create a new Ec2 instance this time?

Regards,

No. I've only been deleting/recreating the VPN stuff, and attaching it to my existing test VPC (on a 10.10.0.0/16) network, which then has a 10.10.1.0/24 subnet in it with my test EC2 instance at 10.10.1.93. I'm guessing one shouldn't have to completely delete/recreate an EC2 instance... instead, just make sure your newly created Virtual Private Gateway is attached to the existing test VPC and the correct routing and firewall rules are in place. In any case, I just created a new EC2 instance (10.10.1.13) and cannot PING or SSH to that either. My VPC and Security Group was created using the "Set the AWS side" section of the Sophos v17 AWS VPN tutorial -- because the Sophos v18 AWS VPN tutorial completely leaves all of the VPC creation stuff out.