Well, I have followed this step-by-step, exactly:
....and while the VPN shows "UP" in both AWS and my Sophos VPN section, I cannot PING or SSH to my test EC2 instance. In the bottom screenshot you'll see I have PING and SSH allowed from anywhere (0.0.0.0/0). I've been at it for hours, first because I mistakenly followed the v17. Even with the v17 how-to, my VPN said it was up in AWS and Sophos VPN section. Then I found v18 and thought for sure I would have success. No such luck.
At one point I got stuck at the part where I couldn't find my "xfrm" interface until I realize that little vertical blue line meant I could expand my WAN interface, thanks to THIS ARTICLE. Again, I thought for sure I would have success. No such luck again, and now I'm at a loss.
The only difference I've noticed between my setup and the setup in the link above, is in Step 9 and Step 10, I have "xfrm1" not "xfrm2".
Anyone know where I should start with troubleshooting?
Thank you for contacting the Sophos Community.
I would recommend you to do a packet capture on the GUI, so you can see if the packets are leaving the IPsec tunnel (xfrm) of the XG, so you…
I would recommend you to do a packet capture on the GUI, so you can see if the packets are leaving the IPsec tunnel (xfrm) of the XG, so you know what to troubleshoot if the XG side or the AWS side.
When doing the pcap in the GUI use the IP of the Ec2 instance as the host.
Thanks. I began a PING, then added the EC2 instance IP 10.10.1.93 as the Destination IP (host?):
Please select Ping for the VPN zone.
If not I will try to recreate your configuration, see if something might be missing.
Thanks, I actually checked them all and no change. I'm about to break it all down again for take 3 ...
I have asked for a review of the RR.
However, after checking, it seems that during the "Routing Options" Dynamic is selected instead of static. (That happened to me when I was following the RR)
Additionally, remember to delete and recreate the site-to-site VPN connection, the Virtual Private Network, and Customer Gateway, as well as to update the Routing Table once you recreate them.
emmosophos thanks. I just looked at my existing setup, where it says it's connected but I cannot PING or SSH back and forth. I do have static configured. About to go through the document again. I just deleted my S2S VPN, Virtual Private GW, and Customer GW for starters.
Make sure that on the AWS side the tunnel actually says UP.
Virtual Private Network (VPN) >> Site-to-Site VPN Connections >> Tunnel Details >> Status (should say UP)
Once the status is UP, the traffic should start to flow.
Same thing as the first 3 times. VPN shows "UP" on both ends but can't PING or SSH to my test EC2 linux box.
Two things I noticed while going through the setup this time:
You can leave the Local ID empty for both ends, that is only needed if the XG is behind a NAT device, not seeing your real Public IP.
Still the same -- I had to change the "Local ID type" from IP address back to the default "Select local ID" option because otherwise it was forcing me to enter an IP address in the "Local ID" field. Going to watch a few episodes of Ozark... my head hurts.
Did you create a new Ec2 instance this time?
No. I've only been deleting/recreating the VPN stuff, and attaching it to my existing test VPC (on a 10.10.0.0/16) network, which then has a 10.10.1.0/24 subnet in it with my test EC2 instance at 10.10.1.93. I'm guessing one shouldn't have to completely delete/recreate an EC2 instance... instead, just make sure your newly created Virtual Private Gateway is attached to the existing test VPC and the correct routing and firewall rules are in place. In any case, I just created a new EC2 instance (10.10.1.13) and cannot PING or SSH to that either. My VPC and Security Group was created using the "Set the AWS side" section of the Sophos v17 AWS VPN tutorial -- because the Sophos v18 AWS VPN tutorial completely leaves all of the VPC creation stuff out.