Well, I have followed this step-by-step, exactly:
....and while the VPN shows "UP" in both AWS and my Sophos VPN section, I cannot PING or SSH to my test EC2 instance. In the bottom screenshot you'll see I have PING and SSH allowed from anywhere (0.0.0.0/0). I've been at it for hours, first because I mistakenly followed the v17. Even with the v17 how-to, my VPN said it was up in AWS and Sophos VPN section. Then I found v18 and thought for sure I would have success. No such luck.
At one point I got stuck at the part where I couldn't find my "xfrm" interface until I realized that little vertical blue line meant I could expand my WAN interface, thanks to THIS ARTICLE. Again, I thought for sure I would have success. No such luck again, and now I'm at a loss.
The only difference I've noticed between my setup and the setup in the link above is that in Step 9 and Step 10, I have "xfrm1" not "xfrm2".
Anyone know where I should start with troubleshooting?
Thank you for contacting the Sophos Community.
I would recommend you do a packet capture on the GUI, so you can see if the packets are leaving the IPsec tunnel (xfrm) of the XG, so you know whether to troubleshoot the XG side or the AWS side.
When doing the pcap in the GUI, use the IP of the EC2 instance as the host.
Thanks. I began a PING, then added the EC2 instance IP 10.10.1.93 as the Destination IP (host?):
What do you have set for your Firewall Rules that are applied to the VPN? Also check your AWS Route table to make sure you have a route back to your local network over the VGW. When dealing with AWS VPN attachments AWS doesn't know what the route is back to your network unless you add the routes to the route table.
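To check the AWS side of the point above (the VPC route table must carry a route for the on-prem network that points at the VGW), here is an added example that is not from the thread: a small Python longest-prefix-match check over route entries in the shape of `aws ec2 describe-route-tables` output. The on-prem CIDR 192.168.1.0/24 and the gateway IDs are constructed placeholders.

```python
import ipaddress

# Constructed sample modelled on the "Routes" list returned by
# `aws ec2 describe-route-tables`; the on-prem CIDR and gateway IDs are
# placeholders, not values from the thread.
ON_PREM_CIDR = "192.168.1.0/24"      # assumed LAN behind the Sophos XG
VGW_ID = "vgw-EXAMPLE0001"           # placeholder virtual private gateway id

SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE0001"},
]


def return_route(routes, on_prem_cidr):
    """Return the route entry AWS would pick for traffic back to on_prem_cidr
    (longest-prefix match over the table), or None if nothing matches."""
    target = ipaddress.ip_network(on_prem_cidr)
    best_net, best_route = None, None
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 / prefix-list entries are not relevant here
        net = ipaddress.ip_network(cidr)
        if target.subnet_of(net) and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_route = net, route
    return best_route


def return_path_ok(routes, on_prem_cidr, vgw_id):
    """True only if the selected return route sends the traffic to the VGW.
    A default route to an internet gateway matches but is the wrong exit."""
    route = return_route(routes, on_prem_cidr)
    return route is not None and route.get("GatewayId") == vgw_id


def diagnose(routes, on_prem_cidr, vgw_id):
    route = return_route(routes, on_prem_cidr)
    if route is None:
        return "no route covers %s" % on_prem_cidr
    if route.get("GatewayId") != vgw_id:
        return "%s is routed via %s, not %s" % (on_prem_cidr, route.get("GatewayId"), vgw_id)
    return "ok"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ROUTES, ON_PREM_CIDR, VGW_ID))
    fixed = SAMPLE_ROUTES + [{"DestinationCidrBlock": ON_PREM_CIDR, "GatewayId": VGW_ID}]
    print(diagnose(fixed, ON_PREM_CIDR, VGW_ID))
```

The first run reports that replies would leave via the internet gateway; adding the on-prem prefix with the VGW as target makes the check pass.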
Can you try changing the IPSec from tunnel interface to site-to-site. Is there a reason you are using a tunnel interface?
Take a look at this. https://support.sophos.com/support/s/article/KB-000038437?language=en_US
I've only used the tunnel interface when dealing with multiple networks and BGP. Otherwise I use site-to-site.
I changed it to site-to-site, but when I clicked Save, I got "local/remote subnet configuration conflict", and noticed both of those boxes on the bottom of the IPSec connection page were red (meaning required). So I filled them in with my local subnet and the remote AWS subnet of the VPC (10.10.0.0/16) and clicked Save, and the tunnel successfully connected, but still no PINGS or SSH. Additionally, now I notice there is no xfrm1 interface under my WAN port. And because of that, my static route to AWS (in "Configure", click on "Routing" → Under "Static Routing"), is gone. So I recreated one to my one-and-only AWS subnet (10.10.1.0/24) and used the Port2 WAN interface. Now PINGs to my AWS box 10.10.1.93 come back as "Destination host unreachable" instead of timing out. I think the "Sophos XG Firewall v18 to AWS VPN Gateway IPSEC Connection" needs some editing because I have the exact same setup and followed it twice without success. Switching back and forth between the v17 and v18 how-to seems weird.
So based on the capture, the ping is leaving the XG on the correct interface using Rule ID 6, so the issue is the traffic coming back from the AWS side.
Most likely the EC2 is sending the reply packets a different way.
Confirm the routing table in AWS is correct and that the EC2 and VPN have the correct ACLs. Does the EC2 instance have only a private IP, or also a public IP attached?
The EC2 instance only has a private IP of 10.10.1.93 -- there is no public IP. I am not sure what to do in the Sophos ACL for VPN -- the v18 how-to says nothing about that so I didn't do anything there. Here are some screenshots:
That is very odd. Did you try looking at the link I sent above? Maybe there is something missing in the config.