
Sophos UTM 9 connecting to AWS on a Transit GW

Hello everyone, new to this forum.

We have a Sophos UTM 9 which for a long time was connected to three different VPN connections on three different accounts on AWS that we have. We have now centralized everything on one account and connected the rest through a Transit GW. The problem is that the VPN connection gets established just fine, but we can reach only one of the networks on AWS, and it is not always the same one; it seems to be the last one that was added to the Remote Gateways configuration.

I have a different VPN connection from Sophos to the office (a Palo Alto device) with several networks defined in the Remote Gateways which works just fine, so it is something specific to this connection with AWS. Has anyone experienced such a problem?

Thanks in advance

Lior.



  • Hallo Lior and welcome to the UTM Community!

    In addition to the logs requested in the thread you link to above, also insert pictures of the Edit of the IPsec Connection and Remote Gateway.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob!

    Here are the logs (changing IPs and ranges). In the Remote Gateways below, I am able to connect to the one called "AWS_Fox_net" which is the last one I added.

    2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363750: Peer ID is ID_IPV4_ADDR: 'X.X.X.X'
    2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363750: ISAKMP SA established
    2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363751: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#363750}
    2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363752: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#363750}
    2022:07:18-09:37:43 fw01-1 pluto[5702]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.Z.1" local_net="172.16.Z.0/24" remote_net="172.X.0.0/16"
    2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363751: sent QI2, IPsec SA established {ESP=>0xcbaa8fe0 <0x650892a7 NATOA=0.0.0.0 DPD}
    2022:07:18-09:37:43 fw01-1 pluto[5702]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.Z.1" local_net="172.16.Z.0/24" remote_net="172.Y.0.0/16"
    2022:07:18-09:37:43 fw01-2 pluto[6023]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.Z.1" local_net="172.16.Z.0/24" remote_net="172.X.0.0/16"
    2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363752: sent QI2, IPsec SA established {ESP=>0xc532d922 <0xcf15b2f9 NATOA=0.0.0.0 DPD}
    2022:07:18-09:37:44 fw01-2 pluto[6023]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.Z.1" local_net="172.16.Z.0/24" remote_net="172.Y.0.0/16"

  • That all looks correct and the log shows that the site-to-site was successfully established. Either I'm not understanding your network topology or the problem is in the Palo Alto.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
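Added example, not part of the thread and not Sophos code: a small Python parser that reads pluto log lines shaped like the ones Lior posted and counts, per IPsec connection, how many Phase 2 (child) SAs were negotiated and which local_net/remote_net selector pairs they carry. The sample log below is constructed for the example (addresses are placeholders, the Office_PaloAlto connection is invented for contrast); the only assumption about the format is what is visible in the post, namely that pluto prefixes the UTM connection name with "S_" in its own messages while the id="2203" event lines use the bare name. The point worth checking is in the output: the AWS connection negotiates two child SAs, one per remote network. AWS Site-to-Site VPN is documented to support a single pair of security associations per tunnel, so a policy-based configuration with several Remote Gateway networks ends up with only the last-negotiated pair usable on the AWS side, which matches the "only the last network added works" symptom; the thread itself does not draw that conclusion.

```python
"""Count IPsec child SAs per connection from Sophos UTM pluto log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log, modeled on the lines in the post. Addresses are placeholders
# and the Office_PaloAlto connection is invented for contrast.
SAMPLE_LOG = """\
2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363750: ISAKMP SA established
2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363751: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#363750}
2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363752: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#363750}
2022:07:18-09:37:43 fw01-1 pluto[5702]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.50.1" local_net="172.16.50.0/24" remote_net="172.20.0.0/16"
2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363751: sent QI2, IPsec SA established {ESP=>0xcbaa8fe0 <0x650892a7 NATOA=0.0.0.0 DPD}
2022:07:18-09:37:43 fw01-1 pluto[5702]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.50.1" local_net="172.16.50.0/24" remote_net="172.21.0.0/16"
2022:07:18-09:37:43 fw01-2 pluto[6023]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.50.1" local_net="172.16.50.0/24" remote_net="172.20.0.0/16"
2022:07:18-09:37:43 fw01-1 pluto[5702]: "S_AWS_Production_Nav_S2S" #363752: sent QI2, IPsec SA established {ESP=>0xc532d922 <0xcf15b2f9 NATOA=0.0.0.0 DPD}
2022:07:18-09:37:44 fw01-2 pluto[6023]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="AWS_Production_Nav_S2S" address="172.16.50.1" local_net="172.16.50.0/24" remote_net="172.21.0.0/16"
2022:07:18-09:38:01 fw01-1 pluto[5702]: "S_Office_PaloAlto" #363760: sent QI2, IPsec SA established {ESP=>0x11111111 <0x22222222 NATOA=0.0.0.0 DPD}
2022:07:18-09:38:01 fw01-1 pluto[5702]: id="2203" severity="info" sys="SecureNet" sub="vpn" event="Site-to-site VPN up" variant="ipsec" connection="Office_PaloAlto" address="172.16.50.1" local_net="172.16.50.0/24" remote_net="10.10.0.0/16"
"""

# pluto's own message for a completed Quick Mode exchange, including the ESP SPIs.
CHILD_SA_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): '
    r'sent QI2, IPsec SA established \{ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)'
)
# UTM's structured "Site-to-site VPN up" event, one per local_net/remote_net pair.
VPN_UP_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) pluto\[\d+\]: .*event="Site-to-site VPN up" variant="ipsec" '
    r'connection="(?P<conn>[^"]+)" address="[^"]*" local_net="(?P<local>[^"]+)" remote_net="(?P<remote>[^"]+)"'
)


def normalize(conn):
    """Fold pluto's 'S_<name>' (site-to-site) form onto the bare UTM connection name."""
    return conn[2:] if conn.startswith("S_") else conn


def summarize(log_text):
    """Return {connection: {"child_sas": {sa_id: (spi_out, spi_in)},
                            "selectors": {(local_net, remote_net)}, "hosts": {hostname}}}.
    Selectors are a set, so the mirrored events from the second HA node (fw01-2) do not double count."""
    summary = defaultdict(lambda: {"child_sas": {}, "selectors": set(), "hosts": set()})
    for line in log_text.splitlines():
        m = CHILD_SA_RE.match(line)
        if m:
            entry = summary[normalize(m["conn"])]
            entry["child_sas"][int(m["sa"])] = (m["spi_out"], m["spi_in"])
            entry["hosts"].add(m["host"])
            continue
        m = VPN_UP_RE.match(line)
        if m:
            entry = summary[normalize(m["conn"])]
            entry["selectors"].add((m["local"], m["remote"]))
            entry["hosts"].add(m["host"])
    return dict(summary)


def multi_sa_connections(summary):
    """Connections that negotiated more than one child SA (one per local/remote pair)."""
    return sorted(name for name, e in summary.items() if len(e["child_sas"]) > 1)


def report(log_text):
    """Human-readable per-connection summary, flagging multi-SA connections at the end."""
    summary = summarize(log_text)
    out = []
    for name in sorted(summary):
        e = summary[name]
        out.append(f"{name}: {len(e['child_sas'])} child SA(s), {len(e['selectors'])} selector pair(s), "
                   f"seen on {', '.join(sorted(e['hosts']))}")
        for sa, (spi_out, spi_in) in sorted(e["child_sas"].items()):
            out.append(f"  SA #{sa}: ESP out {spi_out} / in {spi_in}")
        for local, remote in sorted(e["selectors"]):
            out.append(f"  {local} <-> {remote}")
    flagged = multi_sa_connections(summary)
    if flagged:
        out.append("More than one child SA: " + ", ".join(flagged)
                   + " (a peer that keeps a single SA pair per tunnel drops all but the last one)")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real `/var/log/ipsec.log` excerpt instead of SAMPLE_LOG to see which connections carry several selector pairs. The Palo Alto tunnel in the thread tolerates several pairs because that peer maintains one child SA per pair; the script only tells you how many SAs exist, so whether a multi-SA connection is a problem depends on what the remote side supports.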