RED Split mode to IPSEC/Amazon VPC fails

I have an SG220 with one office using a RED15, and an Amazon VPC connection via IPSEC. Network layout is:

SG220 LAN: 172.21.0.0/16

RED: 172.22.2.0/24

IPSEC to Amazon VPC: 172.19.0.0/16

Goal: permit traffic between the Amazon VPC and RED networks.

I have set up the following:

  • Added Amazon VPC network to the Split Networks list on the RED connection.
  • Added RED network to the Local Networks on the IPSEC connection.
  • On the Amazon VPC side, VPN Connection, added the RED subnet as a Static Route.
  • Verified the Amazon VPC Route table contains the RED subnet as a route to the gateway, just like the SG LAN.

I can actually see the packets get all the way to the Amazon VPC, but no traffic goes back from Amazon to the RED network. Firewall rules seem fine (auto-created everywhere applicable).

Anything I missed?

  • Please insert pictures of the relevant configurations and status pages in the UTM.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Here is the remote connection to Amazon: remote network is 172.19.0.0/16:

    On the IPSEC connection I added the Ohio Office RED network as a local network:

    The RED connection is set to Split, with our LAN and the added Amazon network:

    Finally, at Amazon, the routes are propagated:

    From Amazon, I can ping through the tunnel to the LAN (172.21.1.20 for example) both ways, but not to/from the RED network.

    I can ping from LAN to/from the RED network.

    Here is the VERY weird thing: after some random amount of time, the RED network WILL connect to Amazon, and the LAN network can't. It's as if the Sophos-to-Amazon IPSEC connection will only handle one local network at a time, either the LAN or RED, but never both.

  • The mystery ping problem I cited literally JUST happened.

    Pings from an AWS server (IPSEC connection) to the LAN (172.21.1.20) began timing out at the precise moment pings to the RED network (172.22.2.129) passed through.

    Pings from the LAN to AWS also failed.

  • Whoa! I'm almost ready to recommend a witch doctor!

    If #1 in Rulz doesn't give any indications, it's time for a packet capture in the UTM.

    Cheers - Bob

  • EUREKA!

    Dug around a lot more and found this: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html

    Quoting:

    "To provide context for the following requirements, think of each VPN connection as consisting of 2 separate tunnels. Each tunnel contains an IKE Security Association, an IPsec Security Association, and a BGP Peering. You are limited to 1 unique Security Association (SA) pair per tunnel (1 inbound and 1 outbound), and therefore 2 unique SA pairs in total for 2 tunnels (4 SAs). Some devices use policy-based VPN and will create as many SAs as ACL entries. Therefore, you may need to consolidate your rules and then filter so you don't permit unwanted traffic."

    So, the fix:

    • At the UTM, IPSEC connection, remove the multiple "Local Network" entries and configure just one: 0.0.0.0/0 aka Any IPv4.
    • At Amazon, VPC, VPN Connections, add the Static Routes which are on the Sophos side of the connection.
    • Ensure firewall rules are sane on the Sophos; if you want belt and suspenders, also configure the Amazon VPC Subnets Network ACLs and EC2 Security groups.

    No NAT voodoo needed! The tunnel instantly passed both subnets through.

    I hope this will help other Sophos IPSEC Amazon VPC folks too.
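
As an added worked example (not part of the original thread, and not Sophos UTM or AWS code), the following Python script counts the SA pairs a policy-based peer would request for the selector lists described in this thread, checks them against the one-SA-pair-per-tunnel limit quoted from the AWS guide, and shows what a consolidated local selector admits beyond the two networks actually wanted (the "then filter" part of AWS's advice). The network prefixes are the ones posted in the thread; the "most recently negotiated selector wins" model of the flip-flop symptom, and every function name, are assumptions made for illustration.

```python
"""Added example: SA-pair counting and selector consolidation for a
policy-based IPsec peer talking to an AWS VPN connection.  Prefixes are the
ones from the thread; the rest is assumed for illustration."""
import ipaddress
from itertools import product

# AWS Network Admin Guide (quoted in the thread): one SA pair per tunnel.
AWS_SA_PAIRS_PER_TUNNEL = 1

# Networks from the thread.
SG_LAN = "172.21.0.0/16"
RED_NET = "172.22.2.0/24"
AWS_VPC = "172.19.0.0/16"


def selector_pairs(local_nets, remote_nets):
    """A policy-based peer negotiates one SA pair per (local, remote)
    selector, i.e. one per 'ACL entry' in AWS's wording."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_nets, remote_nets)]


def fits_aws_tunnel(local_nets, remote_nets):
    """True only if the peer will request at most one SA pair per tunnel."""
    return len(selector_pairs(local_nets, remote_nets)) <= AWS_SA_PAIRS_PER_TUNNEL


def smallest_covering_prefix(nets):
    """Widen the first prefix until it contains every network in nets; this
    is the tightest single selector that replaces the list."""
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def extra_coverage(selector, wanted):
    """Address space a consolidated selector admits beyond the networks
    actually wanted.  Whatever comes back here must be blocked by firewall
    rules (UTM) or NACLs/security groups (VPC) instead of by the tunnel."""
    selector = ipaddress.ip_network(selector)
    pieces = [selector]
    for w in (ipaddress.ip_network(n) for n in wanted):
        remaining = []
        for piece in pieces:
            if piece.subnet_of(w):
                continue                          # wholly wanted, drop it
            if w.subnet_of(piece):
                remaining.extend(piece.address_exclude(w))
            else:
                remaining.append(piece)           # disjoint, keep as-is
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))


def surviving_selector(negotiated):
    """Model of the symptom in the thread (an assumption, not AWS's actual
    implementation): a peer holding one SA pair per tunnel keeps only the
    most recently negotiated selector pair, so each new pair evicts the
    previous one."""
    return negotiated[-1] if negotiated else None


def reachable(negotiated, src, dst):
    """Would src -> dst be carried by whatever SA pair survived?"""
    sel = surviving_selector(negotiated)
    if sel is None:
        return False
    local, remote = sel
    return (ipaddress.ip_address(src) in local
            and ipaddress.ip_address(dst) in remote)


if __name__ == "__main__":
    # The original configuration: two local networks, one remote.
    broken = selector_pairs([SG_LAN, RED_NET], [AWS_VPC])
    print(len(broken), "SA pairs requested; AWS allows", AWS_SA_PAIRS_PER_TUNNEL)
    print("LAN still reachable once the RED SA came up:",
          reachable(broken, "172.21.1.20", "172.19.0.10"))

    # The fix from the thread: a single Any-IPv4 local selector.
    fixed = selector_pairs(["0.0.0.0/0"], [AWS_VPC])
    print("Any-IPv4 fits AWS:", fits_aws_tunnel(["0.0.0.0/0"], [AWS_VPC]),
          "LAN reachable:", reachable(fixed, "172.21.1.20", "172.19.0.10"))

    # The tighter alternative: one prefix that just covers LAN and RED.
    cover = smallest_covering_prefix([SG_LAN, RED_NET])
    print("tightest single selector:", cover)
    for p in extra_coverage(cover, [SG_LAN, RED_NET]):
        print("  also admitted by the tunnel:", p)
```

The thread's choice of 0.0.0.0/0 satisfies the limit but makes the tunnel carry anything the UTM routes into it, so the UTM firewall rules (and, as belt and suspenders, VPC NACLs and security groups) are what actually restrict traffic. The script also shows the tighter option: 172.20.0.0/14 is the smallest single prefix covering both 172.21.0.0/16 and 172.22.2.0/24, but it still admits 172.20.0.0/16, 172.23.0.0/16 and nearly all of 172.22.0.0/16, so it needs the same filtering, just over a smaller range.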