Fixing intermittent connectivity issues between AWS Site-to-Site VPN and Sophos firewalls

So if you set up a VPN between an AWS account and an on-premises network, with a Sophos firewall as the customer gateway device, it works fine as long as there is only one route to the on-premises network. But as soon as you start adding more routes to the VPN, you will start seeing connections drop intermittently.

I was going crazy because of this problem, and could not find the reason for it. Finally, I found the reason in the documentation itself.

Each VPN connection consists of 2 separate tunnels. Each tunnel contains an IKE Security Association, an IPsec Security Association, and a BGP Peering. You are limited to 1 unique Security Association (SA) pair per tunnel (1 inbound and 1 outbound), and therefore 2 unique SA pairs in total for 2 tunnels (4 SAs). Some devices use a policy-based VPN and create as many SAs as ACL entries. Therefore, you may need to consolidate your rules and then filter so you don’t permit unwanted traffic.

The Sophos firewall uses a policy-based VPN, so it creates a separate SA pair for every route you add, which exceeds the single SA pair per tunnel that AWS allows. If you face this problem, use a single, larger network range as the route so that only one SA pair is negotiated, and restrict which traffic is actually allowed across the tunnel with firewall rules.
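The following script is an added example, not part of the original post and not Sophos or AWS code. It models the behaviour described above: a policy-based VPN negotiates one SA pair per local/remote subnet combination (an assumption stated in the code, matching the "as many SAs as ACL entries" rule quoted from the documentation), so several VPC routes blow past the AWS limit of one SA pair per tunnel. It then computes the smallest summary route that covers all the VPC subnets, so the tunnel needs only one SA pair, and emits the firewall rules that re-tighten the traffic. All subnet values are constructed for the example.

```python
import ipaddress
from itertools import product

# Constructed sample networks (not taken from the post): three VPC subnets
# that an admin would otherwise add as three separate routes in the VPN policy.
VPC_SUBNETS = ["10.20.1.0/24", "10.20.2.0/24", "10.20.5.0/24"]
ONPREM_SUBNETS = ["192.168.10.0/24"]

# AWS Site-to-Site VPN: one unique SA pair (inbound + outbound) per tunnel.
AWS_SA_PAIRS_PER_TUNNEL = 1


def policy_sa_pairs(local_subnets, remote_subnets):
    """Number of SA pairs a policy-based VPN negotiates.

    Assumption: one SA pair per local/remote subnet combination, i.e. one per
    ACL entry, which is the behaviour the quoted documentation warns about.
    """
    return len(list(product(local_subnets, remote_subnets)))


def exceeds_aws_limit(local_subnets, remote_subnets):
    """True when the policy would create more SA pairs than AWS accepts per tunnel."""
    return policy_sa_pairs(local_subnets, remote_subnets) > AWS_SA_PAIRS_PER_TUNNEL


def summary_route(subnets):
    """Smallest single CIDR that covers every subnet in the list.

    Starting from the first subnet, widen the prefix one bit at a time until
    all subnets fit. This is the 'bigger network range' to use as the VPN route.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary


def allow_rules(summary, wanted_subnets):
    """Firewall rules that compensate for the widened route.

    Ordered first-match list: explicit allow for each subnet that should be
    reachable, then a deny for the rest of the summary range, so the wider
    route does not silently permit traffic to unwanted addresses.
    """
    rules = [("allow", str(ipaddress.ip_network(s))) for s in wanted_subnets]
    rules.append(("deny", str(summary)))
    return rules


if __name__ == "__main__":
    before = policy_sa_pairs(VPC_SUBNETS, ONPREM_SUBNETS)
    print(f"SA pairs with {len(VPC_SUBNETS)} routes: {before} "
          f"(AWS limit {AWS_SA_PAIRS_PER_TUNNEL} per tunnel)")
    summary = summary_route(VPC_SUBNETS)
    after = policy_sa_pairs([str(summary)], ONPREM_SUBNETS)
    print(f"Summary route {summary} -> SA pairs: {after}")
    for action, cidr in allow_rules(summary, VPC_SUBNETS):
        print(f"  {action:5} {cidr}")
```

With the constructed subnets, the three routes would negotiate three SA pairs against the single pair AWS accepts; replacing them with the computed summary route 10.20.0.0/21 brings that back to one, and the generated rule list keeps only the three original subnets reachable through the tunnel.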