
I've been following the instructions here: https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/

I can successfully get the VPN up and running, but I can't successfully ping internal IP addresses from behind the VPN.

Here's my setup: "On-prem" is simulated using a VPC with IP address: 172.19.0.0/16. The VPN is deployed on an EC2 instance in the subnet 172.19.16.0/20. This subnet has the following route table:

Destination     Target
172.19.0.0/16   local
172.21.0.0/16   eni-XXXXXXXXX
0.0.0.0/0       igw-XXXXXXXXX

Where eni-XXXXXXXXX is the network interface of the EC2 instance that has the VPN deployed on it.

My cloud VPC has the CIDR range: 172.21.0.0/16. I have an EC2 instance deployed in the 172.21.32.0/20 subnet which has the following route table:

Destination     Target
172.21.0.0/16   local
172.19.0.0/16   vgw-XXXXXXXXX
0.0.0.0/0       igw-XXXXXXXXX

Where the vgw-XXXXXXXXX is the virtual gateway associated with the VPN I have.

I can send traffic from my "on-prem" VPC into my cloud VPC successfully, but no traffic comes back out. I've tested this by SSHing into an EC2 instance in my "on-prem" VPC and then pinging a private IP address of an EC2 instance in my cloud VPC and I can see the pings are received by the EC2 instance in the cloud VPC, but my "on-prem" instance never receives the response.

I have checked my security groups and NACLs and they are not preventing this type of traffic.

Is there something misconfigured here?

  • Did you use route propagation, or did you manually enter your on-premise route in the cloud route table? Try propagation; if it works, then the problem will be around NACLs and SGs. If the propagation does not work, something is wrong with the tunnel. – b.b3rn4rd May 02 '22 at 23:34
  • I've tried both route propagation and not having route propagation. My NACLs and SGs are both open to all traffic from all locations (I know this is bad practice, but just for the purpose of testing), so I'm pretty sure that's not the issue. The tunnel says it's up, but how would I further test to ensure traffic is making its way through there? – nlarusstone May 03 '22 at 01:06
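As an added diagnostic (not part of the question or the AWS post), this checks the return direction of the tunnel on the strongSwan instance: it parses the child SA counters and traffic selectors in the layout `swanctl --list-sas` prints (that layout is an assumption; the sample output below is constructed) and flags where cloud-to-on-prem replies are being lost. The `ip_forward` and `src_dst_check` arguments are assumed to be fed from `sysctl net.ipv4.ip_forward` on the host and `aws ec2 describe-network-interface-attribute --attribute sourceDestCheck` for the instance ENI.

```python
import re

# Constructed sample in the layout of `swanctl --list-sas` on the strongSwan
# instance. Here the "out" counter rises while "in" stays at zero, which is the
# signature of the question's symptom: pings leave, replies never arrive.
SAMPLE = """\
Tunnel1: #1, ESTABLISHED, IKEv2
  local  'cgw' @ 203.0.113.10[4500]
  remote 'aws' @ 198.51.100.20[4500]
  Tunnel1: #2, reqid 1, INSTALLED, TUNNEL, ESP
    in  c1a2b3c4,      0 bytes,      0 packets
    out c4b3a2c1,   1680 bytes,     20 packets,     2s ago
    local  172.19.0.0/16
    remote 172.21.0.0/16
"""

def parse_child_sas(text):
    """Return {name: {'in': pkts, 'out': pkts, 'local': [cidr], 'remote': [cidr]}}."""
    sas, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(\S+): #\d+, reqid \d+, INSTALLED", line)
        if m:  # start of a CHILD_SA block; IKE_SA header lines are skipped
            cur = sas.setdefault(m.group(1), {"in": 0, "out": 0, "local": [], "remote": []})
            continue
        if cur is None:
            continue
        m = re.match(r"\s*(in|out)\s+\w+,\s+\d+ bytes,\s+(\d+) packets", line)
        if m:
            cur[m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"\s*(local|remote)\s+(\S+)", line)
        if m:
            cur[m.group(1)].append(m.group(2))
    return sas

def diagnose(sas, onprem_cidr, cloud_cidr, ip_forward, src_dst_check):
    """Findings for the cloud -> on-prem return path; an empty list means clean."""
    findings = []
    for name, sa in sas.items():
        if onprem_cidr not in sa["local"] or cloud_cidr not in sa["remote"]:
            findings.append(f"{name}: selectors {sa['local']}<->{sa['remote']} "
                            f"do not cover {onprem_cidr}<->{cloud_cidr}")
        elif sa["out"] and not sa["in"]:
            findings.append(f"{name}: {sa['out']} packets sent, 0 received: replies never "
                            f"enter the tunnel, check the cloud-side route for {onprem_cidr}")
        elif sa["in"]:  # replies are decrypted here, so the loss is local forwarding
            if not ip_forward:
                findings.append(f"{name}: replies decrypted but net.ipv4.ip_forward=0")
            if src_dst_check:
                findings.append(f"{name}: replies decrypted but the ENI still has "
                                "source/destination check enabled")
    return findings
```

Comparing the `in` counter against the ping count from the on-prem instance tells you which side of the tunnel to keep looking at.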

1 Answer


This is not an entirely satisfying answer, but I moved from using a Virtual Private Gateway to using a Transit Gateway and I was able to get it to work.

  • Would you mind sharing the details of how you used the transit GW to make it work? I also tried TGW and it is still not working. Any help is really appreciated. Thank you very much. I have also posted my config here https://stackoverflow.com/questions/76330108/strongswan-in-aws-ec2-in-vpc1-to-aws-site-to-site-vpn-in-vpc2-tunnel-working-b – Manoj May 25 '23 at 11:56