Site-to-Site VPN - On-prem network connectivity across AWS VPC subnets?

0

I've configured a single Site-to-Site VPN connection between my on-prem lab network and my AWS VPC subnet (see sample diagram at https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html#SingleVPN )

Site-to-Site VPN Connection configuration details

On-Prem subnet:  192.168.0.0/24  
AWS subnet:  172.31.32.0/20  

I'm able to ping private IP addresses both to/from EC2 instances residing in both subnets with no problems.

192.168.0.0/24 <------> 172.31.32.0/20 GOOD

However, I need to be able to also access my on-prem lab subnet from another AWS Subnet-- 172.31.64.0/20.

192.168.0.0/24 <------> 172.31.64.0/20

Is this supported or do I need another S2S VPN connection? So far, I've seen and recorded inconsistent behavior. At one point, I was able to ping from 172.31.64.0/20 to the on-prem subnet 192.168.0.0/24. It no longer works. And as far as I know, I've never been able to ping from the on-prem subnet to the subnet 172.31.64.0/20.

I've had trouble finding any support docs regarding what seems to be a very basic issue. I may be missing something simple here, so any advice would be greatly appreciated. I realize there may be limitations due to my on-prem VPN device, Meraki MX60 (does not support BGP, nor active/standby tunnels).

Thanks in Advance.

Edited by: djl2 on Apr 8, 2019 2:41 PM

More info-- It appears my on-prem Meraki VPN device can support only 1 AWS subnet per VPN connection. Final (dumb) question: Is there any possible way to configure the network so that traffic from my on-prem network to the AWS subnet can be routed through to an additional AWS subnet?

From the AWS S2S VPN configuration text file--

! AWS hosted VPN solution is a route-based solution, since Cisco Meraki only supports policy-based solution you will need to limit to a single SA. So please make sure to
! select "yes" for just one subnet, if you have more than one subnet, consolidate them into a single subnet before proceeding with the VPN configuration.

Under Organization-wide settings --> Non-Meraki VPN peers  
Name: ipsec-vpn-0xxxxxxxxxxx  
Public IP: 18.x.x.x  
Private subnets: <vpc_subnet>/<vpc_subnet_mask>  
IPsec policies: Click “Default”, select “AWS” under the Preset menu and "Update"  
Preshared secret: t4xxxxxxxxxxxxxxx  
Availability: All networks
djl2
asked 5 years ago, 646 views
1 answer
0

I found the answer for my situation. It's quite simple actually (as I figured it would be).

On my on-prem network's VPN connection settings (Meraki device), I changed the "private subnets" value to use the entire VPC CIDR block value (172.31.0.0/16) instead of a single subnet CIDR block (172.31.32.0/20). I'm now able to ping all AWS subnets from my on-prem lab network.

Final note: Even though I was originally attempting to access another single subnet from my on-prem network, I'm fine with allowing S2S VPN connectivity to all other subnets on the VPC as well.

djl2
answered 5 years ago
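The answer above boils down to a traffic-selector question: a policy-based peer negotiates one IPsec SA, so only traffic whose destination falls inside the configured "private subnets" range is sent through the tunnel. The following is an added example, not code from the thread or from Meraki/AWS, that checks a candidate selector against the subnets in the thread: which required subnets it misses, which additional subnets it makes reachable once widened to the VPC CIDR, and whether it collides with the on-prem range. The VPC subnets named "other-a" and "other-b" are constructed extras to show the widening effect.

```python
import ipaddress
from typing import Iterable

# Constructed from the values in the thread: on-prem lab range, the two VPC
# subnets discussed, plus two constructed extra VPC subnets in the same /16.
ON_PREM = ipaddress.ip_network("192.168.0.0/24")
VPC_SUBNETS = {
    "lab-reachable": ipaddress.ip_network("172.31.32.0/20"),
    "second-subnet": ipaddress.ip_network("172.31.64.0/20"),
    "other-a": ipaddress.ip_network("172.31.0.0/20"),    # constructed
    "other-b": ipaddress.ip_network("172.31.16.0/20"),   # constructed
}


def covered_subnets(selector: str, subnets: dict) -> dict:
    """Return {name: subnet} for every VPC subnet that lies inside the remote
    traffic selector, i.e. inside the single SA a policy-based peer builds."""
    sel = ipaddress.ip_network(selector)
    return {name: net for name, net in subnets.items() if net.subnet_of(sel)}


def selector_report(selector: str, needed: Iterable[str], subnets=VPC_SUBNETS) -> dict:
    """Evaluate a candidate "private subnets" value.

    missing          - subnets that must be reachable but fall outside the selector
    extra            - subnets the selector reaches beyond what was asked for
    overlaps_on_prem - True if the selector collides with the local range,
                       which would make routing ambiguous on the on-prem side
    """
    covered = covered_subnets(selector, subnets)
    wanted = set(needed)
    return {
        "missing": sorted(wanted - covered.keys()),
        "extra": sorted(covered.keys() - wanted),
        "overlaps_on_prem": ipaddress.ip_network(selector).overlaps(ON_PREM),
    }


if __name__ == "__main__":
    # Compare the original single-subnet selector with the VPC-wide one.
    for candidate in ("172.31.32.0/20", "172.31.0.0/16"):
        print(candidate, selector_report(candidate, ["lab-reachable", "second-subnet"]))
```

This only models the on-prem side of the policy; on the AWS side each VPC subnet's route table still needs a route for 192.168.0.0/24 toward the virtual private gateway, and the security groups must permit the traffic.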
