
VPC Site-2-Site VPN issue


Hello,

We have set up a Site-2-Site VPN from a VPC of ours to a Fortigate firewall. However, there appears to be a routing issue. When we ping their firewall, they receive the ICMP and reply back. But I do not receive the reply. It's the same for other types of traffic.

My question is how I would capture and see if the ICMP reaches us? Should I do it on the network interface of the EC2 the traffic is destined for? Or on a higher level? We allow ICMP from 0.0.0.0 on the EC2 SG.

Thanks

Adding some images here.

  • Are you trying to ping over the tunnel, or to the CGW of the Fortigate?

  • @Max Clements: when we do pings from our EC2 (172.31.38.164) we target a host that's behind the remote Fortigate. For example, the IP address 10.156.102.10.

Asked 1 year ago, 357 views
2 answers
2
Accepted answer

I actually solved this by adding the entire network 172.31.0.0/16 in the VPN tunnel instead of just the single EC2.

Answered 1 year ago
Expert
Reviewed 1 year ago
2

You can't add 172.31.0.0/16 to the VPN Static Routes on the AWS side as this is your VPC CIDR range. You only add routes here for networks to route VIA the VPN, such as the 10.156.102.0/24, and then propagate to the VGW.

I suggest you remove 172.31.0.0/16 or you're going to have issues, as it's overlapping your local VPC and it's only working because local has a higher priority than the VGW.

Expert
Answered 1 year ago
  • I did not have to remove it, it seems that AWS was smart enough to figure this out and ignore propagating that static route. But sure, it should be removed still.

  • It’s because a /32 is more specific than a /16. Defo remove it or you will be in for a world of pain. Cheers.
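The two points made in this answer and its comments, that a VPN static route must not overlap the VPC CIDR and that a /32 wins over a /16 by longest-prefix match, as an added example (not from the thread or from AWS) using the addresses quoted above; the route list and the "local"/"vgw" target labels are constructed for illustration:

```python
import ipaddress


def check_static_routes(vpc_cidr, static_routes):
    """Validate proposed VPN static routes against the VPC CIDR.

    Returns (accepted, rejected): a route is rejected when it overlaps the
    VPC's own address range, since that is reachable via the local route
    and should never be sent over the tunnel.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    accepted, rejected = [], []
    for route in static_routes:
        net = ipaddress.ip_network(route)
        if net.version == vpc.version and net.overlaps(vpc):
            rejected.append((str(net), f"overlaps VPC CIDR {vpc}"))
        else:
            accepted.append(str(net))
    return accepted, rejected


def select_route(destination, routes):
    """Longest-prefix match over a route table given as (cidr, target) pairs.

    Returns the (cidr, target) pair with the most specific match, or None.
    """
    ip = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    # Constructed sample: VPC CIDR and remote subnet from the thread.
    print(check_static_routes("172.31.0.0/16",
                              ["172.31.0.0/16", "10.156.102.0/24"]))
    # Constructed route table: the /32 for the EC2 beats the VPC /16.
    table = [("172.31.0.0/16", "local"), ("172.31.38.164/32", "vgw")]
    print(select_route("172.31.38.164", table))
```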
