I want to establish a site-to-site IPsec VPN connection between an AWS EKS Kubernetes cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not.
The server on the other end runs Ubuntu 20.04 and uses libreswan. The configuration file from AWS for the VPN for openswan has been altered in two ways (that I think should not matter):

- `auth=esp` has been commented out, as libreswan would not start otherwise (libreswan 3.29).
- The VPN has been configured to use VTI.
When sending an HTTP request from the AWS side, `tcpdump` on the libreswan side shows SYN arriving and SYN-ACK being sent back, while `tcpdump` on the EC2 instance (and in a pod as well) only registers SYN.
All incoming traffic has been allowed in security groups and ACLs etc.
I have set up SNAT as recommended here and have confirmed that SNAT works using `traceroute`. I think because of SNAT it should not matter anymore for this issue that EKS is used in this VPC.