I have a couple of suggestions here:
The objective is to establish communication between specific instances in an AWS subnet and the on-premises server while allowing flexibility to change to another VPC and subnet on our end.
- If you are trying to connect to multiple VPCs, try using Target Gateway as a Transit Gateway (TGW). You will not have to attach and detach since TGW will allow you to reach multiple VPCs.
[+] AWS Transit Gateway and AWS Site-to-Site VPN: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html
Note: If you modify the VPC-VGW association, there will be some interruption in traffic.
- As you said, the VPN tunnel status indicates that it is "up". You don't need to verify the Phase 1 and Phase 2 configuration. However, the document below has all the steps that you can follow to troubleshoot the connectivity issue.
[+] How do I troubleshoot VPN tunnel connectivity to an Amazon VPC? https://repost.aws/knowledge-center/vpn-tunnel-troubleshooting
In addition to the above, you can monitor the CloudWatch tunnel data IN and OUT metrics to check whether there is ESP traffic over the tunnel. Also, try capturing VPC flow logs to see whether traffic is reaching the instances.
[+] Monitoring VPN tunnels using Amazon CloudWatch - VPN metrics and dimensions - https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html#metrics-dimensions-vpn
[+] Create a flow log that publishes to CloudWatch Logs: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-cwl.html#flow-logs-cwl-create-flow-log
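The flow-log check suggested above, carried through as an added example (not part of the original answer or of any AWS tool): a small parser for the default VPC flow log record format that classifies each record as on-prem to subnet or subnet to on-prem and tallies ACCEPT/REJECT per direction. The on-prem CIDR (192.168.10.0/24), the subnet CIDR (10.0.1.0/24), the account ID, the ENI ID and the log lines themselves are all constructed for illustration; in practice you would feed it records pulled from the CloudWatch Logs group the flow log publishes to.

```python
import ipaddress
from collections import Counter

# Default VPC flow log record format (version 2), space separated.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample records (hypothetical account, ENI and addresses):
# an accepted SSH flow from on-prem with its return flow, an RDP attempt
# rejected at the ENI (security group or NACL), a NODATA interval, and an
# unrelated Internet flow that should be ignored.
SAMPLE_LOG = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.5 10.0.1.25 51234 22 6 10 840 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 192.168.10.5 22 51234 6 8 1200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 192.168.10.7 10.0.1.25 40000 3389 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.25 44444 443 6 5 400 1700000000 1700000060 ACCEPT OK",
]

# Verdict strings returned by diagnose(); kept as constants so callers can compare.
NO_INBOUND = "no packets from the on-prem CIDR reached the ENI: check tunnel TunnelDataIn and the VPC route table / VGW route propagation"
BLOCKED_AT_ENI = "on-prem packets reached the ENI but were rejected: check the security group and network ACL"
INBOUND_OK_NO_REPLY = "on-prem packets are accepted but no return flow is logged: check the instance itself (service, host firewall)"
BOTH_DIRECTIONS_OK = "traffic is accepted in both directions at the ENI; if on-prem still sees no reply, check the return route towards the on-prem CIDR"


def parse_record(line):
    """Split one default-format flow log line into a dict keyed by field name."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def summarize_vpn_flows(lines, onprem_cidr, subnet_cidr):
    """Count ACCEPT/REJECT records per direction between the two CIDRs.

    Records with log_status other than OK (NODATA, SKIPDATA) carry no
    addresses and are counted separately; flows not involving both CIDRs
    (for example Internet traffic) are counted as 'other'.
    """
    onprem = ipaddress.ip_network(onprem_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    summary = {
        "onprem_to_subnet": Counter(),
        "subnet_to_onprem": Counter(),
        "no_data": 0,
        "other": 0,
    }
    for line in lines:
        rec = parse_record(line)
        if rec["log_status"] != "OK":
            summary["no_data"] += 1
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in onprem and dst in subnet:
            summary["onprem_to_subnet"][rec["action"]] += 1
        elif src in subnet and dst in onprem:
            summary["subnet_to_onprem"][rec["action"]] += 1
        else:
            summary["other"] += 1
    return summary


def diagnose(summary):
    """Map the per-direction tallies to the next thing worth checking."""
    inbound = summary["onprem_to_subnet"]
    outbound = summary["subnet_to_onprem"]
    if sum(inbound.values()) == 0:
        return NO_INBOUND
    if inbound["ACCEPT"] == 0 and inbound["REJECT"] > 0:
        return BLOCKED_AT_ENI
    if outbound["ACCEPT"] == 0:
        return INBOUND_OK_NO_REPLY
    return BOTH_DIRECTIONS_OK


if __name__ == "__main__":
    result = summarize_vpn_flows(SAMPLE_LOG, "192.168.10.0/24", "10.0.1.0/24")
    for direction in ("onprem_to_subnet", "subnet_to_onprem"):
        print(direction, dict(result[direction]))
    print("no_data:", result["no_data"], "other:", result["other"])
    print(diagnose(result))
```

The useful distinction is between "no record at all" and "REJECT": flow logs are captured at the ENI, so a REJECT means the packet arrived from the tunnel and was dropped by the security group or network ACL, while a complete absence of records from the on-prem CIDR points back at the tunnel or at the VPC route table rather than at the instance.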
Has the VPN been successful in Phase 1?
If phase 1 is failing, troubleshoot according to the following document.
If phase 2 is failing, troubleshoot according to the following documentation.
Also, if you check the VPN logs and other logs of the customer gateway, you will probably see an error output that leads to the cause of the connection failure.