Site to Site VPN Setup

0

I am new to AWS...just setup my first VPC.

One subnet 10.12.0.0/16. Correction: one subnet 10.12.128.0/20... the VPC has a CIDR of 10.12.0.0/16

One EC2 (Windows) 10.12.132.112

One site-to-site VPN with corporate WatchGuard Firebox (10.1.0.0/16)

Tunnels show up.

To test I have one computer at corporate (10.1.7.107)

In the security group I created rules to allow all traffic...inbound and outbound.

Windows firewall configured to allow pings on both computers.

When I try to ping I am not getting responses.

On the corporate computer, I can get to the WatchGuard router (10.1.0.1)

On the EC2 Windows machine, I can ping its gateway (10.12.128.1)

What am I missing?

-Thanks

asked a year ago · 417 views
1 Answer
0
Accepted Answer

Are you using a static-route-based or BGP-based VPN? Does the route table associated with the EC2 subnet have a route for the corporate CIDR pointing towards the VGW? See more troubleshooting steps in the Knowledge Center article below:

https://aws.amazon.com/premiumsupport/knowledge-center/vpn-tunnel-troubleshooting/

AWS EXPERT
answered a year ago
  • Static route based.

    Yes, the EC2 subnet has a destination route (10.1.0.0/16) pointed to the VGW.

    Also, I just used the Reachability Analyzer to test from the Windows EC2 to the computer behind the corporate WatchGuard Firebox, 10.1.7.107.

    The result was "Reachable"

  • If you have checked security groups, NACLs, routes, and the VPN tunnels are UP, there is not much else to check on the AWS side other than perhaps running tcpdump on the EC2 and seeing if the request and response are seen when you ping from the corporate test machine. As a next step, check the CGW (WatchGuard) logs. Also test other TCP protocols such as SSH/RDP instead of ping; with this you can check the TCP 3-way handshake in the tcpdump captures (see the SYN, SYN-ACK, ACK) and see which side is not responding.

  • I am not familiar with tcpdump, but I did install Wireshark. I think that would provide what you are looking for.

    It looks like the ping requests are making it to the EC2 and the EC2 is returning them (there are some "no response found" entries).

    This is from the EC2.

    No.  Time      Source         Destination    Protocol  Length  Info
    76   0.867567  10.1.7.107     10.12.132.112  ICMP      74      Echo (ping) request  id=0x0001, seq=11679/40749, ttl=127 (reply in 77)
    77   0.867640  10.12.132.112  10.1.7.107     ICMP      74      Echo (ping) reply    id=0x0001, seq=11679/40749, ttl=128 (request in 76)
    159  2.142234  10.12.132.112  10.1.7.107     ICMP      74      Echo (ping) request  id=0x0001, seq=1036/3076, ttl=128 (no response found!)
    569  5.866597  10.1.7.107     10.12.132.112  ICMP      74      Echo (ping) request  id=0x0001, seq=11680/41005, ttl=127 (reply in 570)
    570  5.866674  10.12.132.112  10.1.7.107     ICMP      74      Echo (ping) reply    id=0x0001

  • Ran Wireshark on the corporate computer. Only seeing outbound ping requests... nothing from the EC2.

    No.   Time       Source      Destination    Protocol  Length  Info
    282   2.355061   10.1.7.107  10.12.132.112  ICMP      74      Echo (ping) request  id=0x0001, seq=12208/45103, ttl=128 (no response found!)
    651   7.340428   10.1.7.107  10.12.132.112  ICMP      74      Echo (ping) request  id=0x0001, seq=12209/45359, ttl=128 (no response found!)
    1217  12.359880  10.1.7.107  10.12.132.112  ICMP      74      Echo (ping) request  id=0x0001, seq=12210/45615, ttl=128 (no response found!)
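The two captures above are the kind of evidence the accepted answer asks for, and reading them side by side is what localises the fault: the EC2 side sees requests arrive and sends replies, while the corporate side never sees anything coming back from 10.12.132.112. The following script is an added example, not code from the thread or from AWS. It parses Wireshark summary rows (the sample rows are constructed from the two captures quoted above; the truncated last EC2 row is omitted), pairs each echo request with its reply by ICMP id and sequence, counts what each capture point saw in each direction, and states which direction of the tunnel is losing packets. Host addresses are the ones given in the question; everything else is an assumption of the example.

```python
"""Pair ICMP echo requests/replies from two capture points and locate the failing direction."""
import re
from collections import Counter

# Constructed sample rows, modelled on the Wireshark summaries quoted in the thread.
EC2_CAPTURE = """\
76 0.867567 10.1.7.107 10.12.132.112 ICMP 74 Echo (ping) request id=0x0001, seq=11679/40749, ttl=127 (reply in 77)
77 0.867640 10.12.132.112 10.1.7.107 ICMP 74 Echo (ping) reply id=0x0001, seq=11679/40749, ttl=128 (request in 76)
159 2.142234 10.12.132.112 10.1.7.107 ICMP 74 Echo (ping) request id=0x0001, seq=1036/3076, ttl=128 (no response found!)
569 5.866597 10.1.7.107 10.12.132.112 ICMP 74 Echo (ping) request id=0x0001, seq=11680/41005, ttl=127 (reply in 570)
570 5.866674 10.12.132.112 10.1.7.107 ICMP 74 Echo (ping) reply id=0x0001, seq=11680/41005, ttl=128 (request in 569)
"""
CORP_CAPTURE = """\
282 2.355061 10.1.7.107 10.12.132.112 ICMP 74 Echo (ping) request id=0x0001, seq=12208/45103, ttl=128 (no response found!)
651 7.340428 10.1.7.107 10.12.132.112 ICMP 74 Echo (ping) request id=0x0001, seq=12209/45359, ttl=128 (no response found!)
1217 12.359880 10.1.7.107 10.12.132.112 ICMP 74 Echo (ping) request id=0x0001, seq=12210/45615, ttl=128 (no response found!)
"""

# One Wireshark summary row: No. Time Source Destination Protocol Length Info
ROW_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)\s+ICMP\s+\d+\s+"
    r"Echo \(ping\) (?P<kind>request|reply) id=(?P<id>0x[0-9a-fA-F]+), seq=(?P<seq>\d+)/\d+"
)


def parse_rows(text):
    """Return one dict per ICMP echo row; lines that are not echo rows are skipped."""
    packets = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["no"], p["seq"] = int(p["no"]), int(p["seq"])
            packets.append(p)
    return packets


def echo_flows(packets):
    """Group packets by (initiator, target, id, seq) and note which halves were seen.

    A reply is keyed by swapping src/dst so it lands on the same key as its request.
    """
    flows = {}
    for p in packets:
        if p["kind"] == "request":
            key = (p["src"], p["dst"], p["id"], p["seq"])
        else:
            key = (p["dst"], p["src"], p["id"], p["seq"])
        flows.setdefault(key, {"request": False, "reply": False})[p["kind"]] = True
    return flows


def classify(flows, local_ip):
    """Count, from this capture point's view, inbound pings we answered and outbound pings answered."""
    counts = Counter()
    for (initiator, target, _id, _seq), seen in flows.items():
        if target == local_ip:        # the peer pinged this host
            counts["in_request"] += seen["request"]
            counts["in_replied"] += seen["reply"]
        elif initiator == local_ip:   # this host pinged the peer
            counts["out_request"] += seen["request"]
            counts["out_answered"] += seen["reply"]
    return counts


def diagnose(ec2_counts, corp_counts):
    """Compare both ends; each finding names the direction that is losing traffic."""
    findings = []
    if ec2_counts["in_request"] and ec2_counts["in_replied"] and not corp_counts["out_answered"]:
        findings.append("EC2 receives corporate pings and replies, but the replies never reach "
                        "corporate: the AWS->corporate direction is dropping traffic. Check the "
                        "subnet route to 10.1.0.0/16 via the VGW, NACL outbound rules and the CGW logs.")
    if ec2_counts["out_request"] and not corp_counts["in_request"]:
        findings.append("EC2-originated pings leave the instance but are never captured at corporate: "
                        "same AWS->corporate direction; the forward path from AWS side is at fault.")
    if corp_counts["out_request"] and not ec2_counts["in_request"]:
        findings.append("Corporate pings never reach EC2: corporate->AWS direction is dropping traffic "
                        "(CGW policy, VGW route propagation, security group / NACL inbound).")
    return findings


if __name__ == "__main__":
    ec2 = classify(echo_flows(parse_rows(EC2_CAPTURE)), "10.12.132.112")
    corp = classify(echo_flows(parse_rows(CORP_CAPTURE)), "10.1.7.107")
    print("EC2 view:", dict(ec2))
    print("Corporate view:", dict(corp))
    for finding in diagnose(ec2, corp):
        print("-", finding)
```

The pairing key is (initiator, target, ICMP id, sequence), so a reply is matched only to the request it answers and a capture from either side can be analysed with the same function; the per-direction counters are what let you say "the packets exist on side A and are absent on side B", which is the fact the CGW logs then need to explain.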
