Site to Site VPN setup - Tunnel Status is Down

1

Hi There: I'm NOT able to set up the Site to Site VPN; the Tunnel status is always Down. Any kind suggestion on this? Below are the steps I have done to simulate On-Premise to AWS. Thanks.

I guess Step 4 might be the key reason? I'm trying to set up Static Routing, but it looks like we are ONLY allowed to create a dynamic one, since the BGP ASN is required to be set? Months ago, the Customer Gateway page was NOT like that: no BGP ASN required, but a selection: Static or Dynamic.

Attention here: I'm trying to use Static Routing, NOT Dynamic.

1 - Created two VPCs in one region, named VPC-AWS (10.100.0.0/16) and VPC-OnPremise (10.200.0.0/16)

2 - Created OnPremise-Public-Subnet (10.200.1.0/24, with auto-assign public IP), attached the subnet to the newly created route table (OnPremise-Public-Route), which has an entry pointing to the IGW;

  Created AWS-Private-Subnet(10.100.1.0/24)

3 - Created two instances: OnPremise-Instance under OnPremise-Public-Subnet (automatically generated public IP, for example 1.2.3.4); confirmed this instance can reach anywhere;

  Created AWS-Instance under AWS-Private-Subnet (with a Security Group allowing all traffic from 0.0.0.0/0)

4 - Created Customer Gateway, with configuration below:

  0) Name: CGW-OnPremise

  1) BGP ASN: 65000 (I got confused by this part, since months ago this section did not exist; there was ONLY a choice of static or dynamic, and I was able to set up the site to site VPN connection without any problem at that time. NOT sure whether this means we are ONLY allowed to set up Dynamic Routing, since I think BGP here means dynamic routing, BUT I want to set up a static one, since so far I'm NOT familiar with dynamic routing)

  2) IP address: the public IP of OnPremise-Instance above
  Above is all the configuration.

5 - Create VGW

   0) Name: VGW-AWS

   1) Autonomous System Number: Amazon default ASN

   2) Attach it to VPC-AWS

   Above is all the configuration

6 - Create Site-to-Site VPN Connections

   0) Name: S2S-VPN-Connection

   1) Target gateway type: Virtual private gateway -> VGW-AWS

   2) Customer gateway: Existing -> CGW-OnPremise

   3) Routing options: Static -> (10.100.0.0/16, 10.200.0.0/16)

   Above is all the configuration for the connection

7 - Go to the route table for AWS-Private-Subnet and edit Route Propagation to YES.

8 - Download the configuration from S2S-VPN-Connection (select OpenSwan), then go to OnPremise-Instance, install OpenSwan, and configure it; one of the key parts is pasted below:

  # /etc/ipsec.d/aws.conf, Tunnel1 section as generated by the AWS download
  conn Tunnel1
      authby=secret                      # PSK, stored in the matching .secrets file
      auto=start                         # bring the tunnel up when ipsec starts
      left=%defaultroute                 # bind to the interface holding the default route (private IP of the EC2 instance)
      leftid=54.189.187.140              # IKE identity: the public IP registered as the customer gateway
      right=52.41.212.35                 # AWS tunnel outside IP address
      type=tunnel
      ikelifetime=8h                     # phase 1 lifetime expected by AWS
      keylife=1h                         # phase 2 lifetime expected by AWS
      phase2alg=aes128-sha1;modp1024     # ESP proposal with PFS group 2
      ike=aes128-sha1;modp1024           # IKE proposal with DH group 2
      keyingtries=%forever
      keyexchange=ike
      leftsubnet=10.200.0.0/16           # on-premise (customer gateway side) prefix
      rightsubnet=10.100.0.0/16          # AWS VPC prefix
      dpddelay=10                        # dead peer detection interval, seconds
      dpdtimeout=30
      dpdaction=restart_by_peer

9 - Then run: systemctl start ipsec and systemctl status ipsec. No errors; all looks good.

10 - I think all is set now, but I am NOT able to ping the AWS-Instance (AWS side) from OnPremise-Instance (OnPremise side)

asked 2 years ago · 2375 views
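The steps above describe a static-routed Site-to-Site VPN whose customer gateway is an EC2 instance running Openswan. The script below is an added example (not part of the original post or of the AWS-generated template): it parses the `conn Tunnel1` block pasted in step 8, compares its traffic selectors with the static routes entered in step 6 and the VPC CIDRs from step 1, and derives the host-side settings the customer-gateway instance needs. The function names, the findings format and the `required_peer_rules` checklist are this example's own conventions; the conn text, route list and CIDRs are copied from the post.

```python
"""Check an Openswan/Libreswan conn block against the AWS side of a
static-routed Site-to-Site VPN.  Added example; not code from the post."""
import ipaddress
import re

# Constructed sample: the conn block from step 8 of the post, re-indented.
CONN_TEXT = """\
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=54.189.187.140
    right=52.41.212.35
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=10.200.0.0/16
    rightsubnet=10.100.0.0/16
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
"""

# From step 6 (static routes on the VPN connection) and step 1 (AWS VPC CIDR).
VPN_STATIC_ROUTES = ["10.100.0.0/16", "10.200.0.0/16"]
AWS_VPC_CIDR = "10.100.0.0/16"


def parse_conn(text):
    """Return (conn_name, {key: value}) for a single conn block; '#' starts a comment."""
    name, params = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return name, params


def check_conn(params, static_routes, aws_vpc_cidr):
    """Return a list of findings (empty list = nothing obviously wrong)."""
    findings = []
    routes = [ipaddress.ip_network(r) for r in static_routes]
    aws_vpc = ipaddress.ip_network(aws_vpc_cidr)

    # An EC2 interface only carries the private address, so with %defaultroute the
    # IKE identity has to be pinned to the public IP registered as the customer gateway.
    if params.get("left") == "%defaultroute" and "leftid" not in params:
        findings.append("left=%defaultroute without leftid: IKE ID will be the private IP, "
                        "not the customer gateway address AWS expects")
    for key in ("right", "leftsubnet", "rightsubnet", "ike", "phase2alg"):
        if key not in params:
            findings.append(f"{key} is missing")

    # The VGW only forwards VPC traffic for prefixes in the static route list, so the
    # on-premise selector must be covered by one of them.
    if "leftsubnet" in params:
        ls = ipaddress.ip_network(params["leftsubnet"])
        if not any(ls.subnet_of(r) for r in routes):
            findings.append(f"leftsubnet {ls} is not inside any static route {static_routes}; "
                            "the VPC route table will have no route to it")
    if "rightsubnet" in params:
        rs = ipaddress.ip_network(params["rightsubnet"])
        if not rs.subnet_of(aws_vpc):
            findings.append(f"rightsubnet {rs} is not inside the AWS VPC CIDR {aws_vpc}")

    # Static routes are the on-premise prefixes; the VPC's own CIDR does not belong there.
    for r in routes:
        if r.subnet_of(aws_vpc):
            findings.append(f"static route {r} lies inside the AWS VPC CIDR {aws_vpc}: "
                            "it is the VPC's own prefix and is not needed as a static route")
    return findings


def required_peer_rules(params):
    """Host-side prerequisites for an EC2 instance acting as the customer gateway."""
    peer = params["right"]
    return {
        # IKE and NAT-T from the AWS tunnel endpoint must reach the instance.
        "security_group_inbound": [("udp", 500, peer), ("udp", 4500, peer)],
        # Needed only when the instance forwards decrypted traffic for other on-prem hosts.
        "sysctl": {"net.ipv4.ip_forward": 1,
                   "net.ipv4.conf.default.accept_redirects": 0,
                   "net.ipv4.conf.default.send_redirects": 0},
        "source_dest_check": False,
    }


if __name__ == "__main__":
    name, params = parse_conn(CONN_TEXT)
    print(name, check_conn(params, VPN_STATIC_ROUTES, AWS_VPC_CIDR))
    print(required_peer_rules(params))
```

Run against the posted block, the only finding is the static route for 10.100.0.0/16, which is the AWS VPC's own CIDR; the identity, selectors and proposal lines themselves are consistent with a static-routed connection. The checklist returned by `required_peer_rules` is what to verify next on the OnPremise-Instance and its security group.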
2 Answers
1

Have you disabled "source/destination checking" in the EC2 instance that is going to act as on-premises router? You can check this Networking lab - https://catalog.workshops.aws/networking/en-US/beginner/lab2/020-vpn - to see how you can create a S2S VPN with a simulated on-premises environment in AWS.

AWS
Pablo_S
answered 2 years ago
  • Thanks for the reply. I'm NOT pinging the AWS-Instance from an On-Premise server behind the Customer Gateway server, BUT pinging the AWS instance from the Customer Gateway/Device server DIRECTLY. Do I have to disable "source/destination checking" as well WHEN I'm ON the routing server (where OpenSwan is set up)? Anyway, I disabled "source/destination checking" on the Customer Gateway/Device On-Premise server (here the OnPremise-Instance documented in my post steps above); it still does NOT work. The tunnel status is still Down.
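The answer above concerns the source/destination check on the EC2 instance acting as the customer gateway, and the thread's underlying question is what AWS reports for the tunnel. The following is an added example, not code from the thread or from AWS: it uses the boto3 EC2 client call names and response shapes (`describe_instance_attribute`, `modify_instance_attribute`, `describe_vpn_connections`) to turn the check off idempotently and to read the per-tunnel telemetry the console shows as "Tunnel Status". The instance and VPN connection IDs are placeholders, `FakeEc2` is a constructed stand-in so it runs offline, and the second tunnel address 198.51.100.2 is a documentation-range placeholder; with credentials, pass `boto3.client("ec2")` instead.

```python
"""AWS-side checks for an EC2-hosted customer gateway.  Added example; the
client call shapes follow boto3's EC2 client, the data below is constructed."""


def ensure_source_dest_check_disabled(ec2, instance_id, apply=True):
    """Return True once the attribute is off; disables it when apply=True.

    The check only matters for packets the instance forwards on behalf of
    other on-prem hosts: decrypted traffic for them leaves the ENI with
    neither source nor destination equal to the instance's own address.
    """
    attr = ec2.describe_instance_attribute(InstanceId=instance_id,
                                           Attribute="sourceDestCheck")
    enabled = attr["SourceDestCheck"]["Value"]
    if not enabled:
        return True
    if apply:
        ec2.modify_instance_attribute(InstanceId=instance_id,
                                      SourceDestCheck={"Value": False})
        return True
    return False


def tunnel_report(ec2, vpn_connection_id):
    """Summarise the VPN connection: state, per-tunnel telemetry, static routes."""
    conn = ec2.describe_vpn_connections(
        VpnConnectionIds=[vpn_connection_id])["VpnConnections"][0]
    tunnels = [{
        "outside_ip": t["OutsideIpAddress"],
        "status": t["Status"],                      # "UP" or "DOWN"
        "message": t.get("StatusMessage", ""),
        "accepted_routes": t.get("AcceptedRouteCount", 0),
    } for t in conn.get("VgwTelemetry", [])]
    static_routes = [r["DestinationCidrBlock"] for r in conn.get("Routes", [])]
    return {"state": conn["State"], "tunnels": tunnels, "static_routes": static_routes}


def down_tunnels(report):
    """Outside IPs of tunnels AWS still reports as DOWN (nothing will ping until one is UP)."""
    return [t["outside_ip"] for t in report["tunnels"] if t["status"] != "UP"]


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client with the same call shapes."""

    def __init__(self):
        self.source_dest_check = True      # EC2 default for a new instance
        self.modify_calls = []

    def describe_instance_attribute(self, InstanceId, Attribute):
        assert Attribute == "sourceDestCheck"
        return {"InstanceId": InstanceId,
                "SourceDestCheck": {"Value": self.source_dest_check}}

    def modify_instance_attribute(self, InstanceId, SourceDestCheck):
        self.modify_calls.append((InstanceId, SourceDestCheck["Value"]))
        self.source_dest_check = SourceDestCheck["Value"]
        return {}

    def describe_vpn_connections(self, VpnConnectionIds):
        # Constructed telemetry: both tunnels down, matching the thread's symptom.
        return {"VpnConnections": [{
            "VpnConnectionId": VpnConnectionIds[0],
            "State": "available",
            "Routes": [{"DestinationCidrBlock": "10.200.0.0/16", "State": "available"}],
            "VgwTelemetry": [
                {"OutsideIpAddress": "52.41.212.35", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
                {"OutsideIpAddress": "198.51.100.2", "Status": "DOWN",
                 "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
            ],
        }]}


if __name__ == "__main__":
    ec2 = FakeEc2()                        # placeholder IDs below are not real resources
    print(ensure_source_dest_check_disabled(ec2, "i-0123456789abcdef0"))
    rep = tunnel_report(ec2, "vpn-0123456789abcdef0")
    print(rep["state"], down_tunnels(rep))
```

`ensure_source_dest_check_disabled` reads before it writes, so it is safe to run repeatedly; `tunnel_report` is the scripted equivalent of the console's Tunnel Status column, and `down_tunnels` is the gate to check before worrying about ICMP or security groups on the AWS-Instance.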

1

Hi, sometimes some routers don't accept special characters in pre-shared keys; you can check that part. During VPN connection creation you can manually use plain letters and numbers for the keys. Also, we have faced a similar issue; deleting and recreating the setup worked. Ping will work once the tunnel is up; make sure ICMP is allowed in the instance SG, and if 0.0.0.0/0 is not allowed (which is not recommended anyway), then it should be allowed for the on-prem IP/CIDR.

sourav
answered 2 years ago
  • Thanks for your comments. I re-examined both places you identified and do NOT see that they have a problem. I also re-copied the pre-shared keys; the tunnel remains down...
