Site to Site VPN setup - Tunnel Status is Down

1

Hi There: I'm NOT able set up the Site to Site VPN, the Tunnel status is Always down. Any kind suggestion on this? Below is the steps what I have done to simulate On-Premise to AWS. Thanks.

I guess the Step4 might be the key reason? I'm trying to setup Static Routing, but looks like we are ONLY allowed to create dynamic one? since the BGP ASN is required to be set? Months ago, the Custom Gateway front page is NOT like that, no BGP ASN required, but with selection: Static or Dynamic.

Attention here: I'm trying to use Static Routing, NOT Dynamic.

1 - Created Two VPCs in one region naming VPC-AWS(10.100.0.0/16) and VPC-OnPremise(10.200.0.0/16)

2 - Created OnPremise-Public-Subnet(10.200.1.0/24, and auto assign public ip), Attached the subnet to Newly created Route(OnPremise-Public-Route), which added entry to IGW;

  Created AWS-Private-Subnet(10.100.1.0/24)

3 - Created Two Instances: OnPremise-Instance under OnPremise-Public-Subnet(automatically generated public ip - for example: 1.2.3.4), confirmed this instance can reach to anywhere;

  Created AWS-Instance under AWS-Private-Subnet (with Security Group allowed for all traffic: 0.0.0.0/0)

4 - Created Customer Gateway, with configuration below:

  0) Name: CGW-OnPremise

  1) BGP ASN: 65000 (I got confused this part, since monthes ago, there's no this section, but with ONLY to choose static or dynamic, and I was able to set up the site to site vpn connection without any problem that time, NOT sure  whether this means we are ONLY allowed to setup Dynamic Routing? since I think BGP here means Dynamic routing - BUT I wants to setup Static one - Since so far I'm NOT familiar with Dynamic routing)

  2) IP addressInfo: the public-ip of OnPremise-Instance above
  Above are the all configuration.

5 - Create VGW

   0) Name: VGW-AWS

   1) Autonomous System Number: Amazon default ASN

   2) Attach it to VPC-AWS

   Above are the all configuration

6 - Create Site-to-Site VPN Connections

   0) Name: S2S-VPN-Connection

   1) Target gateway type: Virtual private gateway -> VGW-AWS

   2) Customer gateway: Existing -> CGW-OnPremise

   3) Routing options: Static -> (10.100.0.0/16, 10.200.0.0/16)

   Above are the all configurations for the configuration

7 - Go to the route table for AWS-Private-Subnet, Edit the Route Propogation to YES.

8 - Download the configuration from S2S-VPN-Connection(select OpenSwan), then Go to OnPremise-Instance, install OpenSwan, and configured properly, pasted one of the key part below:

conn Tunnel1

authby=secret

auto=start

left=%defaultroute

leftid=54.189.187.140

right=52.41.212.35

type=tunnel

ikelifetime=8h

keylife=1h

phase2alg=aes128-sha1;modp1024

ike=aes128-sha1;modp1024

keyingtries=%forever

keyexchange=ike

leftsubnet=10.200.0.0/16

rightsubnet=10.100.0.0/16

dpddelay=10

dpdtimeout=30

dpdaction=restart_by_peer

9 - Then run: systemctl start ipsec And systemctl status ipsec, No errors, all look good.

10 - I think all set now, but I am NOT able to ping through the AWS-Instance(AWS side) from OnPremise-Instance(OnPremise side)

asked 2 years ago2659 views
2 Answers
1

Have you disabled "source/destination checking" in the EC2 instance that is going to act as on-premises router? You can check this Networking lab - https://catalog.workshops.aws/networking/en-US/beginner/lab2/020-vpn - to see how you can create a S2S VPN with a simulated on-premises environment in AWS.

AWS
Pablo_S
answered 2 years ago
  • Thanks for the reply. I'm NOT ping the AWS-Instance from a On-Premise server Behind the Customer Gateway setting-up server, BUT ping the AWS instance from the Customer Gateway/Device server DIRECTLY. Do I have to disable the "source/destination checking" as well WHEN I'm ON the routing server(where the OpenSwan is setup) ? Anyway, I disabled the "source/destination checking" on the Customer Gateway/Device On-Premise server(Here's the OnPremise-Instance documented in my post steps above), it still does NOT work - The tunnel status is still Down.

1

Hi, sometimes some router doesn't accept special character in pre-shared keys, you can check on that part, during vpn connection creation you can manually use normal strings and numbers for keys. Also, we have faced similar issue , while deleting and creating the setup it worked. Ping will work once the tunnel is up, make sure icmp is allowed in instance sg and if not 0.0.0.0/0 allowed(not recommended) then that should be allowed for on-prem ip/cidr.

sourav
answered 2 years ago
  • Thanks for your comments. I re-examined both places you identified, do NOT see they have problem, I also re-copied the pre-shared keys, tunnel remains down...

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions