Hi,
an AWS site-to-site VPN tunnel is always route-based. You should configure the Cisco ASA end of the connection as route-based (https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html). In AWS, you should set both the "Local IPv4 Network Cidr" and "Remote IPv4 Network Cidr" settings to 0.0.0.0/0.
The reason why only one VPC is reachable at a time is that one AWS site-to-site VPN connection only permits one security association in each direction to be active at one time. When you configure a policy-based tunnel on the ASA with several IP networks configured in the encryption domain, the ASA will establish a separate security association for each combination of IP networks (traffic selectors) communicating over the tunnel.
For example, if you have the CIDR blocks 10.12.0.0/16 and 10.45.0.0/16 configured for your VPCs, and the site-to-site VPN connects them to a single on-premises CIDR block 10.240.0.0/16, then traffic from on premises to the first VPC will cause a security association to be established from 10.240.0.0/16 to 10.12.0.0/16. When traffic is attempted to the other VPC, the first pair of SAs will be torn down and new ones established between 10.240.0.0/16 and 10.45.0.0/16. That's the phenomenon you are seeing.
When you configure a route-based VPN on the ASA, it will only establish one security association in each direction, with 0.0.0.0/0 on both sides of the tunnel. Regardless of how many VPCs and on-premises networks you have, they will all be reachable without having to establish additional SAs.
Note that the cryptographic settings in the examples in Cisco's article are seriously weak. AWS site-to-site VPN supports the most secure settings recognised by the ASA.
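The selector behaviour this answer describes, modelled as an added Python example (not code from the answer, AWS or Cisco): a policy-based ASA negotiates one SA pair per CIDR combination while AWS keeps only one pair active, so alternating between VPCs forces a renegotiation each time, whereas a route-based 0.0.0.0/0 selector never does. The networks, hosts and the simplified AWS tunnel model are constructed assumptions for illustration.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample networks mirroring the answer's example (not the poster's real config).
ON_PREM = ["10.240.0.0/16"]
VPCS = ["10.12.0.0/16", "10.45.0.0/16"]

def policy_based_selectors(local_cidrs, remote_cidrs):
    """Policy-based ASA: one traffic-selector pair (and one SA pair) per CIDR combination."""
    return [(ip_network(l), ip_network(r)) for l, r in product(local_cidrs, remote_cidrs)]

def route_based_selectors():
    """Route-based (VTI) ASA with AWS local/remote CIDR set to 0.0.0.0/0: a single selector."""
    return [(ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))]

class AwsVpnTunnel:
    """Simplified model (assumption): AWS keeps only one child SA active per direction on a
    tunnel, so negotiating a new selector pair replaces the one currently in use."""

    def __init__(self, selectors):
        self.selectors = selectors
        self.active = None   # (local, remote) selector pair currently installed
        self.renegotiations = 0

    def send(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        for local, remote in self.selectors:
            if src in local and dst in remote:
                if self.active != (local, remote):
                    if self.active is not None:
                        self.renegotiations += 1  # old SA torn down, new one built
                    self.active = (local, remote)
                return True
        return False  # nothing matches the encryption domain: traffic is dropped

def simulate(selectors, flows):
    """Return (packets delivered, SA renegotiations) for a sequence of (src, dst) flows."""
    tunnel = AwsVpnTunnel(selectors)
    delivered = sum(tunnel.send(s, d) for s, d in flows)
    return delivered, tunnel.renegotiations

# Constructed flows: an on-premises host alternating pings between devices in the two VPCs.
FLOWS = [("10.240.1.10", "10.12.0.5"), ("10.240.1.10", "10.45.0.5")] * 2

if __name__ == "__main__":
    print("policy-based:", simulate(policy_based_selectors(ON_PREM, VPCS), FLOWS))  # (4, 3)
    print("route-based: ", simulate(route_based_selectors(), FLOWS))                # (4, 0)
```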
Thanks for the response. So we tore down the static VPN and we are using BGP or Dynamic. When you set up a BGP tunnel, it keeps 2 tunnels active. What we are seeing now is that traffic is going through one tunnel and coming back through the other, which is resulting in sometimes not being able to ping some devices in some VPCs. Sometimes we can ping the device, sometimes we can't. Cisco seems to think that it's on the AWS side, with traffic trying to come back through the other tunnel. Have you seen this scenario?