AWS Site-to-Site VPN authentication failing for Customer Gateway behind NAT device
We are creating an AWS Site-to-Site VPN connection between a client's on-premises network and our AWS VPC. The client receives an authentication error when attempting to establish a connection (using a pre-shared key).
In order to debug this, we ran strongSwan on an EC2 instance to be able to inspect the logs and traffic. While doing this, we could see that they were attempting to connect from IP address 1 (e.g. 22.214.171.124) but using IP address 2 (e.g. 126.96.36.199) as an ID. When we set up strongSwan to authenticate against IP address 2 (e.g. 188.8.131.52), the connection was established successfully. We have since learned that IP address 1 (e.g. 184.108.40.206) is their NAT device, and IP address 2 (e.g. 220.127.116.11) is their customer gateway device.
To my question: how can I set up the AWS Site-to-Site VPN connection and customer gateway so that they can be authenticated successfully? If I create the customer gateway with IP address 1 (e.g. 18.104.22.168, NAT device) they can connect but can't authenticate. If I create the customer gateway with IP address 2 (e.g. 22.214.171.124, customer gateway device) they can't connect at all.
If you can specify the CGW make and model and the exact error seen in the logs, that would be helpful.
If you have a NAT device in front of the CGW, then you must use the public IP of the NAT device. It is documented here:
Internet-routable IP address (static) of the customer gateway device's external interface - The public IP address value must be static. If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.
As for the PSK: are you using an auto-generated PSK? You can replace it; instructions are here:
To change the IKE pre-shared key
You can modify the tunnel options for the Site-to-Site VPN connection and specify a new IKE pre-shared key for each tunnel. For more information, see Modifying Site-to-Site VPN tunnel options.
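As an added example (not part of the question or the answer above), assuming the on-premises customer gateway is a strongSwan host behind the NAT device: an ipsec.conf fragment that sends the NAT device's public IP as the IKE identity, so that the ID AWS receives matches the customer gateway address entered in AWS rather than the private address observed in the question. All addresses are constructed placeholders; the AWS tunnel outside IP and the PSK are assumed to come from the downloaded VPN configuration.

```ini
# Customer gateway (strongSwan) behind a NAT device, one AWS tunnel shown.
# Constructed placeholder addresses:
#   203.0.113.10 = public IP of the NAT device (the value entered as the AWS customer gateway)
#   192.168.1.10 = private IP of the strongSwan host behind the NAT
#   198.51.100.1 = AWS tunnel outside IP (from the downloaded VPN configuration)
config setup
    charondebug="ike 2, cfg 2"      # logs peer-config matching as "addr[id]...addr[id]", which is
                                    # where an address/identity mismatch shows up on failure

conn aws-tunnel1
    keyexchange=ikev2
    authby=secret                   # pre-shared key, stored in ipsec.secrets
    left=192.168.1.10               # address the host actually binds; the NAT rewrites it to 203.0.113.10
    leftid=203.0.113.10             # IKE identity AWS compares with the customer gateway IP; must be the NAT public IP
    leftsubnet=10.10.0.0/16         # on-premises network (placeholder)
    right=198.51.100.1              # AWS tunnel outside IP
    rightid=198.51.100.1
    rightsubnet=10.20.0.0/16        # VPC CIDR (placeholder)
    ike=aes256-sha256-modp2048!     # phase 1 proposal supported by AWS (DH group 14)
    esp=aes256-sha256!              # phase 2 proposal
    ikelifetime=8h
    lifetime=1h
    dpdaction=restart
    auto=start
# NAT-T encapsulates ESP in UDP 4500, so that port must be allowed through the NAT device and firewall
# in addition to UDP 500 for IKE.
```

The matching ipsec.secrets entry must be keyed on the same identities, e.g. `203.0.113.10 198.51.100.1 : PSK "<psk from downloaded configuration>"`, otherwise strongSwan selects no secret even though the IDs now agree.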