By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Site-to-Site VPN authentication failing for Customer Gateway behind NAT device

0

We are creating an AWS Site-to-Site VPN connection between a client's on-premise network and our AWS VPC. The client receives an authentication error when attempting to establish a connection (using a pre-shared key).

In order to debug this, we ran strongSwan on an EC2 instance to be able to inspect the logs and traffic. While doing this, we could see that they were attempting to connect from IP address 1 (e.g. 1.0.0.1) but using IP address 2 (e.g. 1.0.0.2) as an ID. When we setup strongSwan to authenticate against IP address 2 (e.g. 1.0.0.2), the connection was established successfully. We have since learned that IP address 1 (e.g. 1.0.0.1) is their NAT device, and IP address 2 (e.g. 1.0.0.2) is their customer gateway device.

To my question: how can I setup the AWS Site-to-Site VPN connection and customer gateway so that they can be authenticated successfully? If I create the customer gateway with IP address 1 (e.g. 1.0.0.1, NAT device) they can connect but can't authenticate. If I create the customer gateway with IP address 2 (e.g. 1.0.0.2, customer gateway device) they can't connect at all.

  • Tushar_J EXPERT
    3 years ago

    If you can specify the CGW make and model and exact error seen in the logs that would be helpful

Topics
Networking & Content Delivery
Tags
Networking & Content DeliveryAWS Virtual Private Network (VPN)
Language
English
rudi
asked 3 years ago811 views
1 Answer
1

Hello Rudi,

If you have NAT device in front of the CGW then you must use the Public IP of the NAT device. It is documented here

Internet-routable IP address (static) of the customer gateway device's external interface - The public IP address value must be static. If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.

As for the PSK - are you using auto-generated PSK? you can replace it, instrcutions are here

To change the IKE pre-shared key

You can modify the tunnel options for the Site-to-Site VPN connection and specify a new IKE pre-shared key for each tunnel. For more information, see Modifying Site-to-Site VPN tunnel options

profile pictureAWS
EXPERT
Tushar_J
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content