Site to Site VPN with Private and Public - Mikrotik


I've set up the tunnels exactly as per the instructions (although their instructions for the Mikrotik are out of date).

Both tunnels are up. I can ping the other side of each tunnel's interior 169 IP Address.

I spin up an EC2 instance in a private network on a /24. Let's use I create a security group allowing SSH and ICMP from It does not have a public IP.

I make sure my side (Mikrotik) has the route to that via the other end tunnel IP address. So from my Mikrotik router I should be able to ping from my exterior IP address. It does not ping.

I don't have NAT on that IP address at the Mikrotik, so no firewall rules are necessary. However, just to rule that out, I set up a rule to accept input from ipsec/ike from the other side.

Static routes on the Site to Site on the AWS side for the Virtual Private Gateway are all the subnets on the Mikrotik side that would be contacting it.

It just seems that from the interior AWS 169.x.x.x IP address to the EC2 instance can't communicate or will not route back through the tunnel.

Desperate for help on this one. I know I've followed all of the instructions to the letter and have tried multiple approaches without luck.

asked 3 years ago, 952 views
1 Answer

Figured it out on my end.

answered 3 years ago
