Hi,
I got the VPN working.
The problem was that to open the tunnel you need to initiate a ping request (it really isn't mentioned in the newer documentation for IKEv2). The tunnel is now open.
However, I cannot ping my EC2 or RDP into it. I created inbound security rules that should allow me to ping and RDP from the static IP of my on-prem VPN; however, it doesn't work. It is odd because the S2S tunnel is on the same subnet as the EC2. So, there should not be any issue as far as I can see. I could understand if the EC2 was on another VPC.
Have you checked this Knowledge center article: https://repost.aws/knowledge-center/vpn-connection-instability
Basically, if you can't summarize your subnets into one, then use 0.0.0.0/0 as the subnet for the encryption domain/interesting traffic. This is an issue only for policy-based VPN; if you use route-based static/BGP you can use multiple subnets (SAs).
Short description
When you use a policy-based VPN connection to connect to an AWS VPN endpoint, AWS limits the number of security associations to a single pair. The single pair includes one inbound and one outbound security association.
Policy-based VPNs with more than one pair of security associations will drop existing connections when new connections with different security associations initiate. This behavior indicates that a new VPN connection has interrupted an existing one.
Resolution
Limit the number of encryption domains (networks) with access to your VPC. If you have more than one encryption domain behind your VPN's customer gateway, then configure them to use a single security association. To check if multiple security associations exist for your customer gateway, see Troubleshooting your customer gateway device. Configure your customer gateway to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC Classless Inter-Domain Routing (CIDR) to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. This configuration also allows networks that aren't defined in the policy to access the VPC.
If possible, implement a traffic filter on your customer gateway to block unwanted traffic to your VPC. Configure security groups to specify what traffic can reach your instances. Also configure network access control lists (network ACLs) to block unwanted traffic to subnets.
Does the VPC subnet in which the EC2 resides have a route for the on-premises subnet pointing towards the VGW/TGW? If the SG/NACL is correct, routing is usually the issue.
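The three checks the replies above point at (route table entry for the on-premises network towards the VGW/TGW, security group rules, and the stateless network ACL in both directions) can be walked through offline. The following is an added example written for this thread, not code from the original post or from AWS; every CIDR, IP, gateway ID and rule in it is constructed to look like describe-route-tables / describe-security-groups / describe-network-acls output, and it assumes that traffic arriving through the site-to-site tunnel carries a source address from the on-premises LAN.

```python
"""Offline walk-through of the "tunnel is up but I cannot ping or RDP" checks:
  1. does the EC2 subnet's route table send the on-prem network to a VGW/TGW,
  2. does the security group admit ICMP echo and TCP/3389 from the source
     address seen inside the tunnel,
  3. do the stateless network ACL ingress and egress entries admit both directions.
All data below is constructed (hypothetical); none of it comes from the thread."""
import ipaddress

ONPREM_CIDR = "192.168.10.0/24"   # constructed on-prem LAN (encryption domain)
ONPREM_HOST = "192.168.10.25"     # constructed source seen inside the tunnel (assumption)
RDP_PORT = 3389

# Constructed route table for the EC2 subnet: local VPC route plus an internet
# default route, nothing for the on-prem network (the "before" state).
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
]}
# Same table after VGW route propagation (constructed "after" state).
FIXED_ROUTE_TABLE = {"Routes": ROUTE_TABLE["Routes"] + [
    {"DestinationCidrBlock": ONPREM_CIDR, "GatewayId": "vgw-EXAMPLE",
     "Origin": "EnableVgwRoutePropagation"},
]}
SECURITY_GROUP = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
     "IpRanges": [{"CidrIp": ONPREM_CIDR}]},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,   # ICMP type 8 = echo request
     "IpRanges": [{"CidrIp": ONPREM_CIDR}]},
]}
NETWORK_ACL = {"Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ONPREM_CIDR, "PortRange": {"From": RDP_PORT, "To": RDP_PORT}},
    {"RuleNumber": 110, "Egress": False, "Protocol": "1", "RuleAction": "allow",
     "CidrBlock": ONPREM_CIDR, "IcmpTypeCode": {"Type": -1, "Code": -1}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]}
_NACL_PROTO = {"tcp": "6", "udp": "17", "icmp": "1"}   # NACLs use IANA protocol numbers


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def route_for(route_table, dst_cidr):
    """Longest-prefix match, as the VPC router does: (destination, target) or None."""
    dst, best = _net(dst_cidr), None
    for r in route_table["Routes"]:
        rn = _net(r["DestinationCidrBlock"])
        if dst.subnet_of(rn) and (best is None or rn.prefixlen > best[0].prefixlen):
            best = (rn, r.get("GatewayId") or r.get("TransitGatewayId") or "?")
    return None if best is None else (str(best[0]), best[1])


def sg_allows(sg, proto, port, src_ip):
    """Stateful SG check; port is a TCP/UDP port or, for icmp, the ICMP type.
    Replies are admitted automatically, so only the ingress rule matters."""
    src = ipaddress.ip_address(src_ip)
    for p in sg["IpPermissions"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        lo, hi = p.get("FromPort", -1), p.get("ToPort", -1)
        if p["IpProtocol"] != "-1":
            if not (lo in (-1, port) if proto == "icmp" else lo <= port <= hi):
                continue
        if any(src in _net(r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
    return False


def nacl_allows(nacl, egress, proto, port, remote_ip):
    """Stateless NACL check: lowest matching rule number wins; no match means deny."""
    remote = ipaddress.ip_address(remote_ip)
    for e in sorted((x for x in nacl["Entries"] if x["Egress"] == egress),
                    key=lambda x: x["RuleNumber"]):
        if remote not in _net(e["CidrBlock"]) or e["Protocol"] not in ("-1", _NACL_PROTO[proto]):
            continue
        if e["Protocol"] != "-1":
            if proto == "icmp":
                if e.get("IcmpTypeCode", {}).get("Type", -1) not in (-1, port):
                    continue
            else:
                pr = e.get("PortRange", {"From": 0, "To": 65535})
                if not pr["From"] <= port <= pr["To"]:
                    continue
        return e["RuleAction"] == "allow"
    return False


def diagnose(route_table, sg, nacl, onprem_cidr, onprem_host):
    """One boolean per check; a False is where to look first."""
    route = route_for(route_table, onprem_cidr)
    return {
        "route_to_onprem_via_vgw_or_tgw": bool(route) and route[1].startswith(("vgw-", "tgw-")),
        "sg_rdp": sg_allows(sg, "tcp", RDP_PORT, onprem_host),
        "sg_ping": sg_allows(sg, "icmp", 8, onprem_host),
        "nacl_rdp_in": nacl_allows(nacl, False, "tcp", RDP_PORT, onprem_host),
        # the RDP reply leaves towards the client's ephemeral port; 49152 stands in for that range
        "nacl_rdp_reply_out": nacl_allows(nacl, True, "tcp", 49152, onprem_host),
        "nacl_ping_in": nacl_allows(nacl, False, "icmp", 8, onprem_host),
        "nacl_ping_reply_out": nacl_allows(nacl, True, "icmp", 0, onprem_host),   # type 0 = echo reply
    }


if __name__ == "__main__":
    for name, table in (("current", ROUTE_TABLE), ("after VGW propagation", FIXED_ROUTE_TABLE)):
        print(name, diagnose(table, SECURITY_GROUP, NETWORK_ACL, ONPREM_CIDR, ONPREM_HOST))
```

With the constructed data the security group and NACL checks all pass and only the route check fails, which is the case the last reply describes: the subnet's route table sends the on-premises prefix to the internet gateway via the default route instead of to the VGW/TGW, and enabling route propagation (the "after" table) is what turns that check green. To use the same logic on real data, feed it the JSON from the corresponding describe calls for the subnet's route table, the instance's security group and the subnet's network ACL.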