Cisco Meraki S2S Connection not working


Following this guide, which may be a bit outdated: https://ritcsec.wordpress.com/2018/08/12/a-visual-guide-to-setting-up-a-meraki-to-aws-site-to-site-vpn/

Followed all the steps contained within. I have no problem getting our Azure S2S tunnel up and running using Meraki, so I don't think there's any problem with the Meraki side.

Not sure if this is the issue

"AWS hosted VPN solution is a route-based solution, since Cisco Meraki only supports policy-based solution you will need to limit to a single SA. So please make sure to select "yes" for just one subnet, if you have more than one subnet, consolidate them into a single subnet before proceeding with the VPN configuration."

On our Meraki side we have:

  1. the AnyConnect subnet,
  2. a default traffic subnet (when someone connects to our AnyConnect VPN, they are given an IP here),
  3. a subnet that's not in use at all but is in VPN mode.

Any idea what I am missing here? I can't find any clues in the Meraki event logs, and there are no logs going to Amazon CloudWatch even though I have enabled it and made a log group for the VPN logs to go to.

2 Answers
0

Hi,

I got the VPN working,

The problem was that to open the tunnel you need to initiate a ping request (it really isn't mentioned in the newer documentation for IKEv2). The tunnel is now open.

However, I cannot ping my EC2 or RDP into it. I created inbound security rules that should allow me to ping and RDP from the static IP of my on-prem VPN; however, it doesn't work. It is odd because the S2S tunnel is on the same subnet as the EC2. So, there should not be any issue as far as I can see. I could understand if the EC2 was on another VPC.

answered a year ago
  • Does the VPC subnet in which the EC2 resides have a route pointing to the on-premises subnet via the VGW/TGW? If the SG/NACL is correct, routing is usually the issue.
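The comment above names the two things to verify before blaming the tunnel: the instance subnet's route table must send the on-premises CIDR to the VGW/TGW, and the security group must admit the traffic. The script below is an added example (not code from the original thread or from AWS) that checks both against data shaped like `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` output. All IDs and addresses are constructed. It assumes the customer gateway does not NAT, so packets arriving through the tunnel carry the on-premises host's private address as source rather than the customer gateway's public IP; a security group rule written for the public IP therefore never matches tunnelled traffic.

```python
"""Added example: diagnose why an on-premises host cannot reach an EC2 instance
over a site-to-site VPN. Checks (1) the subnet's route table has a route for the
on-prem CIDR that targets a VGW/TGW and (2) the security group admits the traffic
from the on-prem *private* range. Data below is constructed, not real output."""
import ipaddress

ROUTE_TABLES = [
    {   # Default route to an internet gateway, nothing for on-prem: return path is lost.
        "RouteTableId": "rtb-0a1b2c3d",
        "Associations": [{"SubnetId": "subnet-0123abcd"}],
        "Routes": [
            {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f0f0f0f", "State": "active"},
        ],
    },
    {   # Static route for the on-prem range via the virtual private gateway.
        "RouteTableId": "rtb-9e8d7c6b",
        "Associations": [{"SubnetId": "subnet-89ef0123"}],
        "Routes": [
            {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0c0c0c0c", "State": "active"},
        ],
    },
]

SECURITY_GROUPS = {
    "sg-0abc1234": {"IpPermissions": [
        # RDP only from the customer gateway's public IP (assumption: no NAT on the
        # gateway, so tunnelled packets never carry this source and the rule is dead).
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.7/32"}]},
        # ICMP, all types, from the on-prem private range: this one matches.
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
    ]},
}


def route_table_for_subnet(subnet_id, route_tables):
    """Explicit association wins; otherwise fall back to the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def matching_route(dest_cidr, route_table):
    """Longest-prefix match over active IPv4 routes, as the VPC router selects."""
    dest = ipaddress.ip_network(dest_cidr)
    best = None
    for route in route_table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if cidr is None or route.get("State", "active") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if dest.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def points_at_vpn(route):
    """On-prem traffic must leave via a virtual private gateway or transit gateway."""
    return route.get("GatewayId", "").startswith("vgw-") or "TransitGatewayId" in route


def _port_match(perm, protocol, port):
    if perm["IpProtocol"] == "-1":          # all traffic
        return True
    lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
    if protocol == "icmp":                  # FromPort is the ICMP type; -1 means all types
        return lo == -1 or lo == port
    return lo <= port <= hi


def sg_allows(sg, protocol, port, src_cidr):
    """True if an ingress rule covers protocol/port from a range containing src_cidr."""
    src = ipaddress.ip_network(src_cidr)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in (protocol, "-1") or not _port_match(perm, protocol, port):
            continue
        if any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
            return True
    return False


def diagnose(subnet_id, sg_id, on_prem_cidr, protocol, port,
             route_tables=ROUTE_TABLES, security_groups=SECURITY_GROUPS):
    """Return (ok, reason) for traffic from on_prem_cidr to an instance in subnet_id."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return False, f"{subnet_id}: no route table associated"
    route = matching_route(on_prem_cidr, rt)
    if route is None:
        return False, f"{rt['RouteTableId']}: no route covers {on_prem_cidr}"
    if not points_at_vpn(route):
        return False, (f"{rt['RouteTableId']}: {on_prem_cidr} matches {route['DestinationCidrBlock']} "
                       f"via {route.get('GatewayId')}, not a VGW/TGW; replies never enter the tunnel")
    if not sg_allows(security_groups[sg_id], protocol, port, on_prem_cidr):
        return False, f"{sg_id}: no ingress rule for {protocol}/{port} from {on_prem_cidr}"
    return True, f"{rt['RouteTableId']} -> {route.get('GatewayId') or route.get('TransitGatewayId')}, {sg_id} permits"


if __name__ == "__main__":
    for args in [("subnet-0123abcd", "sg-0abc1234", "192.168.10.0/24", "icmp", -1),
                 ("subnet-89ef0123", "sg-0abc1234", "192.168.10.0/24", "icmp", -1),
                 ("subnet-89ef0123", "sg-0abc1234", "192.168.10.0/24", "tcp", 3389)]:
        ok, why = diagnose(*args)
        print("OK  " if ok else "FAIL", why)
```

The first case reproduces the symptom in the answer above (tunnel up, instance unreachable): the route table has no entry for the on-premises range, so replies follow the default route to the internet gateway. The third case shows the security group half: ping works because the ICMP rule is scoped to the on-premises private range, while RDP fails because its rule is scoped to the customer gateway's public address.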

0

Have you checked this Knowledge Center article: https://repost.aws/knowledge-center/vpn-connection-instability

Basically, if you can't summarize your subnets into one, then use 0.0.0.0/0 as the subnet for the encryption domain/interesting traffic. This is an issue only for policy-based VPN; if you use route-based (static/BGP) you can use multiple subnets (SAs).

Short description

When you use a policy-based VPN connection to connect to an AWS VPN endpoint, AWS limits the number of security associations to a single pair. The single pair includes one inbound and one outbound security association.

Policy-based VPNs with more than one pair of security associations will drop existing connections when new connections with different security associations initiate. This behavior indicates that a new VPN connection has interrupted an existing one.

Resolution

Limit the number of encryption domains (networks) with access to your VPC. If you have more than one encryption domain behind your VPN's customer gateway, then configure them to use a single security association. To check if multiple security associations exist for your customer gateway, see the Troubleshooting your customer gateway device. Configure your customer gateway to allow any network behind the customer gateway (0.0.0.0/0) with a destination of your VPC Classless Inter-Domain Routing (CIDR) to pass through the VPN tunnel. This configuration uses a single security association, which improves tunnel stability. This configuration also allows networks that aren't defined in the policy to access the VPC.

If possible, implement a traffic filter on your customer gateway to block unwanted traffic to your VPC. Configure security groups to specify what traffic can reach your instances. Also configure network access control lists (network ACLs) to block unwanted traffic to subnets.

AWS EXPERT
answered a year ago
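Both the guide quoted in the question ("consolidate them into a single subnet") and the Knowledge Center text above come down to one question: can the local side be expressed as a single prefix, so a policy-based peer negotiates exactly one SA pair? The script below is an added example (not from the thread, Meraki or AWS) that works that out for a list of on-premises subnets. It assumes a policy-based peer builds one SA pair per (local prefix, remote prefix) combination and that all prefixes are IPv4; the subnets are constructed stand-ins for the three Meraki VLANs in the question.

```python
"""Added example: decide whether a set of on-premises subnets fits a single
encryption domain for a policy-based tunnel to AWS. Returns the exact summary
if the subnets merge cleanly, otherwise the smallest covering prefix (and how
many unrelated addresses it drags in) next to the 0.0.0.0/0 fallback from the
Knowledge Center article. Subnets below are constructed, not real."""
import ipaddress

LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.8.0/24"]  # three VLANs in VPN mode
VPC_CIDR = "172.31.0.0/16"


def sa_pairs(local_subnets, remote_subnets):
    """SA pairs a policy-based peer negotiates: one per (local, remote) prefix pair.
    AWS accepts exactly one, so this must come out as 1 (assumption stated above)."""
    return len(local_subnets) * len(remote_subnets)


def covering_supernet(networks):
    """Smallest single prefix containing every network; degenerates to 0.0.0.0/0
    when the networks share no common leading bits (supernet() of /0 is itself)."""
    nets = [ipaddress.ip_network(n) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def single_encryption_domain(local_subnets):
    """Collapse adjacent/overlapping subnets; if one prefix remains it is an exact
    summary. Otherwise report the covering supernet and the addresses it adds that
    belong to none of the real subnets (the cost of 'consolidating'), plus the
    0.0.0.0/0 fallback, which adds every address not in the policy."""
    nets = [ipaddress.ip_network(n) for n in local_subnets]
    collapsed = list(ipaddress.collapse_addresses(nets))
    if len(collapsed) == 1:
        return {"exact": True, "prefix": str(collapsed[0]), "extra_addresses": 0}
    summary = covering_supernet(collapsed)
    used = sum(n.num_addresses for n in collapsed)
    return {
        "exact": False,
        "prefix": str(summary),
        "extra_addresses": summary.num_addresses - used,
        "fallback": "0.0.0.0/0",
    }


if __name__ == "__main__":
    print("SA pairs as configured:", sa_pairs(LOCAL_SUBNETS, [VPC_CIDR]))
    print("single domain:", single_encryption_domain(LOCAL_SUBNETS))
    print("two adjacent /24s:", single_encryption_domain(["10.10.0.0/24", "10.10.1.0/24"]))
```

With the three constructed VLANs the peer would negotiate three SA pairs against one VPC CIDR, which is the condition the Knowledge Center text says breaks connections. Two adjacent /24s collapse to an exact /23 with nothing extra; the three non-adjacent ones need a /20 that also covers addresses belonging to no VLAN, so the choice is between readdressing into one VLAN, accepting that wider summary, or taking 0.0.0.0/0 and leaning on security groups and network ACLs as the article recommends.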
