Network connectivity from local VLAN to VPC.

0

I have an AWS VPC with a 10.1.12.0/26 subnet. I have created an Internet Gateway, Virtual Private Gateway and Customer Gateway. I have set up an S2S VPN with on-premises pfSense. Both tunnels are up and running. I have 2 EC2 servers. I have set up routes for my AWS network of 10.1.12.0/26 with the target local. I have set up a route for my pfSense VLAN 10.1.10.0/26 with the target Virtual Private Gateway. I have set up security groups that allow all traffic inbound/outbound.

I am unable to ping AWS from my pfSense VLAN. I've run the packet capture on pfSense. All I see is ICMP echo requ

1 Answer
2
Accepted Answer

I suggest you check the following:

  • Make sure you're using route-based VPN and not policy-based VPN. If you're using policy-based VPN, then make sure you're only defining one CIDR on the pfSense as the proxy ID; defining two CIDRs will cause multiple security associations, and that would cause connectivity issues. Refer to [1].

  • If you're using static VPN, make sure you enable asymmetric routing on the pfSense. If you don't want to enable asymmetric routing on the pfSense, then disable one of the tunnels, have only one tunnel up and test the connectivity. This is to rule out an asymmetric routing issue. Refer to [2].

  • Make sure the traffic is being allowed in the NACL.

  • If the above does not resolve the issue, I suggest enabling VPC flow logs and checking whether the traffic is being received by the EC2 instance from on-prem. Refer to [3].

  • Make sure you have a proper static route on the AWS VPN side for your on-prem network 10.1.10.0/26. Refer to [4].

References:

  1. https://repost.aws/knowledge-center/vpn-connection-instability
  2. https://repost.aws/knowledge-center/vpn-configure-tunnel-preference
  3. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
  4. https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-edit-static-routes.html
AWS
Matt_E
answered a year ago
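To make the flow-log check in the fourth point concrete, here is an added Python example (not from the answer or from AWS) that parses default-format VPC flow log records, counts ICMP between the question's two CIDRs in each direction, and maps what the instance's ENI saw onto the checks above. The log lines, account id and ENI id are constructed; the field order is the default version 2 flow-log format.

```python
import ipaddress
from collections import Counter
# CIDRs from the question; field order is the default (version 2) flow-log format.
ONPREM = ipaddress.ip_network("10.1.10.0/26")
VPC = ipaddress.ip_network("10.1.12.0/26")
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ICMP = "1"  # IP protocol number; for ICMP the srcport/dstport fields hold type/code

# Constructed sample records (not real data): two echo requests accepted, one echo
# reply sent back, one request rejected, and a NODATA interval with '-' fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.1.10.5 10.1.12.10 8 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.1.12.10 10.1.10.5 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.1.10.7 10.1.12.10 8 0 1 3 252 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    # Skip malformed lines and NODATA/SKIPDATA intervals, which carry no addresses.
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[-1] != "OK":
        return None
    return dict(zip(FIELDS, parts))

def classify_vpn_icmp(lines):
    # Count ICMP packets per (direction, action) between the VLAN and the VPC subnet.
    counts = Counter()
    for rec in filter(None, map(parse_record, lines)):
        if rec["protocol"] != ICMP:
            continue
        src, dst = ipaddress.ip_address(rec["srcaddr"]), ipaddress.ip_address(rec["dstaddr"])
        if src in ONPREM and dst in VPC:
            counts[("onprem->vpc", rec["action"])] += int(rec["packets"])
        elif src in VPC and dst in ONPREM:
            counts[("vpc->onprem", rec["action"])] += int(rec["packets"])
    return counts

def diagnose(counts):
    # Map what the instance ENI saw onto the checks listed in the answer.
    req_ok = counts[("onprem->vpc", "ACCEPT")]
    req_rej = counts[("onprem->vpc", "REJECT")]
    if not req_ok and not req_rej:
        return "no on-prem ICMP reached the ENI: check tunnel/proxy IDs, AWS static route, pfSense rules"
    if req_rej and not req_ok:
        return "requests arrive but are rejected: check the NACL and the security group"
    if not counts[("vpc->onprem", "ACCEPT")]:
        return "requests accepted but no replies logged: check the VPC route to the VGW and the OS firewall"
    return "ICMP flows both ways at the ENI: check the return path (tunnel selection, asymmetric routing)"
```

Run `diagnose(classify_vpn_icmp(open("flowlog.txt").read().splitlines()))` against records exported from CloudWatch Logs or S3 for the instance's ENI; both the request and the reply are logged on the same ENI, so a missing reply direction points at the VPC route table or the instance rather than at the VPN.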
Thank you, I figured it out. I forgot to add a rule to the pfSense WAN interface to allow access to my AWS subnet.
