AWS site to site VPN - configure multiple CIDR ranges


As part of the site to site VPN connection setup in AWS you have to configure which CIDR ranges are allowed to communicate over the VPN tunnel - is it possible to configure multiple CIDR ranges for the "local IPv4 network" parameter? We have multiple on-premise CIDR ranges that we would like to allow over the VPN tunnel.

  • This depends on whether you are using Policy based VPN or Route based VPN. Details in the answer. If your CGW supports Route based VPN it would be recommended to use route based (if possible BGP) VPNs.

whom, asked a year ago, 4002 views
1 Answer
Accepted Answer

Hello,

When you use a policy-based VPN connection to connect to an AWS VPN endpoint, AWS limits the number of security associations (SA) to a single pair. Policy-based VPNs with more than one pair of security associations drop existing connections when new connections are initiated with different security associations. This behavior might appear to indicate intermittent packet loss and other connectivity failures. [1]

To mitigate this issue, the possible solution is that the CGW can propose Local CIDR: 0.0.0.0/0 == Remote CIDR: 0.0.0.0/0, which covers all the IP addresses. If using 0.0.0.0/0 is not possible then you would need to summarize in such a way that it covers all your on-premises and AWS CIDRs.

Alternatively, you can configure Route based VPN, see below from AWS VPN FAQ which states the same: [2]

Q: How many IPsec security associations can be established concurrently per tunnel?

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.

Reference:

[1] How to avoid tunnel instability caused due to multiple SA's https://aws.amazon.com/premiumsupport/knowledge-center/vpn-connection-instability/

[2] AWS VPN FAQs

AWS EXPERT, answered a year ago
AWS EXPERT, reviewed a year ago
  • Thanks @Tushar_J for the prompt response. If I understand it correctly then I believe, as we're using policy-based VPN routing, we are only limited to allowing a single CIDR range over the VPN (from the CGW side) on the AWS side (our firewall allows multiple CIDR ranges on the VPN settings).

    We are using two different subnets -> 172.16.x.x and 10.x.x.x - our only option here then is to allow all traffic (0.0.0.0/0) over the VPN tunnel - we were hoping to be able to allow only the required subnets to transmit traffic over the VPN.

  • You are right. Since you are using multiple RFC1918 spaces the only way you can summarize is by using 0.0.0.0/0 and further lock down access using security groups and NACLs. I know this can be difficult in which case the only other option is to try and implement route based VPN in which case you will be able to advertise multiple different IP spaces.

  • Thank you very much for your assistance

  • Note that traffic is only sent through the VPN when it is routed to VPN endpoints - both within AWS and from your existing network. If there are no routes (for the subnets that don't need to access the VPN) then the traffic isn't sent there. So using a policy which is 0.0.0.0/0 means "encrypt all traffic in the tunnel" rather than "encrypt all traffic".
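The answer and comments above boil down to one arithmetic question: for a policy-based tunnel limited to a single SA, what is the smallest single prefix that still covers every on-premises range, and how much extra address space does that prefix open up that security groups and NACLs then have to lock down? The following Python script, added here as an illustration and not part of the original thread or any AWS tooling, computes that summary with the standard library `ipaddress` module, contrasts it with the per-prefix list a route-based tunnel would carry instead, and reports the excess. The on-premises ranges 10.0.0.0/8 and 172.16.0.0/12 follow the asker's comment; the AWS-side VPC CIDR 192.168.100.0/22 is a constructed sample value, since the thread never states it.

```python
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network


def single_summary(cidrs: Iterable[str]) -> IPv4Net:
    """Smallest single IPv4 prefix that contains every network in `cidrs`.

    A policy-based tunnel held to one SA can only carry one local/remote
    selector pair, so every on-premises range has to fit inside one prefix.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if not nets:
        raise ValueError("need at least one CIDR")
    if any(n.version != 4 for n in nets):
        raise ValueError("IPv4 ranges only")
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # The leading bits shared by the lowest and highest address are the
    # longest prefix that still spans both; everything after them differs.
    differing_bits = (int(first) ^ int(last)).bit_length()
    return ipaddress.ip_network(f"{first}/{32 - differing_bits}", strict=False)


def route_based_prefixes(cidrs: Iterable[str]) -> List[IPv4Net]:
    """Prefixes a route-based tunnel would carry as separate routes.

    Each range stays its own route (static or BGP-advertised); only ranges
    that are exactly adjacent are merged, so nothing unintended is covered.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def policy_plan(on_prem: Iterable[str], aws_cidrs: Iterable[str]) -> Dict[str, object]:
    """Work out the single selector pair a policy-based CGW would propose.

    Returns the local/remote summary, whether the local side collapsed to
    0.0.0.0/0, how many addresses the summary admits beyond the ranges that
    were actually intended (the space SGs/NACLs must then restrict), and the
    route list a route-based tunnel would use instead.
    """
    on_prem_nets = [ipaddress.ip_network(c, strict=False) for c in on_prem]
    aws_nets = [ipaddress.ip_network(c, strict=False) for c in aws_cidrs]
    # Overlapping local and remote ranges cannot be routed either way.
    for local_net in on_prem_nets:
        for aws_net in aws_nets:
            if local_net.overlaps(aws_net):
                raise ValueError(f"on-premises {local_net} overlaps AWS {aws_net}")

    local = single_summary(on_prem)
    remote = single_summary(aws_cidrs)
    routes = route_based_prefixes(on_prem)
    intended = sum(n.num_addresses for n in routes)
    return {
        "local_cidr": str(local),
        "remote_cidr": str(remote),
        "local_is_default": local.prefixlen == 0,
        "excess_local_addresses": local.num_addresses - intended,
        "route_based_alternative": [str(n) for n in routes],
    }


if __name__ == "__main__":
    # Constructed sample: the two on-premises spaces from the thread and an
    # assumed VPC CIDR, since the thread does not name the AWS side.
    plan = policy_plan(["10.0.0.0/8", "172.16.0.0/12"], ["192.168.100.0/22"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Because 10.0.0.0 and 172.16.0.0 already differ in their first bit, the only prefix that spans both is 0.0.0.0/0, exactly as the accepted comment says, and the report shows the roughly 4.28 billion extra addresses that selector admits. Swapping 10.0.0.0/8 for 192.168.0.0/16 yields 128.0.0.0/1 instead, which is narrower but still far wider than the two intended ranges; the `route_based_alternative` list shows why the route-based tunnel is the cleaner answer when the CGW supports it.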
