AWS Mikrotik IPSec - ping not responding

0

I have an S2S IPsec VPN connection between our Mikrotik router and AWS. The connection state is available/established on both sides.

On the Mikrotik, I configured the IPsec tunnel step by step as described by AWS (proposal, peer, firewall rules etc.).

On the AWS side, I attached the virtual private gateway to the corresponding VPC and double-checked all firewall rules to allow all ICMP packets from all sources and to all destinations (inbound, outbound). Route propagation is set up too. My office subnet appeared in the VPC route table.

I tried to ping my AWS instance from the Mikrotik router but got no response. The ICMP packet arrives at the AWS instance (seen by tcpdump on the instance), but there is some problem on the way back. No response from the AWS instance to my office LAN with the traceroute command either (traceroute -I 10.x.x.x). Ping does not work from AWS to the Mikrotik either.

I tried deleting the whole S2S tunnel and recreating it, both with BGP dynamic routing and with static routes. The AWS instance type is t2.micro, OS: Debian.

Can you help me?

Thx

2 Answers
2

Hello jjani,

I would recommend trying to troubleshoot using AWS Reachability Analyzer; it will give you a full view and tell you if any NACL is blocking this communication. Here is the Document Link:

Please let me know if this didn't show the Root cause. Thanks

AWS
Shmosa
answered 4 months ago
  • Hello Shmosa,

    Thx, but I don't know how to prioritize the route to 10.0.8.0/24 so that it overrides the local route entry... Is it possible?

  • Hello JJani,

    you will not be able to prefer this route over the local VPC route. There are some workarounds you can follow if changing the CIDR is not applicable (changing the CIDR is the recommended option for both operational excellence and cost optimization):

    1- NAT the VPN CIDR from your Mikrotik to a different range than the local CIDR.

    2- Terminate the VGW on a different VPC "with a different CIDR" and use the Private NAT Gateway for source NAT, then connect these 2 VPCs by VPC peering. https://aws.amazon.com/blogs/networking-and-content-delivery/connecting-networks-with-overlapping-ip-ranges/

0

Hi Shmosa!

Thanks for your answer and advice! Reachability Analyzer helps me a lot. I set up the RA with the following parameters: Source: eni-0a0e4bcb10xxxxxxx (instance's interface ID) Destination: IP - 10.0.8.1 (my router's IP address)

Unfortunately the status is: Not reachable. I attached 2 PNGs. One is the answer from RA, and the other is the route table of the instance.

I don't understand why the packet wants to go to the 10.0.0.0/18 CIDR in the route table. The 10.0.8.0/24 route entry is the exact path (best match in the route table)!

[Image 1: Reachability Analyzer result]

[Image 2: route table of the instance]

BR, jjani

jjani
answered 4 months ago
  • Thanks jjani. If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection overlap with the local route for your VPC, the local route is most preferred even if the propagated routes are more specific. It would be good if you could accept my answer if nothing else is needed. https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html#vpn-route-priority

  • I think you could add a static route to 10.0.8.0/24 that would then override the local route.
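The route-priority rule quoted from the AWS docs above, and the NAT workaround from the first answer, as an added illustration that is not part of this thread or of any AWS tooling. The route table is constructed to mirror the question (local 10.0.0.0/18, propagated 10.0.8.0/24), the gateway IDs are placeholders, and the handling of static routes by plain longest-prefix match is a simplification assumed here, not something the thread settles.

```python
import ipaddress

# Constructed route table mirroring the thread: the VPC's local route
# 10.0.0.0/18 and the VGW-propagated route for the office LAN 10.0.8.0/24.
ROUTES = [
    {"dest": "10.0.0.0/18", "target": "local", "origin": "local"},
    {"dest": "10.0.8.0/24", "target": "vgw-EXAMPLE", "origin": "propagated"},
    {"dest": "0.0.0.0/0", "target": "igw-EXAMPLE", "origin": "static"},
]


def select_route(dst_ip, routes=ROUTES):
    """Pick the route AWS would use for dst_ip (simplified model).

    Rule cited in the thread: when a propagated (VPN / Direct Connect) route
    overlaps the VPC local route, the local route wins even if the propagated
    route is more specific. Everything else is decided by longest prefix match,
    with a static route beating a propagated one of equal length (assumption).
    """
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r["dest"])]
    if not matches:
        return None
    if any(r["origin"] == "local" for r in matches):
        # Overlapping propagated routes lose to the local route outright.
        matches = [r for r in matches if r["origin"] != "propagated"]
    rank = {"local": 2, "static": 1, "propagated": 0}
    return max(matches, key=lambda r: (ipaddress.ip_network(r["dest"]).prefixlen,
                                       rank[r["origin"]]))


def with_nat(routes, vpn_cidr, nat_cidr):
    """Workaround 1 from the thread: the router NATs the office LAN to a range
    outside the VPC CIDR, so the prefix the VGW propagates no longer overlaps
    the local route. Returns the resulting route table."""
    return [dict(r, dest=nat_cidr) if r["dest"] == vpn_cidr else r for r in routes]


if __name__ == "__main__":
    # Reproduces the "Not reachable" result: the reply to 10.0.8.1 stays local.
    print(select_route("10.0.8.1")["target"])             # local
    # After NATing the office LAN to a constructed non-overlapping range:
    natted = with_nat(ROUTES, "10.0.8.0/24", "192.168.8.0/24")
    print(select_route("192.168.8.1", natted)["target"])  # vgw-EXAMPLE
```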
