
Site-to-Site VPN up, but no traffic between AWS VPC and provider network

0

Hi everyone,

I’ve set up a Site-to-Site VPN between my AWS VPC and a provider’s network, but traffic doesn’t seem to flow in either direction even though the VPN status is UP.

Setup details:

  • AWS VPC CIDR: 172.31.0.0/16
  • Provider’s interesting traffic: 10.104.168.0/21 - I got this from them
  • Interesting traffic for my side: 10.253.187.85/32 - I also got this from them and they insist on using it
  • Customer Gateway: created with provider’s static public IP
  • Virtual Private Gateway: attached to my VPC
  • VPN Connection: static routing, both tunnels show UP

AWS Route Table (for EC2 subnet):

Destination        Target
172.31.0.0/16      local
10.104.168.0/21    vgw-mygateway
0.0.0.0/0          igw-internetgateway

Security:

  • Security groups and NACLs allow inbound/outbound for 10.104.168.0/21.
  • EC2 instances are in public subnets with public IPs.

Issue: VPN tunnels are up, but there’s no connectivity (ping or TCP).

Question: Should this setup work as-is, without a NAT Gateway or NAT instance? Or is there an additional routing or translation step required for return traffic to reach my EC2 instances?

Any advice or example setups would be appreciated.

3 Answers
0

Based on your description, there are several potential issues that could be preventing traffic flow despite your VPN tunnels showing as UP.

First, let's address the interesting traffic configuration. The provider has specified 10.104.168.0/21 as their network, but they've given you a very specific single IP address (10.253.187.85/32) as your "interesting traffic." This is unusual for a Site-to-Site VPN, which typically uses entire subnets rather than individual IPs. This configuration might be causing routing issues.

Here are the most likely causes of your connectivity problem:

  1. Route Table Configuration: While your AWS route table looks correct for sending traffic to the provider's network, there might be an issue with how return traffic is being routed on the provider's side. They need to have a route for your VPC CIDR (172.31.0.0/16) pointing to their VPN endpoint.

  2. Traffic Routing Issues: The provider may be expecting traffic from the specific IP they provided (10.253.187.85) rather than your actual VPC CIDR. This would cause asymmetric routing problems.

  3. Firewall/Security Configuration: Even though your security groups and NACLs are configured correctly, there might be firewall rules on the provider's side blocking the traffic.

  4. VPN Configuration Mismatch: There could be mismatches in the VPN configuration parameters between AWS and the provider, such as encryption settings, authentication methods, or lifetime values.

  5. Policy-Based VPN Issues: If the provider is using a policy-based VPN and you're using a route-based VPN, this could cause connectivity problems. Policy-based VPNs require matching local and remote network configurations.

To troubleshoot:

  • Confirm with the provider how they expect traffic to flow. The single IP address they provided might indicate they're expecting you to use NAT or a specific configuration.
  • Verify that the provider has properly configured routes for your VPC CIDR.
  • Check if there are any packet loss issues over the connection.
  • Consider downloading the AWS VPN configuration file for your specific customer gateway device type and sharing relevant parts with your provider to ensure configurations match.

You don't necessarily need a NAT Gateway for a Site-to-Site VPN to work, but given the unusual configuration with a single IP address, it's possible the provider expects you to NAT your traffic to appear as if it's coming from that specific IP address.
Sources
Troubleshoot connectivity between Site-to-Site VPN and VPC | AWS re:Post
Troubleshoot VPN routing issues | AWS re:Post
ec2 instance not routing through virtual private gateway | AWS re:Post
site to site vpn connection to on premise network - pfsense firewall - cannot communicate beyond firewall subnet/vlan | AWS re:Post
Impossible to ping from AWS to On-Premise Server with site-to-site AWS vpn | AWS re:Post

answered a month ago
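To make points 2 and 5 of the answer above concrete, here is an added example (not code from the question, the answer, or AWS) that models the provider side as a policy-based VPN whose traffic selectors are exactly the two "interesting traffic" prefixes from the question, and follows one packet from an EC2 instance to a provider host and its reply back, once as-is and once with the source rewritten to 10.253.187.85. The AWS route table is the one posted in the question; the provider's selector behaviour, the use of 10.253.187.85 as a NAT address, and the sample hosts 172.31.10.5 and 10.104.170.20 are assumptions made for this example.

```python
import ipaddress

# Addresses taken from the question. The provider-side behaviour (a
# policy-based VPN whose selectors are exactly the two "interesting traffic"
# prefixes) is an assumption made for this example, as is the NAT address.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
PROVIDER_NET = ipaddress.ip_network("10.104.168.0/21")
MY_SELECTOR = ipaddress.ip_network("10.253.187.85/32")
NAT_IP = "10.253.187.85"  # assumed SNAT address if a NAT hop is introduced

# AWS route table from the question: (destination CIDR, target)
AWS_ROUTES = [
    ("172.31.0.0/16", "local"),
    ("10.104.168.0/21", "vgw-mygateway"),
    ("0.0.0.0/0", "igw-internetgateway"),
]


def lookup_route(routes, dst):
    """Longest-prefix match, the way a VPC route table selects a target."""
    dst = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def provider_selector_allows(src, dst):
    """Policy-based IPsec on the provider side: a packet enters or leaves the
    tunnel only if (src, dst) matches one direction of the negotiated selectors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    to_us = src in PROVIDER_NET and dst in MY_SELECTOR
    from_us = src in MY_SELECTOR and dst in PROVIDER_NET
    return to_us or from_us


def trace_flow(src, dst, snat=False):
    """Follow one packet from an EC2 instance to a provider host and the reply
    back: where AWS routes it, whether the provider's selectors accept it in
    each direction, and whether the reply is addressed to anything in the VPC."""
    result = {"aws_route": lookup_route(AWS_ROUTES, dst)}
    # Optional NAT hop (assumed): rewrite the VPC source to the address the
    # provider insists on before the packet enters the tunnel.
    tunnel_src = NAT_IP if snat and ipaddress.ip_address(src) in VPC_CIDR else src
    result["tunnel_src"] = tunnel_src
    result["provider_accepts"] = provider_selector_allows(tunnel_src, dst)
    # The provider replies to whatever source address it saw.
    result["reply_dst"] = tunnel_src
    result["reply_enters_tunnel"] = provider_selector_allows(dst, tunnel_src)
    # A virtual private gateway only delivers tunnel traffic to the VPC's own
    # CIDR; a reply to any other address needs a device in the path that owns
    # that address and reverses the translation.
    result["reply_lands_in_vpc"] = ipaddress.ip_address(tunnel_src) in VPC_CIDR
    return result


if __name__ == "__main__":
    for snat in (False, True):
        print(f"snat={snat}:", trace_flow("172.31.10.5", "10.104.170.20", snat=snat))
    # Provider-initiated traffic to a real EC2 address never matches its own selectors.
    print("provider -> EC2 accepted:",
          provider_selector_allows("10.104.170.20", "172.31.10.5"))
```

Run as-is, the as-is case shows what the question describes: the AWS route table correctly hands the packet to the VGW, but the provider's selectors match in neither direction, so IKE stays up (both tunnels "UP") while every data packet is dropped at the policy check. With the source rewritten to 10.253.187.85 the provider accepts the packet and its reply goes back into the tunnel, but the reply is addressed to 10.253.187.85, which is not in 172.31.0.0/16, so whatever performs that NAT has to sit in the path on the AWS side and undo it; a VGW on its own will not deliver it to an instance.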
0

Hello.

Why not try enabling VPC flow logs on the EC2 instance that receives the ping?
If the result shows that the ping reaches the EC2 instance and you can identify the source IP address, you may be able to review your routing settings, etc.
https://docs.aws.amazon.com/vpc/latest/userguide/working-with-flow-logs.html

EXPERT
answered a month ago
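As an added example of the check suggested above (not code from the answer or from AWS), here is a small parser for the default VPC flow log record format that restricts the records for one ENI to ICMP and reports which sources actually reached the instance, which of them were rejected, and where the instance sent its replies. The log lines are constructed for this example; the account ID, the ENI ID, the instance address 172.31.10.5 and the source addresses are placeholders, and the record from 10.253.187.90 is included only to show what an unexpected source looks like.

```python
import ipaddress

# Default VPC flow log record format (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records for this example (not real log data). Account and
# ENI identifiers are placeholders. Protocol 1 is ICMP and protocol 6 is TCP;
# the port fields are not meaningful for the ICMP records here.
SAMPLE_LOG = """\
2 123456789012 eni-0123456789abcdef0 10.104.170.20 172.31.10.5 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 172.31.10.5 10.104.170.20 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.253.187.90 172.31.10.5 0 0 1 4 336 1700000060 1700000120 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 172.31.10.5 54321 22 6 1 60 1700000060 1700000120 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, dropping records that
    carry no addresses (NODATA / SKIPDATA) or do not match the field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["protocol"] = int(rec["protocol"])
        rec["packets"] = int(rec["packets"])
        records.append(rec)
    return records


def vpn_ping_report(records, instance_ip, provider_net, protocol=1):
    """For one instance address, list the sources that sent `protocol` traffic
    to it (split into the provider's range and everything else), which of
    those were rejected, and the destinations the instance replied to."""
    instance = ipaddress.ip_address(instance_ip)
    provider = ipaddress.ip_network(provider_net)
    report = {"inbound_from_provider": [], "inbound_other_sources": [],
              "rejected_sources": [], "replies_to": []}
    for rec in records:
        if rec["protocol"] != protocol:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if dst == instance:
            key = "inbound_from_provider" if src in provider else "inbound_other_sources"
            report[key].append(str(src))
            if rec["action"] == "REJECT":
                report["rejected_sources"].append(str(src))
        elif src == instance:
            report["replies_to"].append(str(dst))
    return report


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(vpn_ping_report(recs, "172.31.10.5", "10.104.168.0/21"))
```

The point of the check is the `inbound_other_sources` and `rejected_sources` lists: if the provider sends from an address outside 10.104.168.0/21, the security group rule that only allows that /21 shows up as a REJECT record, and the flow log is the place where the source address the provider actually uses becomes visible. An empty `inbound_from_provider` list, by contrast, means the packets never reached the ENI at all and the problem is upstream of the instance.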
0

NAT instance is not required.

As per the rePost Agent's suggestion, this could be a routing configuration issue on the provider network.

Can you do a traceroute (tracert for Windows) from your provider network to your EC2 instance?

AWS
EXPERT
answered a month ago
