
Site to Site VPN working with Windows but not Linux EC2

0

I have established a Site-to-Site VPN with a default VPC in AWS. The customer device is a Fortinet FortiGate.

I have been able to successfully access the resources at the customer end from a Windows machine, but have had no such luck with the Linux machines (tried Ubuntu 22, Amazon Linux). The resource in the customer VPN is a SQL Server. I am using both ping and telnet. From the Windows machine I have also been able to access the SQL Server using SQL Server Studio.

Already Tried

I have already gone through the following:

  • Played with Ubuntu routing, tried to add a route for 10.21.x.x to the IP tables to forward traffic to the VPG (did not work, as it would not accept the IP I gave it for the gateway). I found that IP from the tracert on Windows
  • Ubuntu firewall is not being used
  • Changed MTU setting to make MTU smaller than the max MTU allowed by AWS site to site VPN
  • sudo sysctl -w net.ipv4.ip_forward=1 (it was set to 0)
  • Checked the security groups, added ICMP4 inbound rules

Any idea what could be going on here or other things I can try to debug?

1 Answer
0

The issue you're experiencing with Linux EC2 instances not being able to communicate through the Site-to-Site VPN while Windows instances can is intriguing. There are several potential causes and troubleshooting steps to consider:

  1. Routing: Ensure that the route tables associated with the subnets where your Linux instances are located have the correct routes for the customer's network. The route should point to the virtual private gateway (VGW) or transit gateway (TGW) used for the VPN connection.

  2. Security Groups: While you've added ICMP inbound rules, make sure that the security groups for your Linux instances also allow outbound traffic to the customer's network range.

  3. Network ACLs: Check if there are any Network ACLs applied to the subnets of your Linux instances that might be blocking the traffic.

  4. VPN Configuration: Verify that the VPN connection is configured to allow traffic from all instance types. Sometimes, there might be filters on the customer's end that only allow certain IP ranges or protocols.

  5. MTU Issues: Although you've adjusted the MTU, it's worth double-checking. Try setting the MTU on your Linux instances to 1400 or even lower (like 1300) to see if it makes a difference.

  6. TCP MSS Clamping: Enable TCP MSS Clamping on your Linux instances. You can do this by running (the TCPMSS target only accepts a rule that matches TCP SYN packets, so the --tcp-flags match is required; substitute your instance's interface name for eth0, e.g. ens5): sudo iptables -t mangle -A POSTROUTING -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

  7. Packet Capture: Run a packet capture on both Windows and Linux instances to compare the traffic. This might reveal differences in how the packets are being sent or received.

  8. Customer Gateway Configuration: Work with the customer to ensure their Fortinet FortiGate device is configured correctly to allow traffic from your Linux instances. There might be specific firewall rules or policies on their end that are causing this issue.

  9. BGP Configuration: If you're using dynamic routing (BGP), ensure that the routes are being properly advertised and received on both ends of the VPN connection.

  10. AWS Support: If none of the above steps resolve the issue, consider opening a support ticket with AWS. They can provide more in-depth troubleshooting and potentially identify any service-related issues.

Remember to test after each change, and always coordinate with the customer when making changes that might affect their network or security posture. Troubleshooting VPN issues can be complex, so a systematic approach and patience are key.
Sources
How AWS Site-to-Site VPN works - AWS Site-to-Site VPN
Configure an AWS site-to-site VPN | AWS re:Post
Test an AWS Site-to-Site VPN connection - AWS Site-to-Site VPN
What is AWS Site-to-Site VPN? - AWS Site-to-Site VPN

answered a year ago
EXPERT
reviewed a year ago
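The Linux-side checks from the answer above (instance routing, interface MTU, existing TCPMSS rules, path-MTU probing with the DF bit set, and a TCP connect to the database port), collected into one diagnostic script. This is an added example and is not code from the question, the answer, or AWS; the customer prefix 10.21.0.0/16, the SQL Server address 10.21.1.10 and port 1433 are assumed placeholders, the 1446-byte tunnel MTU is the figure AWS documents for Site-to-Site VPN, and the helper names (mss_for_mtu, route_summary, largest_df_payload, run_checks) are this script's own. The pure helpers are separated from the network probes so they can be checked without a VPN in front of you; on EC2, `ip route get` for the customer address should show the subnet router (the .1 address) as next hop, because the VGW route lives in the VPC route table, not on the instance, which is why adding the VGW as an on-host gateway is rejected.

```shell
#!/bin/sh
# Added diagnostic for a Linux EC2 instance behind an AWS Site-to-Site VPN.
# Assumed (not from the page): customer prefix, SQL Server host and port.
CUSTOMER_NET="${CUSTOMER_NET:-10.21.0.0/16}"   # assumed customer network
TARGET="${TARGET:-10.21.1.10}"                 # assumed SQL Server address
PORT="${PORT:-1433}"                           # assumed SQL Server port
VPN_MTU=1446                                   # AWS Site-to-Site VPN tunnel MTU

# TCP MSS that fits a given MTU: subtract the 20-byte IPv4 and 20-byte TCP headers.
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Summarise one line of `ip route get` output as "dev=<iface> via=<nexthop>".
# Example input (constructed): 10.21.1.10 via 172.31.16.1 dev ens5 src 172.31.16.5 uid 1000
# On-link routes have no "via" and are reported as via=direct.
route_summary() {
    printf '%s\n' "$1" | awk '{
        dev = "?"; via = "direct"
        for (i = 1; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "via") via = $(i + 1)
        }
        printf "dev=%s via=%s\n", dev, via
    }'
}

# One ICMP echo with DF set and the given payload size; succeeds only on a reply.
# A blackholed path (DF packets silently dropped, no "frag needed" ICMP) fails here
# for large sizes while small sizes still work: exactly the MTU symptom in the thread.
ping_df() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# Binary-search the largest DF payload that gets a reply between lo and hi (inclusive),
# using the probe function named in $4 (default ping_df). Prints 0 if nothing replies,
# which means ICMP itself is blocked rather than a size problem.
largest_df_payload() {
    host=$1; lo=$2; hi=$3; probe=${4:-ping_df}
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$host" "$mid"; then
            best=$mid; lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# The live checks; run as:  sh vpn_diag.sh run   (needs ping, ip, iptables, nc)
run_checks() {
    route_line=$(ip route get "$TARGET" 2>&1 | head -n 1)
    summary=$(route_summary "$route_line")
    iface=${summary#dev=}; iface=${iface%% *}
    echo "== route to $TARGET (expect via=<subnet router>; VGW routing is in the VPC route table) =="
    echo "$summary"
    echo "== MTU on $iface (tunnel MTU is $VPN_MTU, suggested MSS $(mss_for_mtu "$VPN_MTU")) =="
    cat "/sys/class/net/$iface/mtu" 2>/dev/null || echo "(interface not found)"
    echo "== TCPMSS rules present in the mangle table =="
    iptables -t mangle -S 2>/dev/null | grep TCPMSS || echo "(none)"
    echo "== largest DF ICMP payload that gets a reply (path MTU = payload + 28) =="
    payload=$(largest_df_payload "$TARGET" 1000 1472)
    if [ "$payload" -eq 0 ]; then
        echo "no reply at any size: ICMP is blocked or the route is broken, not an MTU issue"
    else
        echo "payload=$payload pmtu=$(( payload + 28 )) mss_to_clamp=$(mss_for_mtu $(( payload + 28 )))"
    fi
    echo "== TCP connect to $TARGET:$PORT =="
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$TARGET" "$PORT" && echo "open" || echo "closed or filtered"
    else
        echo "(nc not installed)"
    fi
}

case "${1:-}" in
    run) run_checks ;;
esac
```

Read the probe result together with the TCP test: if small pings pass, large DF pings fail, and `nc` connects but queries hang, the tunnel is dropping oversized segments and the TCPMSS rule (or a smaller interface MTU) is the fix; if even 1000-byte pings get no reply, look at the VPC route table, NACLs and the FortiGate policy before touching MTU.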
