VPN S2S With Public VIF Enabled
Why is the VPN tunnel consistently down when attempting to create a backup over the Internet connection for our Direct Connect, and why does the tunnel only become active when the Public VIF interface is shut down? Upon debugging the router, it appears that AWS is not responding to the VPN until the Public VIF is deactivated. Although I am using the VPN IP Address provided from the ISP. What could be causing this issue? "
- Newest
- Most votes
- Most comments
Hello ,
Hope is all good,
My Answer will Assume that the Internet Service Provider IP Address Range you are using for the VPN, you don't own it so you are not advertising them using the public VIF & you are using just the default route for the internet line .
The issue appears to be from the fact that the AWS Public VPN IP Range is being advertised from the Public VIF. Consequently, your Router (CPE) tends to prefer the Public VIF as an exit interface (if there is no specific route defined). the Source IP of the tunnel will be from the Range of the ISP Range. where AWS will, recognizing that this source is not in the Owned Range and, filters this traffic received from the public VIF, resulting in the VPN tunnel consistently remaining down when the Public VIF Is UP.
https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html#routing-policies
To address this challenge, I recommend implementing a specific route on your CPE towards your Internet Service Provider for the AWS Public VPN IP address. This will allow your CPE to explicitly route traffic destined for the AWS Public VPN IP Range through your Internet connection.
Please reply back if my assumption is wrong and provide the VPN logs you captured
Relevant content
- Accepted Answerasked 2 years ago
- Accepted Answerasked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
