AWS Site-to-Site VPN ping working, TCP not


I want to establish a site-to-site IPsec VPN connection between an AWS EKS-Kubernetes-Cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not.

The server on the other end runs Ubuntu 20.04 and uses libreswan. The openswan configuration file that AWS provides for the VPN has been altered in two ways (which I think should not matter):

  • auth=esp has been commented out, as libreswan would not start otherwise (libreswan 3.29)
  • The VPN has been configured to use VTI. When sending an HTTP request from the AWS side: tcpdump on the libreswan side shows the SYN arriving and a SYN-ACK being sent back, while tcpdump on the EC2 instance (and in a pod as well) only registers the SYN.

All incoming traffic has been allowed in security groups and ACLs etc.

I have set up SNAT as recommended here and have confirmed that SNAT works using traceroute. I think because of SNAT it should not matter anymore that EKS is used in this VPC for this issue.
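The symptom described above (SYN seen on both ends, SYN-ACK leaving the libreswan host but never arriving on the EC2 instance) is easiest to pin down by capturing on each side and pairing the handshake packets mechanically. The following is an added diagnostic example, not code from the original post or from AWS: it parses `tcpdump -nn` text output, tracks each client-to-server flow through SYN, SYN-ACK and ACK, and reports how far every handshake got. The three captures embedded in it are constructed to mimic the situation in the question; the IP addresses, ports and timestamps are assumptions, not values from the post.

```python
"""Pair TCP handshake packets from tcpdump -nn text output to localise where a
SYN-ACK goes missing.  Save a capture from each side of the tunnel and feed
each one to handshake_report(): the side that shows a SYN-ACK leaving with no
ACK coming back, while the other side shows only the SYN, brackets the hop
that drops the return packet.

Added diagnostic example; not from the original post.  All captures below are
constructed sample data."""
import re
from collections import OrderedDict

# Matches the head of a tcpdump -nn line for TCP, e.g.
# "12:00:01.000100 IP 10.0.1.23.44512 > 192.168.50.10.80: Flags [S], seq ..."
# ICMP lines (the pings that do work) carry no "Flags [...]" and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+IP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)


def _endpoint(s):
    """'10.0.1.23.44512' -> ('10.0.1.23', 44512); tcpdump -nn joins host and port with a dot."""
    host, port = s.rsplit(".", 1)
    return host, int(port)


def parse_tcp(text):
    """Yield (ts, (src, sport), (dst, dport), flags) for every TCP line in a capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], _endpoint(m["src"]), _endpoint(m["dst"]), m["flags"]


def handshake_report(text):
    """Classify each client->server flow in a capture by how far its 3-way handshake got.

    Returns a dict with three lists of (client, server) endpoint pairs:
      syn_only      - SYN seen, no SYN-ACK back (the reply never reached this capture point)
      synack_no_ack - SYN-ACK seen, but the client's ACK never arrived
      complete      - SYN, SYN-ACK and ACK all observed
    Retransmitted SYNs do not reset a flow's stage; data segments are ignored.
    """
    stage = OrderedDict()  # (client, server) -> 'syn' | 'synack' | 'complete'
    for _ts, src, dst, flags in parse_tcp(text):
        if flags == "S":                        # SYN from client
            stage.setdefault((src, dst), "syn")
        elif "S" in flags and "." in flags:     # SYN-ACK from server: reverse direction
            key = (dst, src)
            if stage.get(key) == "syn":
                stage[key] = "synack"
        elif flags == ".":                      # bare ACK from client completes the handshake
            if stage.get((src, dst)) == "synack":
                stage[(src, dst)] = "complete"
    names = {"syn": "syn_only", "synack": "synack_no_ack", "complete": "complete"}
    report = {"syn_only": [], "synack_no_ack": [], "complete": []}
    for flow, s in stage.items():
        report[names[s]].append(flow)
    return report


# Constructed capture on the libreswan host: pings work, SYN arrives (and is
# retransmitted), a SYN-ACK is sent each time, but no ACK ever comes back.
LIBRESWAN_SIDE = """\
12:00:00.000100 IP 10.0.1.23 > 192.168.50.10: ICMP echo request, id 7, seq 1, length 64
12:00:00.000300 IP 192.168.50.10 > 10.0.1.23: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000100 IP 10.0.1.23.44512 > 192.168.50.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.000200 IP 192.168.50.10.80 > 10.0.1.23.44512: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:02.000100 IP 10.0.1.23.44512 > 192.168.50.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:02.000200 IP 192.168.50.10.80 > 10.0.1.23.44512: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""

# Constructed capture on the EC2 instance: only the outgoing SYN and its retransmit are visible.
EC2_SIDE = """\
12:00:01.000000 IP 10.0.1.23.44512 > 192.168.50.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:02.000000 IP 10.0.1.23.44512 > 192.168.50.10.80: Flags [S], seq 1000, win 64240, length 0
"""

# Constructed healthy reference: a handshake that completes, followed by a data segment.
HEALTHY = """\
12:00:05.000000 IP 10.0.1.23.44600 > 192.168.50.10.22: Flags [S], seq 5, win 64240, length 0
12:00:05.000100 IP 192.168.50.10.22 > 10.0.1.23.44600: Flags [S.], seq 9, ack 6, win 65535, length 0
12:00:05.000200 IP 10.0.1.23.44600 > 192.168.50.10.22: Flags [.], ack 10, win 502, length 0
12:00:05.000300 IP 10.0.1.23.44600 > 192.168.50.10.22: Flags [P.], seq 6:30, ack 10, win 502, length 24
"""

if __name__ == "__main__":
    for name, cap in (("libreswan", LIBRESWAN_SIDE), ("ec2", EC2_SIDE), ("healthy", HEALTHY)):
        print(name, handshake_report(cap))
```

Capture with something like `tcpdump -nn -i <vti-or-eth-interface> 'tcp or icmp'` on both hosts and run the report over each file separately. With SNAT in the path the EC2-side capture will show the pod or instance address while the libreswan side shows the SNAT address, so the two reports are compared by stage rather than by exact 4-tuple: a flow that is `synack_no_ack` on the libreswan host and `syn_only` on the instance means the SYN-ACK was emitted but lost somewhere between the two capture points, which is the place to start looking (routing of the return packet, the policy or interface it is sent through, and the NAT state it has to match).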

1 Answer

My guess here is that the non-AWS side of the VPN is doing some sort of NAT. That's a really vague answer, but if you're getting one-way communication or odd combinations of things working, that's usually the case.

As per your answer: You're using SNAT and (again - a guess) I suspect that is the culprit here.

AWS EXPERT
answered 2 years ago
