Ping Fail for scenario that EC2 Server2 ping VPN Interface IP in EC2 Server1


I have run into a problem and need suggestions on what needs to be configured. Scenario:

  1. I have 2 EC2 instances in the same subnet (172.31.0.0/20).
  2. Server1: the IP on interface eth0 is 172.31.0.120. I have also installed an OpenVPN server on Server1, which manages a VPN network (10.8.0.0/24) and creates an interface "tun0" with IP address 10.8.0.1 on Server1.
  3. Server2: the IP on interface enX0 is 172.31.0.126.
  4. I have configured a route on Server2 to send traffic from Server2 to 10.8.0.0/24 via 172.31.0.120 (Server1): sudo ip route add 10.8.0.0/24 via 172.31.0.120
  5. I have configured the security group inbound rules on both Server1 and Server2 to allow ICMP traffic from 172.31.0.0/20 and 10.8.0.0/24.
  6. I have configured a route in the VPC route table: destination 10.8.0.0/24, target Server1 (Server1's NIC interface).

But I still have the following problem: from Server2, pinging 172.31.0.120 works. From Server2, pinging 10.8.0.1 fails. I tried to use tcpdump on Server1 to capture ICMP packets, but got nothing.

Is there any configuration I need to perform to allow Server2 to ping 10.8.0.1 on Server1?

asked 12 days ago, 38 views
1 Answer
Accepted Answer

Hello.

Is the "Source/destination check" on Server1's ENI disabled?
I think that if this isn't disabled, even if the traffic reaches Server1, it won't be routed to "10.8.0.0/24".
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Source/destination checking
You can enable or disable source/destination checks, which ensure that the instance is either the source or the destination of any traffic that it receives. Source/destination checks are enabled by default. You must disable source/destination checks if the instance runs services such as network address translation, routing, or firewalls.

answered 12 days ago
  • It works after I disabled the source/destination check. Thanks a lot.
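The checks the accepted answer and the question walk through (ENI source/destination check, a route for 10.8.0.0/24 that reaches Server1's ENI, an inbound ICMP rule on Server1's security group) can be encoded as a small offline checker. This is an added example, not code from the question, the answer or AWS. The input dictionaries follow the shape of the boto3 describe_network_interfaces, describe_route_tables and describe_security_groups responses, but every value (the eni-/sg- identifiers, the route lines) is constructed sample data for this example; in practice you would feed it the real API responses and the output of ip route show on Server2.

```python
"""Diagnose why an EC2 instance cannot reach an IP that lives on a VPN tunnel
interface (OpenVPN tun0, 10.8.0.1) of another instance in the same subnet.

Inputs mirror boto3 response shapes; the sample data below is constructed for
this example (identifiers such as eni-0123456789abcdef0 are made up).
"""
import ipaddress

VPN_CIDR = "10.8.0.0/24"      # network managed by OpenVPN on Server1
VPN_IFACE_IP = "10.8.0.1"     # tun0 address on Server1, the ping target
SERVER2_IP = "172.31.0.126"   # enX0 address on Server2 (the ping source)


def parse_ip_route(lines):
    """Parse `ip route show` lines into (network, via) tuples."""
    routes = []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dest, strict=False), via))
    return routes


def next_hop(lines, dst):
    """Longest-prefix match: the gateway the OS would use for dst (None = on-link)."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in parse_ip_route(lines) if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def route_to_eni(route_table, cidr, eni_id):
    """True if the VPC route table sends cidr to the given ENI (active route)."""
    return any(r.get("DestinationCidrBlock") == cidr
               and r.get("NetworkInterfaceId") == eni_id
               and r.get("State", "active") == "active"
               for r in route_table.get("Routes", []))


def icmp_allowed_from(sg, src_ip):
    """True if the security group has an inbound ICMP (or all-traffic) rule covering src_ip."""
    src = ipaddress.ip_network(src_ip)
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("icmp", "-1"):
            continue
        for rng in perm.get("IpRanges", []):
            if src.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def diagnose(router_eni, route_table, router_sg, server2_routes, server2_ip=SERVER2_IP):
    """Return a list of human-readable findings; an empty list means ping should work."""
    findings = []
    eni_id = router_eni["NetworkInterfaceId"]
    router_ip = router_eni["PrivateIpAddress"]

    # The decisive check for this scenario: with the source/destination check on,
    # EC2 drops a packet whose destination (10.8.0.1) is not an address assigned to
    # the ENI, before the guest kernel sees it, which is why tcpdump showed nothing.
    if router_eni.get("SourceDestCheck", True):
        findings.append(f"Source/destination check is enabled on {eni_id}: packets for "
                        f"{VPN_IFACE_IP} are dropped before reaching Server1; disable it.")

    # Either an OS route on Server2 pointing at Server1, or a VPC route-table entry
    # targeting Server1's ENI, delivers the packet to that ENI; complain only if neither exists.
    if next_hop(server2_routes, VPN_IFACE_IP) != router_ip \
            and not route_to_eni(route_table, VPN_CIDR, eni_id):
        findings.append(f"No route for {VPN_CIDR} reaches {router_ip} ({eni_id}), neither "
                        f"on Server2 nor in the VPC route table.")

    # Security groups are stateful, so only Server1's inbound rule matters for the
    # echo request; the reply is allowed back to Server2 automatically.
    if not icmp_allowed_from(router_sg, server2_ip):
        findings.append(f"{router_sg['GroupId']} has no inbound ICMP rule covering {server2_ip}.")
    return findings


# Constructed sample data reproducing the question's setup (identifiers made up).
ROUTER_ENI = {"NetworkInterfaceId": "eni-0123456789abcdef0", "PrivateIpAddress": "172.31.0.120",
              "SourceDestCheck": True, "Groups": [{"GroupId": "sg-0123456789abcdef0"}]}
FIXED_ENI = dict(ROUTER_ENI, SourceDestCheck=False)   # after the accepted answer's fix
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": VPN_CIDR, "NetworkInterfaceId": "eni-0123456789abcdef0", "State": "active"},
]}
ROUTER_SG = {"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "172.31.0.0/20"}, {"CidrIp": VPN_CIDR}]},
]}
SERVER2_ROUTES = [
    "default via 172.31.0.1 dev enX0",
    "10.8.0.0/24 via 172.31.0.120 dev enX0",
    "172.31.0.0/20 dev enX0 proto kernel scope link src 172.31.0.126",
]

if __name__ == "__main__":
    for eni in (ROUTER_ENI, FIXED_ENI):
        print(eni["SourceDestCheck"], diagnose(eni, ROUTE_TABLE, ROUTER_SG, SERVER2_ROUTES))
```

With the question's configuration the checker reports only the source/destination check; with it disabled the list is empty. The corresponding fix on a real account is `aws ec2 modify-network-interface-attribute --network-interface-id <eni-id> --no-source-dest-check`, and `aws ec2 describe-network-interfaces --network-interface-ids <eni-id> --query 'NetworkInterfaces[].SourceDestCheck'` confirms it.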
