Questions tagged with AWS Virtual Private Network (VPN)


Problem Setting up EC2 as Airgap Server with Client VPN Endpoint

Afternoon All, I'm a (very) inexperienced user who's keen to learn and appreciate I might have bitten off far more than I can chew with this. I'm working on a project where we need to share UDP packets between two companies, with the packets going in both directions. I want to set up an airgap server where the exchange of data could take place. I have an EC2 server with an external IP address (that I SSH into) as the airgap machine and a Client VPN endpoint linked to the subnet the EC2 instance is in. My intent was to send UDP packets from my company system to the airgap on a particular port, say 3005, for example, and then listen on a different port, say 4005, on the same EC2 instance for UDP packets from the other company, and use socat to send packets from 4005 to the client IP on my Windows machine (currently set in the endpoint to 16.10.0.0/16; yes, I know the subnet is probably far too big for this).

I have successfully created the VPN client endpoint, downloaded the configuration file and can connect in from my Windows 10 laptop using the OpenVPN client. I can send packets from my Windows 10 machine to the airgap EC2 instance and see that they arrive on port 3005 as expected using tcpdump. I can also ping from the Windows machine to the airgap server, so the connection is working in one direction.

The issue I have is that the connection does not work when sending packets from the airgap EC2 instance to my machine via the VPN. If I run socat with various options of udp-recvfrom or udp-listen and udp-sendto or udp-datagram, I get no packets arriving at my Windows machine. Neither can I ping the Windows machine from the EC2 airgap instance (I have tried this with Windows Firewall turned off to test whether the FW was getting in the way).

My questions then:

1. Is it possible to do what I want?
2. What am I doing wrong and how can I fix it?
3. Is my assumption that an EC2 instance is a good way of setting up an airgap server like this correct?

Many Thanks
G

0 answers · 0 votes · 67 views · asked 4 months ago

Site to Site VPN setup - Tunnel Status is Down

Hi There: I'm NOT able to set up the Site to Site VPN; the Tunnel status is always down. Any kind suggestion on this? Below are the steps I have done to simulate On-Premise to AWS. Thanks.

**I guess Step 4 might be the key reason? I'm trying to set up Static Routing**, but it looks like we are ONLY allowed to create a dynamic one, since the BGP ASN is required to be set? Months ago, the Customer Gateway front page was NOT like that: no BGP ASN required, but with a selection: Static or Dynamic. **Attention here**: I'm trying to use **Static** Routing, NOT Dynamic.

1 - Created two VPCs in one region, naming them VPC-AWS (10.100.0.0/16) and VPC-OnPremise (10.200.0.0/16)

2 - Created OnPremise-Public-Subnet (10.200.1.0/24, auto-assign public IP), attached the subnet to a newly created route table (OnPremise-Public-Route), which added an entry to the IGW; created AWS-Private-Subnet (10.100.1.0/24)

3 - Created two instances: OnPremise-Instance under OnPremise-Public-Subnet (automatically generated public IP, for example 1.2.3.4), confirmed this instance can reach anywhere; created AWS-Instance under AWS-Private-Subnet (with a Security Group allowing all traffic: 0.0.0.0/0)

4 - Created Customer Gateway, with the configuration below:
   0) Name: CGW-OnPremise
   1) BGP ASN: 65000 (I got confused by this part, since months ago there was no such section, only the choice of static or dynamic, and I was able to set up the site to site VPN connection without any problem that time. NOT sure whether this means we are ONLY allowed to set up Dynamic Routing, since I think BGP here means dynamic routing, BUT I want to set up a static one, since so far I'm NOT familiar with dynamic routing)
   2) IP address: the public IP of OnPremise-Instance above
   Above is all the configuration.

5 - Create VGW
   0) Name: VGW-AWS
   1) Autonomous System Number: Amazon default ASN
   2) Attach it to VPC-AWS
   Above is all the configuration.

6 - Create Site-to-Site VPN Connection
   0) Name: S2S-VPN-Connection
   1) Target gateway type: Virtual private gateway -> VGW-AWS
   2) Customer gateway: Existing -> CGW-OnPremise
   3) Routing options: Static -> (10.100.0.0/16, 10.200.0.0/16)
   Above is all the configuration for the connection.

7 - Go to the route table for AWS-Private-Subnet and edit Route Propagation to YES.

8 - Download the configuration from S2S-VPN-Connection (select OpenSwan), then go to OnPremise-Instance, install OpenSwan and configure it properly; one of the key parts is pasted below:

```
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=54.189.187.140
    right=52.41.212.35
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=10.200.0.0/16
    rightsubnet=10.100.0.0/16
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
```

9 - Then run `systemctl start ipsec` and `systemctl status ipsec`: no errors, all looks good.

10 - I think all is set now, but I am NOT able to ping through to AWS-Instance (AWS side) from OnPremise-Instance (OnPremise side).

2 answers · 0 votes · 104 views · asked 5 months ago