Questions tagged with AWS Virtual Private Network (VPN)
AWS site to site VPN routing issue
We have a site-to-site VPN set up between AWS and our Checkpoint firewalls with dynamic BGP routing. On the Checkpoint side I see traffic going over the VPN tunnel to AWS, but I do not see any return traffic. I am trying to ping an AWS Linux EC2 instance. To complicate matters, due to company policy I cannot create a public interface on the EC2 instance, so I cannot SSH into the EC2 instance to run a tcpdump and see whether the ICMP packets are being received. Any advice on troubleshooting this?
Hello Experts, please see the attached diagram. As quoted from the AWS docs: "When we perform updates on one VPN tunnel, we set a lower outbound multi-exit discriminator (MED) value on the other tunnel. If you have configured your customer gateway device to use both tunnels, your VPN connection uses the other (up) tunnel during the tunnel endpoint update process." Is this not going to cause asymmetric routing again if the MED value is changed? Note: the customer end is going to be a Cisco ASA. Thanks ![Enter image description here](https://repost.aws/media/postImages/original/IM74Y-GBwARmi__Q95Km445A)
Why can a VPC with a "public subnet only and AWS Site-to-Site VPN access" not be configured?
Why can a VPC with a "public subnet only and AWS Site-to-Site VPN access" not be configured? As per the docs (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-scenarios-intro.html) there are only four types, and none of them is public subnet only with VPN.
AWS VPN Client on Linux Ubuntu not working
We have a VPN set up and everything works fine for other people. But I have a Linux machine running Ubuntu, and the client can connect, but I cannot access services. telnet told me DNS cannot be resolved. Using curl to hit services by their internal IP (10.0.0.150) doesn't work. I followed the troubleshooting steps for Linux but they didn't help. The logs told me a push message was received from the server (DNS 10.0.0.2, routes etc....). The second weird part is that we enabled split tunnel, and it should not pass through the VPC. However, it is
Problem Setting up EC2 as Airgap Server with Client VPN Endpoint
Afternoon All, I'm a (very) inexperienced user who's keen to learn and appreciate I might have bitten off far more than I can chew with this. I'm working on a project where we need to share UDP packets between two companies, with the packets going in both directions. I want to set up an airgap server where the exchange of data could take place. I have an EC2 server with an external IP address (that I SSH into) as the airgap machine and a VPN client endpoint linked to the subnet the EC2 instance is in. My intent was to send UDP packets from my company system to the airgap on a particular port, say 3005 for example, and then listen on a different port, say 4005 for example, on the same EC2 instance for UDP packets from the other company, and use socat to send packets from 4005 to the client IP on my Windows machine (currently set in the endpoint to 220.127.116.11/16 (yes, I know the subnet is probably far too big for this)). I have successfully created the VPN client endpoint, downloaded the configuration file and can connect in from my Windows 10 laptop using the OpenVPN client. I can send packets from my Windows 10 machine to the airgap EC2 instance and see that they arrive on port 3005 as expected using tcpdump. I can also ping from the Windows machine to the airgap server... so the connection is working in one direction. The issue I have is that the connection does not work when sending packets from the airgap EC2 instance to my machine via the VPN... If I run socat with various options of udp-recvfrom or udp-listen and udp-sendto or udp-datagram, I get no packets arriving at my Windows machine. Neither can I ping the Windows machine from the EC2 airgap instance (I have tried this with Windows Firewall turned off to test whether the FW was getting in the way). My questions then: 1. Is it possible to do what I want? 2. What am I doing wrong and how can I fix it? 3. Is my assumption about an EC2 instance being a good way of setting up an airgap server like this correct? Many Thanks G
Client VPN Endpoint Authorization rules do not work as I intend to
I set up a Client VPN Endpoint following this article (https://aws.amazon.com/ko/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/). With just a simple example of authorization rules it works well, but when I added some more rules it does not. Here are my examples.
AWS SSO groups:
- Group1: can access all IP ranges in the VPC (10.1.0.0/16)
- Group2: can access only Private Subnet 2 (10.1.255.192/27)
VPC settings:
- VPC: 10.1.0.0/16
- Private Subnet 1: 10.1.0.0/18
- Private Subnet 2: 10.1.255.192/27
- ...
Authorization rules:
1. Destination network to enable access: 10.1.0.0/16, Grant access to: Allow access to users in a specific group, Access group ID: Group1 ID
2. Destination network to enable access: 10.1.255.192/27, Grant access to: Allow access to users in a specific group, Access group ID: Group2 ID
With this configuration, Group2 can access 10.1.255.192/27 fine, but Group1 cannot access 10.1.255.192/27 (which is included in the range 10.1.0.0/16). I don't know why Group1 cannot access 10.1.255.192/27. If anyone knows why this happens, please tell me.
AWS Fortigate S2S directionality issue...
I have an AWS to on-premise Fortigate site-to-site tunnel (static routing) configured and up. I could only pass traffic in the AWS-to-Fortigate direction after sending traffic in the Fortigate-to-AWS direction. Why is this? Is there a tunnel activity timeout involved?
How to fully uninstall AWS VPN Client
So I'm trying to use AWS VPN Client on my macOS Monterey version 12.4 MacBook Pro 16 inch 2019. When downloading a .ovpn from "Client VPN endpoints" I cannot seem to connect to the VPN. When I try to connect, I keep getting this from the client: "Aws VPN Client is trying to install a new helper tool.", in which it asks me for my credentials, which I give it. Then immediately afterwards I get "AWS VPN Client Helper Tool is required to establish the connection." I've reinstalled the software about 8 times. Any time I try to use the "Uninstall AWS VPN Client" I get "Uninstalled failed" with no additional information. So I manually delete the files, and I run these commands to do additional cleanup:
```
# unload the helper launch daemon (launchctl unload takes the plist path)
sudo /bin/launchctl unload /Library/LaunchDaemons/com.amazonaws.acvc.helper.plist
# remove the daemon definition and the privileged helper binary
sudo rm /Library/LaunchDaemons/com.amazonaws.acvc.helper.plist
sudo rm /Library/PrivilegedHelperTools/com.amazonaws.acvc.helper
```
I feel like I'm missing something obvious. It was working fine on my computer until recently. I've confirmed on another computer that the certs work fine. So if there is additional cleanup I can do, let me know. I was wondering if this is a known issue or just me? I looked around and couldn't find any information in the FAQ or troubleshooting guide about it.
SFTP error over AWS VPC tunnel
We set up a site-to-site tunnel to a 3rd-party vendor using our own Fortigate firewall. The tunnel is up and running and we set up a Windows SFTP server in our network for the vendor to do file transfers. All credentials were shared with them, but when they tried to send a file to the server they encountered "File Write error" ERROR Message: Error writing file 3: Permission denied. Firewall policies at both ends have already been set to allow all services through. What could be the reasons why they cannot write to the SFTP server?
AWS Site-to-Site VPN tunnel is available, but can't ping the EC2 instance
I spun up an EC2 instance in a public subnet on a /24 and created a security group allowing SSH and ICMP from 0.0.0.0/0. The Site-to-Site VPN tunnel is up and running using strongSwan. However, pinging the 169 address (inside the tunnel) and the EC2 instance does not work.
Site-to-Site VPN with dynamic WAN address (LTE, Starlink, etc)
Heyo! I'm trying to create a Site-to-Site VPN between two sites without static WAN addresses. My backup plan is just to create the VPN server on an EC2 instance with a static external IP. The Client VPN Endpoints seem like a possibility, but I don't think those will work since I have multiple networks I need to connect at each site and can't NAT through the endpoint. I'm looking at the documentation for Customer Gateways and seeing that specifying the external IP address is optional, so I'm hoping it may connect as a client if I don't specify that? If so, I'm having some issues with the certificates that I'll need help with, but I should probably make a dedicated post for that. Is there another method for what I'm trying to do, or should I just spin up the EC2 instance, install my VPN server of choice and do it that way? Thanks so much for any help!