Joshua Dumas
asked on
Can't Connect to Anything Over Site-to-Site VPN
I have a site-to-site VPN with Amazon AWS. I see the tunnel is up, but I can't connect to anything on either side. Any idea where I should be looking on either side to ensure routes are configured correctly?
Thoughts?
Amazon Side:
Routes
Inbound Firewall Rules
Outbound Firewall Rules
LAN to VPN
VPN to LAN
Do you have routes propagated? Seems you don't have a route to your other network, only local.
ASKER
I'm confused at what your question is and what you're noticing.
In your very first screenshot, Routes ... There's only local Destination, there's no route to your other network, the one on the other side of the VPN
Are you using static routing? Probably, just making sure...
What about Route Propagation, you might need to propagate the routes so your AWS network can reach your gateway on the other end...
Yes, but for the other gateway (remote site or client site) propagation needs to be "Yes" in the previous screenshot it's still "No".
So in Route Propagation you should add it...
You should add the subnet (virtual private gateway) from your side/customer side to the Route Propagation, the 192.168.99.0/24 network specifically.
Can you show me the Route Tables ...
ASKER
In principle all traffic should go out the gateway, so it should find the way; you could easily test this with a trace route.
But you'll need a machine on both sides.
From your side, do a trace route (for Windows it's tracert) to a machine on the AWS side, from the AWS side do a trace route to a machine on your network and check where it fails.
Ok, no problem ...
For the Routing Policies I'd choose no Gateway and for interface you'll need to have the IPsec Primary Gateway (I'm not sure if you have it in the list) ... If you have just the one tunnel. If you have two tunnels you need to create this connection two times, one for the first tunnel and a second one for the second.
ASKER
It's probably because your network is not propagated yet on Amazon's side ... As per my previous comment :)
You should add the subnet (virtual private gateway) from your side/customer side to the Route Propagation, the 192.168.99.0/24 network specifically.
Can you show me the Route Tables ...
ok, propagated, but you do not really need that second (propagated) local network there, the last one in the list you can remove that.
What does the trace route tell you when starting from the AWS side?
Weird, what does Subnet Associations tell us... Might be you attached your local net to a VPG where it wasn't needed...
Hmmm, we should find a way to remove the 192.168.200.0/24 network from the Route Propagation, not sure where it's configured that it won't let you delete it maybe at the Virtual Private Gateway level ...
Hmmm no ... Strange, you have two addresses connected to the same vgw-target ... That causes some routing issues probably...
I'll have to go over my config to see where it's going wrong, but I have to go now I'm afraid, I might be able to help you again tomorrow.
So, how far are we on this? Any progress?
ASKER
Here's where we're at...
I rebuilt the VPC after we talked and I'm able to tracert to a device on the Amazon side, but it stops right after it gets over to them - see below
I'm able to connect to a device on the Amazon side (I have a public IP that I'm able to RDP to) and I tracert to something on my side, but that fails completely - see below
As for the VPC, I took the time to take screen shots of everything
Good thing starting from scratch... But it's still the same issue, you need to add the route back to your network and propagate it to the VPC network. This way that (VPC) network will know the way to your network.
Let me see if I can find some instructions on that if need be.
It's actually in the AWS manual so it seems:
Source
For static routing, if you do not enable route propagation, you must manually enter the static routes used by your VPN connection. To do this, select your route table, then on the Routes tab in the details pane, click Edit. Add the static route used by your VPN connection in the Destination field, select the virtual private gateway ID from the Target list, and then click Save.
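As an added illustration (not part of the thread or of AWS's own tooling), the following script applies the checks the expert walked through above to a route table in the shape returned by `aws ec2 describe-route-tables`: is there an active route covering the customer-side 192.168.99.0/24 via the virtual private gateway, is propagation enabled for that gateway, and does any route via the gateway overlap the VPC's own CIDR (the unneeded local-network entry mentioned earlier). The route table, VPC CIDR and gateway id are constructed placeholders.

```python
"""Check an AWS VPC route table for the VPN routing conditions discussed above."""
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# Not real output from the asker's account; ids and the VPC CIDR are placeholders.
VPC_CIDR = "10.0.0.0/16"
REMOTE_CIDR = "192.168.99.0/24"       # customer-side network named in the thread
VGW_ID = "vgw-EXAMPLE"                # hypothetical virtual private gateway id

SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "PropagatingVgws": [],            # propagation "No", as in the early screenshot
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
}


def diagnose(route_table, vpc_cidr, remote_cidr, vgw_id):
    """Return a list of findings explaining why VPN traffic may not be routed.

    An empty list means the table has a usable path to the remote network.
    """
    findings = []
    vpc_net = ipaddress.ip_network(vpc_cidr)
    remote_net = ipaddress.ip_network(remote_cidr)
    propagated = vgw_id in route_table.get("PropagatingVgws", [])

    # Active routes whose target is the virtual private gateway.
    vgw_routes = [r for r in route_table["Routes"]
                  if r.get("GatewayId") == vgw_id and r.get("State") == "active"]
    # Static routes that cover the remote network (exact match or a wider prefix).
    covering = [r for r in vgw_routes
                if remote_net.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]

    if not covering and not propagated:
        findings.append(f"no route to {remote_cidr} via {vgw_id}: "
                        "add a static route or enable route propagation")
    for r in vgw_routes:
        dest = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dest.overlaps(vpc_net):
            findings.append(f"route {dest} via {vgw_id} overlaps the VPC's own "
                            f"{vpc_cidr}; remove it")
    return findings


def add_static_route(route_table, cidr, vgw_id):
    """Mirror the console fix quoted above: Edit -> Destination/Target -> Save."""
    route_table["Routes"].append(
        {"DestinationCidrBlock": cidr, "GatewayId": vgw_id, "State": "active"})
    return route_table
```

Run `diagnose(SAMPLE_ROUTE_TABLE, VPC_CIDR, REMOTE_CIDR, VGW_ID)` to see the missing-route finding, then `add_static_route` the 192.168.99.0/24 entry (or add the gateway to `PropagatingVgws`) and re-run to confirm it clears.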
ASKER
Recreating the VPN connection did the trick... Can't believe it was that easy... Thanks so much for your assistance!!!