I need help with static routing for an AWS managed Vpn connection to a either a Greenbow VPN client or another AWS VPC. I am a developer, not a network engineer, but I have set up both hardware and software VPNs in the past, just never AWS managed. I know the easiest way is to just peer the VPCs together but that is not how we want to set it up. First off I am not sure if you can even connect two VPCs using the AWS managed VPNs. From what I have read they can not initiate connections, only receive them so manged to manged may not be possible. We tried setting up a Greenbow VPN client on a VPC with no manged VPN connection and when we try to connect we are able. The problem is that we can not ping any machines. All firewall rules are configured properly ( we can ping using the external IPs). Basically we have the windows firewalls turned off and the AWS security groups allowing all traffic between the two VPCs. Here is where I believe the problem is and it comes with question. We set the VPN connections to use static routing and added a route to the managed VPN subnet routing table specifying the subnet that the Greenbow client is in and used the managed gateway as the target. On the Greenbow side we configured it with the subnet we want to reach on the managed VPN side. so Here is an example to make it more clear:
Our side of the VPN (the one with the Managed VPN connection) subnet: 172.31.0.0 mask 255.255.0.0
Client side of the VPN (the one with the Greenbow client) subnet: 184.108.40.206 mask 255.255.0.0
We created a customer gateway with the client external ip (won't specify it for obvious reasons)
We then created a Virtual Private Gateway and attached it to our VPC.
We then created a VPN connect specifying the customer gateway and the virtual private gateway. We chose static routing and allowed AWS to chose the preshared key as well as the Inside IP Tunnel CIDR.
We then created a static route for the subnet as follows : Destination : 220.127.116.11/16 Target: we chose the virtual private gateway we set up.
The client used the managed VPN external ip and entered all of the security config details we gave them for the tunnels. In the Greenbow client for the destination they chose subnet as the type and entered the following : 172.31.0.0 mask 255.255.0.0
Then then attempted to connect. The greenbow logs showed the connection and sent acknowledgements and got replies. The vpn connection on our side showed "UP", but we can not reach any systems on either side.
Here is where I think the problem may be and an excerpt from the AWS config file we downloaded for the connection:
To route traffic between your internal network and your VPC,
you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.44.69
You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
This is the internal IP CIDR according to AWS. I have no idea what this is and what they want us to do. Normally when setting up a VPN you just specify the subnets on both sides and all works well. I have never seen this and like I said I think this might be the problem. Please if anyone can enlighten me that would be awesome.
Thanks in advance