
AWS Managed VPN problem

Asked by exptech
Tags: Networking, AWS, VPN
I need help with static routing for an AWS managed VPN connection to either a Greenbow VPN client or another AWS VPC. I am a developer, not a network engineer, but I have set up both hardware and software VPNs in the past, just never AWS managed. I know the easiest way is to just peer the VPCs together, but that is not how we want to set it up. First off, I am not sure if you can even connect two VPCs using the AWS managed VPNs. From what I have read they cannot initiate connections, only receive them, so managed to managed may not be possible.

We tried setting up a Greenbow VPN client on a VPC with no managed VPN connection and when we try to connect we are able. The problem is that we cannot ping any machines. All firewall rules are configured properly (we can ping using the external IPs). Basically we have the Windows firewalls turned off and the AWS security groups allowing all traffic between the two VPCs.

Here is where I believe the problem is, and it comes with a question. We set the VPN connections to use static routing and added a route to the managed VPN subnet routing table specifying the subnet that the Greenbow client is in and used the managed gateway as the target. On the Greenbow side we configured it with the subnet we want to reach on the managed VPN side. So here is an example to make it more clear:

Our side of the VPN (the one with the Managed VPN connection) subnet:  172.31.0.0 mask 255.255.0.0
Client side of the VPN (the one with the Greenbow client) subnet: 172.35.0.0 mask 255.255.0.0

We created a customer gateway with the client external IP (won't specify it for obvious reasons).
We then created a Virtual Private Gateway and attached it to our VPC.
We then created a VPN connection specifying the customer gateway and the virtual private gateway. We chose static routing and allowed AWS to choose the preshared key as well as the Inside IP Tunnel CIDR.

We then created a static route for the subnet as follows: Destination: 172.35.0.0/16 Target: we chose the virtual private gateway we set up.

The client used the managed VPN external IP and entered all of the security config details we gave them for the tunnels. In the Greenbow client for the destination they chose subnet as the type and entered the following: 172.31.0.0 mask 255.255.0.0

They then attempted to connect. The Greenbow logs showed the connection and sent acknowledgements and got replies. The VPN connection on our side showed "UP", but we cannot reach any systems on either side.

Here is where I think the problem may be and an excerpt from the AWS config file we downloaded for the connection:

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:

  - Next hop       : 169.254.44.69
 
You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.

This is the internal IP CIDR according to AWS. I have no idea what this is and what they want us to do. Normally when setting up a VPN you just specify the subnets on both sides and all works well. I have never seen this and like I said I think this might be the problem. Please if anyone can enlighten me that would be awesome.

Thanks in advance
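
As an added example that is not part of the original post, the Python sketch below checks the routing pieces the question and the AWS excerpt mention for consistency: the VPC subnet route table, the static routes on the VPN connection (the routes the excerpt says to add "on the VGW"), the remote subnet entered in the client, and the tunnel next hop. The function names, the `vgw-EXAMPLE` ID and the sample state, including the empty static-route list, are constructed assumptions and not the poster's actual configuration.

```python
import ipaddress
import re

# Lines quoted in the question from the downloaded AWS configuration file.
AWS_EXCERPT = "Static Route Configuration Options:\n\n  - Next hop       : 169.254.44.69\n"

def tunnel_next_hop(text):
    """Extract the 'Next hop' address from the AWS configuration excerpt."""
    m = re.search(r"Next hop\s*:\s*(\d{1,3}(?:\.\d{1,3}){3})", text)
    return ipaddress.ip_address(m.group(1)) if m else None

def check_static_vpn(vpc_cidr, client_cidr, route_table, vpn_static_routes,
                     client_remote, next_hop, vgw_id):
    """Return findings; an empty list means the routing pieces agree."""
    vpc = ipaddress.ip_network(vpc_cidr)
    client = ipaddress.ip_network(client_cidr)
    findings = []
    if vpc.overlaps(client):
        findings.append("VPC and client CIDRs overlap")
    # VPC side: the subnet route table sends the client CIDR to the VGW.
    if not any(ipaddress.ip_network(dest) == client and target == vgw_id
               for dest, target in route_table):
        findings.append("route table has no client CIDR route via the VGW")
    # VGW side: static routes configured on the VPN connection itself.
    if not any(client.subnet_of(ipaddress.ip_network(r)) for r in vpn_static_routes):
        findings.append("VPN connection has no static route covering the client CIDR")
    # Client side: the remote subnet entered in the VPN client.
    if not ipaddress.ip_network(client_remote).overlaps(vpc):
        findings.append("client remote subnet does not cover the VPC CIDR")
    # The next hop should be a link-local tunnel inside address.
    if next_hop is None or not next_hop.is_link_local:
        findings.append("next hop is not a link-local tunnel inside address")
    return findings

# Constructed state for illustration; "vgw-EXAMPLE" is a placeholder ID.
SAMPLE = dict(
    vpc_cidr="172.31.0.0/16",
    client_cidr="172.35.0.0/16",
    route_table=[("172.31.0.0/16", "local"), ("172.35.0.0/16", "vgw-EXAMPLE")],
    vpn_static_routes=[],                      # assumed empty for the demo
    client_remote="172.31.0.0/255.255.0.0",    # mask notation as entered in the client
    next_hop=tunnel_next_hop(AWS_EXCERPT),
    vgw_id="vgw-EXAMPLE",
)

if __name__ == "__main__":
    for finding in check_static_vpn(**SAMPLE):
        print("FINDING:", finding)
```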
ASKER CERTIFIED SOLUTION
Phil Phillips
Lead Platform Engineer
