AWS VPN routing issues


#1

I’ve successfully set up IPSec VPN connections to an AWS VPN gateway which I was pretty excited about. Unfortunately, I can’t seem to connect to an ec2 instance running in the VPC I’ve configured with the VPN. I suspect it’s something to do with a routing config, or that the Peplink VPN is just not configurable in the way that AWS require. I’m wondering if it’s something to do with the ‘inside’ IP addresses that the AWS generic VPN configuration describes. I haven’t found a way to configure the customer ‘inside’ address on my end of the VPN, but ignoring that, I’ve been able to set up a connection to the AWS VPN that apparently is connected - both ends show that the connection is up.

I configured my end of the tunnel with the subnet of my remote AWS VPC (10.2.0.0/24) and also confirmed that the firewall is configured to allow traffic to this subnet. At the AWS end, I’ve confirmed that the VPN is configured to route to my local subnet (192.168.100.0/24) and that subnet 10.2.0.0/24 has a routing table entry to 192.168.100.0/24 via the VPN gateway. However, when I try and access the instance at 10.2.0.78 from my local end, it just times out. Traceroute just stops at my Peplink router’s internal IP, ssh also just hangs as well. I also confirmed that the EC2 instance’s security group has open access on port 22 (for the purposes of this test).

Has anyone successfully been able to not only set up a successful IPSec connection to AWS, but also access their EC2 instances at the other end? Any help would be appreciated!

Thanks,
Guy

EDIT: Changed 192.168.0.0/24 to 192.168.100.0/24 and 10.3.0.0/16 to 10.2.0.0/16 as these are the correct values.


#2

Hi,

Would you mind sharing the Balance & AWS VPN gateway IPsec settings here so we can investigate the issue further?

Please open a support ticket here if you have difficulty sharing the info here.

Thank You


#3

Thank you, I’ve attached the configs (with shared keys removed/blanked out).

Please note, I am currently only working on one tunnel (AWS supplies 2 separate tunnel endpoints which can be used to failover). The tunnel config I’m using is the one listed first in the attached AWS VPN config file.

AWS VPN config
Peplink config


#4

Hi,

Based on my understanding, this is the network connectivity.

192.168.0.0/24 —> Balance 210 —IPSec tunnel—> AWS —> 10.3.0.0/16

AWS VPN config

  1. I don’t see the settings for the local and remote network. FYI, end-to-end communication will fail without this. Please refer here for setting up the local and remote network, based on my Google result. You may need to check with Amazon for the details.

Peplink config


  1. I don’t see 192.168.0.0/24 in Local Network.

  2. I don’t see 10.3.0.0/24 in Remote Network.

  3. You have configured 10.2.0.0/16 as the Remote Network, but I also noticed you route 10.2.0.0/16 to 192.168.100.14 via LAN (Network > Network Settings > Static Route Settings). Any reason you configured it this way?


#5

Sorry, I should just mention that while I see that I did say I was trying to route to 10.3.0.0/16 in my original post, that was a temporary subnet I set up in my initial exploration to test out the IPsec VPN. Since the original post, I had removed all IPsec configs and deleted the 10.3.0.0/16 VPC from my AWS account. The configs I posted in my last reply were actually from an attempt to route to my real VPC subnets, 10.0.0.0/16 and 10.2.0.0/16. I apologise for the confusion.

  1. Once again, an apology is in order - my actual real local network is 192.168.100.0/24, not 192.168.0.0/24. I’m not sure how I made that mistake.

  2. As I mentioned above, the 10.3.0.0/16 in my original comment was a temporary test from my original post. The configs I posted in my last reply were from an attempt to route to the subnets listed in the attached peplink config.

  3. I realise that I have a static route to 10.2.0.0/16 already set up in the config I sent you, but I had removed it while I was attempting to get the AWS VPN working. I re-added it after but forgot that when I exported the Peplink config. Once again, my apologies for the confusion.

So, just to clarify - I’m actually trying to route to either of 10.0.0.0/16 and 10.2.0.0/16, and I’m aware of the existing static routes and have removed them during my test.


#6

Hi,

Thanks for the clarification. Can you share the latest Internal Firewall settings (Network > Access Rules > Internal Network Firewall Rules)?


#7

Actually, I finally worked this out and got it working. I was prompted by your question to take a look at my firewall configs and I realised that the issue was that I didn’t have a firewall rule in my Balance 210 to allow access back from the AWS end. Nor did I have a rule in my AWS security group to allow access from my office network, as previously I had been accessing the VPC via an openvpn instance in the VPC itself and therefore only had to allow access from this instance’s IP. I made both these firewall changes and now I can connect.

Thanks for your help, I appreciate it.
Guy
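
The fix described in post #7, as an added example that is not part of the original thread: a simplified allow-list model of the two policy points (the EC2 security group and the Balance 210 firewall), evaluated for the office-to-instance flow. The OpenVPN instance address, the office host address and the default-deny rule model are assumptions made for illustration; the subnets, instance IP and port come from the thread.

```python
import ipaddress

OFFICE, VPC = "192.168.100.0/24", "10.2.0.0/16"   # subnets from the thread

def permits(rules, src, dst, port=None, proto="tcp"):
    """True if any allow rule matches; no match means the packet is dropped
    (assumed default-deny model, not Peplink's or AWS's actual engine)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        lo, hi = r.get("ports", (0, 65535))
        if (r["proto"] in (proto, "any")
                and s in ipaddress.ip_network(r["src"])
                and d in ipaddress.ip_network(r["dst"])
                and (port is None or lo <= port <= hi)):
            return True
    return False

def check_path(sg_rules, fw_rules, client, server, port):
    """Evaluate both policy points named in post #7 for one client->server flow."""
    return {
        # AWS side: does the security group admit the office source address?
        "sg_allows_office": permits(sg_rules, client, server, port),
        # Office side: does the Balance firewall admit traffic back from the VPC?
        "balance_allows_aws": permits(fw_rules, server, client),
    }

# Before: the group only trusts the in-VPC OpenVPN instance
# (10.2.0.10 is a constructed address), and the Balance only allows office -> VPC.
BEFORE_SG = [{"proto": "tcp", "src": "10.2.0.10/32", "dst": VPC, "ports": (22, 22)}]
BEFORE_FW = [{"proto": "any", "src": OFFICE, "dst": VPC}]

# After: one rule added at each end, as post #7 describes.
AFTER_SG = BEFORE_SG + [{"proto": "tcp", "src": OFFICE, "dst": VPC, "ports": (22, 22)}]
AFTER_FW = BEFORE_FW + [{"proto": "any", "src": VPC, "dst": OFFICE}]

if __name__ == "__main__":
    client, server = "192.168.100.25", "10.2.0.78"   # client address is constructed
    print("before:", check_path(BEFORE_SG, BEFORE_FW, client, server, 22))
    print("after: ", check_path(AFTER_SG, AFTER_FW, client, server, 22))
```

With the tunnel up and routes in place, either missing rule alone is enough to produce the timeout seen in post #1, so both ends need checking.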


#8

Glad to hear that. :up:


#9

Quick add-on question about the IPsec on this router: is there an enforced limit to the amount of tunnels that can be connected at one time? According to the features matrix, the Balance 210 (which is the model I have) only supports 2 active tunnels, but I currently have 3 set up and apparently working fine. Is the tunnel support only a recommended limit? If so, what problems could I expect as I add more IPsec tunnel connections?

Thanks,
Guy


#10

Hi,

In our testing, the Balance 210 worked optimally with 2 IPsec tunnels. You may configure more than 2 tunnels. However, we can’t guarantee the performance.


#11

I’m also connecting a Peplink router to AWS through VPC. Is it possible to use the Peplink as the NAT gateway for the AWS traffic? I have a good link between AWS and the local network, but the AWS instances cannot reach the internet. I could add a NAT gateway on the AWS side, but that incurs an hourly fee.