1

I'm trying to setup a site-to-site VPN connection in AWS. I control the AWS account but the remote firewall is for an external company and not under my control. As my network knowledge is slight I am assuming any problems are at my end.

Unfortunately, all the walk throughs I can find assume you have control over both ends of the connection and don't seem to help me.

As far as I can see the process is simple

  1. Create a Customer Gateway pointing to the remote firewall
  2. Create a Virtual Private Gateway connected to our VPC
  3. Create a Site-to-Site VPN connection to connect the above 2
  4. Set the route propagation fro the VPG to yes

However, when I look at the tunnel details in the AWS console they are always just DOWN and at least currently there are no details available. I have noted the IP addresses the system has given me and passed those onto our customer.

I have read through all the examples I have found and looked at the Network ACLs and security groups and there appears to be nothing blocking the connections in those.

When I set up the connection I have tried both 'Dynamic' and 'Static' Routing options. The problem with the 'Static' option is it is asking for IP Prefixes and I can't workout what I should use. The only other wrinkle is I apparently have to use ikev1 only.

At the moment, after much fiddling the remote firewall is apparently not getting any hits from us at all. Can anyone help, or point to a dummys guide for all this?

Andrew
  • 11
  • 2
  • unfortunately AWS site-to-site has no logs.so get logs from the other side. especially when they initiate the VPN. – exeral Nov 20 '20 at 17:46
  • VPNs can be fiddly and you have relatively little control or visibility on the AWS side. You basically just set it up on the AWS side, download the configuration, and send it to whoever controls the other end. The VPN only shows "up" once they have connected. Keep the shared secret alphanumeric, some routers / firewalls don't support other characters and give you misleading error messages. If you want to try it out yourself look for an AWS / StrongSwan tutorial. – Tim Nov 22 '20 at 06:41

1 Answers1

3

In the solution that you've described, after all the configurations that you've mentioned you need to generate the configuration file for that connection using the menu on the top of the page and selecting your customer equipment brand and software version.

Then you send that file to your customer so they import it on their VPN concentrador. They are the ones that need to start the connection against you, not the other way.

Regarding static or dynamic, that refers to the IP or subnets that are going to be advertised by your customer inside the VPN.

Static - they need to give you the subnets and you configure from your side

Dynamic - they will be using BGP and need to provide you with the ASN so you configure it on you side.

Relevant documentation: Dynamic: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html

General overview: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

BANJOSA
  • 370
  • 1
  • 3
  • 15