
My VPC is connected to my premises via IPSec VPN, tunnel is shown to be UP on AWS console.

Things that work:

  • I can see the traffic from my premises (subnet 192.168.0.0/16) to AWS VPC (10.0.0.0/16) on VPC flow logs, marked as accepted.

  • When I do a tcpdump of the ICMP traffic on the terminal using `sudo tcpdump -i eth0 icmp and icmp[icmptype]=icmp-echo`, I do see the ping:

```
06:32:13.446579 IP ip-192-168-234-254.ap-southeast-1.compute.internal > graylog: ICMP echo request, id 17473, seq 18722, length 44
```

  • I can get ping replies when I ping the AWS instance using its public IP, from everywhere.
  • I can get ping replies when I ping the AWS instance using its private IP from another AWS instance in the same VPC.

Things that don't work:

  • I can't get a ping reply when pinging from my premises to any of the AWS instances, including the one that receives my icmp ping.
  • I can't get a ping reply when pinging from my AWS instance to my premises.
  • I can't do a traceroute from my AWS instance to 192.168.234.254 or any of the other private IPs in my premises. These traceroutes end up with timeouts, just asterisk all the way.
  • I can't do a traceroute from my premises to any of the AWS instances. These traceroutes end up with timeouts, just asterisk all the way.

Configurations:

Route Table for the subnet:

```
Destination        target        status    propagated
10.0.0.0/16        local         Active    No
0.0.0.0/16       igw-f06e2d95    Active    No
192.168.0.0/16   vgw-d1084e83    Active    No
```

Security group of AWS instances: Inbound:

```
Type          Protocol    Port Range    Source
All ICMP      All          N/A      0.0.0.0/0
```

Outbound:

```
Type          Protocol    Port Range    Source
All Traffic      All          N/A      0.0.0.0/0
All Traffic      All          N/A      192.168.0.0/16
```

Network ACL inbound:

```
Rule#    Type            Protocol     Port Range        Source        Allow/Deny
100      All Traffic      ALL          ALL          0.0.0.0/0          ALLOW
200      All Traffic      ALL          ALL          192.168.0.0/16     ALLOW
*        All Traffic      ALL          ALL          0.0.0.0/0          DENY
```

Network ACL outbound:

```
Rule#    Type            Protocol     Port Range        Source        Allow/Deny
100      All Traffic      ALL          ALL          0.0.0.0/0          ALLOW
200      All Traffic      ALL          ALL          192.168.0.0/16     ALLOW
*        All Traffic      ALL          ALL          0.0.0.0/0          DENY
```

Trace path from my AWS instance to the IP on my premises shows:

```
tracepath ip-192-168-234-254.ap-southeast-1.compute.internal
 1?: [LOCALHOST]                                         pmtu 9001
 1:  ip-10-0-2-1.ap-southeast-1.compute.internal           0.082ms pmtu 1500
 1:  no reply
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply
```

Other info: My AWS instance is running Ubuntu 14.04.

In short: Traffic from my premises does reach my VPC instance, but I can't get a ping reply or traceroutes in both directions, even though the security groups and network ACLs are set up properly and even though I can get ping replies from within my VPC.

  • Certainly you don't really care about ICMP traffic? What services need to be reachable and are they? – joeqwerty Nov 26 '16 at 15:29
  • Your routing tables, security groups and Network ACLs all look good. Try removing SGs and nACLs one by one and see if the problem resolves. – M. Glatki Nov 28 '16 at 19:13
  • @M.Glatki I've managed to fix it. It was actually the Static Route at the VPN Connections page. Both the pings and the trace routes are working now. – Yoga Nov 29 '16 at 12:12

2 Answers


It was actually the Static Route at the VPN Connections page - I had missed out the step to add a static route to route traffic of certain IPs through the VPN.

For example, if the subnet at your premises uses IPs 173.112.0.0/16:

Add 173.112.0.0/16 under 'IP Prefixes'.

Note that the IP Prefixes column only accepts CIDR blocks. You can add individual IPs by using a /32 CIDR block if you wish to be more restrictive.

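The VPC route table entry pointing 192.168.0.0/16 at the VGW is only half of the path: the VPN connection's own static routes decide which destinations the VGW will actually push into the tunnel, so a reply can match the subnet route and still never leave. The check below is an added illustration, not code from the question or from AWS; it works on constructed data that mirrors the shape of `aws ec2 describe-vpn-connections` output (the `Routes` and `Options.StaticRoutesOnly` fields) plus the subnet route table from the question, and the VPN connection id is a placeholder.

```python
import ipaddress

# Constructed sample: static-routes-only VPN with no static route yet (the asker's original state).
VPN_BEFORE = {"VpnConnections": [{"VpnConnectionId": "vpn-PLACEHOLDER",
                                  "Options": {"StaticRoutesOnly": True}, "Routes": []}]}
# Same connection after the on-prem prefix was added under 'IP Prefixes'.
VPN_AFTER = {"VpnConnections": [{"VpnConnectionId": "vpn-PLACEHOLDER",
                                 "Options": {"StaticRoutesOnly": True},
                                 "Routes": [{"DestinationCidrBlock": "192.168.0.0/16",
                                             "State": "available"}]}]}
# Subnet route table from the question as (destination, target) pairs; 0.0.0.0/0 is the default route.
SUBNET_ROUTES = [("10.0.0.0/16", "local"),
                 ("0.0.0.0/0", "igw-f06e2d95"),
                 ("192.168.0.0/16", "vgw-d1084e83")]


def longest_match(routes, ip):
    """Longest-prefix match, as a VPC route table does; returns the target or None."""
    dst = ipaddress.ip_address(ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def diagnose(vpn_desc, subnet_routes, on_prem_ip):
    """List the reasons return traffic to on_prem_ip would not enter the VPN tunnel.

    Two independent hops must both cover the destination: the subnet route table must
    send it to the VGW, and (for a static-routes-only VPN) the VPN connection must carry
    an available static route for it. An empty list means both hops are covered.
    """
    dst = ipaddress.ip_address(on_prem_ip)
    problems = []
    target = longest_match(subnet_routes, on_prem_ip)
    if not (target or "").startswith("vgw-"):
        problems.append(f"subnet route table sends {on_prem_ip} to {target!r}, not to the VGW")
    conn = vpn_desc["VpnConnections"][0]
    if conn["Options"]["StaticRoutesOnly"]:
        covered = [r["DestinationCidrBlock"] for r in conn["Routes"]
                   if r["State"] == "available"
                   and dst in ipaddress.ip_network(r["DestinationCidrBlock"])]
        if not covered:
            problems.append(f"VPN {conn['VpnConnectionId']} has no available static route "
                            f"covering {on_prem_ip}; add its CIDR under 'IP Prefixes'")
    return problems


if __name__ == "__main__":
    for label, desc in (("before", VPN_BEFORE), ("after", VPN_AFTER)):
        print(label, diagnose(desc, SUBNET_ROUTES, "192.168.234.254") or "OK")
```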

Were you able to do traceroute after adding the static route? I have everything configured, but still can't complete traceroute. I can see the traffic leaving the VPN interface, but not coming back (pinging both ways), so I'm thinking something is blocking it on the on-premise side. I wanted to know if you were able to complete the traceroute at least to the first few hops. I'm getting stars all the way even though it looks like the packets are leaving the VPN out interface.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/518950) – Dave M Apr 26 '22 at 17:36
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Apr 27 '22 at 09:34