
Can anyone kindly tell me whether it's possible or not in the first place? Suppose:

  • There are two EC2 instances
    • in one AWS account/VPC,
    • in different subnets/availability zones from each other,
    • running CentOS 7.
  • I need to create an IPIP tunnel between the instances via their public IP addresses, for some reason.
  • And the tunnel won't work.
    • The relevant network ACLs and security groups explicitly allow all traffic.
    • iptables/firewalld are both disabled on each EC2 instance.
    • When the tunnel is via their public addresses, it works nicely, in fact.

To go into detail, I tried the following, in vain:

  • instance #1:
    • public IP address: x.x.x.x (elastic IP address)
  • instance #2:
    • public IP address: y.y.y.y (non-elastic IP address)
  • adding a tunnel on instance #1:

$ sudo ip tunnel add tun0 mode ipip remote y.y.y.y local x.x.x.x
$ sudo ip address add 192.168.1.11 peer 192.168.2.11 dev tun0
$ sudo ip link set mtu 1480 dev tun0
$ sudo ip link set tun0 up
$ ip address show
(snip)
4: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip x.x.x.x peer y.y.y.y
    inet 192.168.1.11 peer 192.168.2.11/32 scope global tun0
       valid_lft forever preferred_lft forever
  • adding a tunnel on instance #2:
$ sudo ip tunnel add tun0 mode ipip remote x.x.x.x local y.y.y.y
$ sudo ip address add 192.168.2.11 peer 192.168.1.11 dev tun0
$ sudo ip link set mtu 1480 dev tun0
$ sudo ip link set tun0 up
$ ip address show
(snip)
4: tun0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip y.y.y.y peer x.x.x.x
    inet 192.168.2.11 peer 192.168.1.11/32 scope global tun0
       valid_lft forever preferred_lft forever
  • testing on instance #1:
$ ping 192.168.2.11
PING 192.168.2.11 (192.168.2.11) 56(84) bytes of data.
^C
--- 192.168.2.11 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
  • testing on instance #2:
$ ping 192.168.1.11
PING 192.168.1.11 (192.168.1.11) 56(84) bytes of data.
^C
--- 192.168.1.11 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

Any answers/suggestions are greatly appreciated, thank you.

  • `sudo ip tunnel add tun0 mode ipip remote x.x.x.x local y.y.y.y` Here, you should be using x.x.x.x = remote **public** but y.y.y.y = local **private**. The Internet Gateway knows the local instance's public IP but the local instance does not know its own public IP. – Michael - sqlbot May 01 '19 at 20:29

1 Answer


Thank you so much, Michael, your comment was all it took. Here I'll quote it and close this question:

sudo ip tunnel add tun0 mode ipip remote x.x.x.x local y.y.y.y Here, you should be using x.x.x.x = remote public but y.y.y.y = local private. The Internet Gateway knows the local instance's public IP but the local instance does not know its own public IP.

Thank you again.
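The point in Michael's comment, as an added example that is not part of the question or the answer: on EC2 the public/Elastic IP is a 1:1 NAT held by the Internet Gateway and is never configured on the instance's interface, so the tunnel's `local` address must be the instance's private VPC address. The helper below generates the tunnel commands and refuses a non-private `local` address; the addresses 203.0.113.10 (peer's public IP), 10.0.1.5 (own private IP) and 198.51.100.7 (own Elastic IP) are constructed documentation-range values.

```shell
#!/bin/sh
# Added example, not from the question or the comment: build the IPIP tunnel
# commands for an EC2 instance and refuse a "local" address that is not a
# private (RFC 1918) VPC address, which the kernel cannot source packets from.

# is_private_ipv4 ADDR: succeed if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            octet2=${1#172.}
            octet2=${octet2%%.*}
            [ "$octet2" -ge 16 ] 2>/dev/null && [ "$octet2" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# ipip_tunnel_cmds REMOTE LOCAL_PRIVATE TUN_ADDR PEER_ADDR [MTU]
# Prints the commands to run as root instead of executing them, so the plan can
# be reviewed without privileges. Fails when LOCAL_PRIVATE is not private.
ipip_tunnel_cmds() {
    remote=$1 local_ip=$2 tun_addr=$3 peer_addr=$4 mtu=${5:-1480}
    if ! is_private_ipv4 "$local_ip"; then
        echo "error: local $local_ip is not a private VPC address; use the ENI's private IP" >&2
        return 1
    fi
    printf 'ip tunnel add tun0 mode ipip remote %s local %s\n' "$remote" "$local_ip"
    printf 'ip address add %s peer %s dev tun0\n' "$tun_addr" "$peer_addr"
    # 1480 = 1500 minus the 20-byte outer IPv4 header added by IPIP.
    printf 'ip link set mtu %s dev tun0\n' "$mtu"
    # The "set" verb is required: "ip link tun0 up" is not a valid command.
    printf 'ip link set tun0 up\n'
}

# Constructed sample: peer public IP 203.0.113.10, own private IP 10.0.1.5.
ipip_tunnel_cmds 203.0.113.10 10.0.1.5 192.168.1.11 192.168.2.11
# Using the instance's own Elastic IP as local, as in the question, is rejected.
ipip_tunnel_cmds 203.0.113.10 198.51.100.7 192.168.1.11 192.168.2.11 || echo "rejected as expected"
```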