
AWS Site to Site VPN

gcarson73 (Level 1)

I have an AWS site to site VPN set up but cannot access the instances in AWS.  The router used to connect the AWS Site to Site is a Cisco 2951, IOS 15.5. 

 

Private subnet on Cisco Router is 10.3.81.0/24

Private subnet for AWS is 10.2.10.0/24.

 

From Windows, tracert 10.2.10.19 fails at first hop.  

 

AWS support states the site to site is set up correctly and working, and they will provide no guidance on what I need to do on my router. Any idea?

2 Accepted Solutions


The issue was with my SonicWall, being used as a firewall between my Cisco router and ESXi servers. Even though I allowed all access in the firewall rules, other security settings were blocking the traffic from AWS (10.2.0.0 traffic).

 

Firewall back in play and traffic routing both ways.  Thank you all for your assistance.


27 Replies

Hello,

 

I think AWS expects an SVTI. Post the config of your 2951 router...

Enter configuration commands, one per line. End with CNTL/Z.
tssrouter(config)#do show run
Building configuration...


Current configuration : 12002 bytes
!
! Last configuration change at 19:02:18 UTC Fri Dec 13 2019 by gcarson
!
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname tssrouter
!
boot-start-marker
boot system flash:c2951-universalk9-mz.SPA.155-3.M5.bin
boot-end-marker
!
!
no logging rate-limit
enable secret 5 $1$IewY$MkgHJAwTKF7sLRw7K1AsJ1
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
!
!
!
ip icmp rate-limit unreachable 1200 log 1200 12000
ip icmp rate-limit unreachable DF 1200 log 1200 12000
!
!
!
!
!
!
no ip domain lookup
ip domain name tss.tssgis.com
ip name-server 12.123.80.43
ip name-server 12.123.80.194
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
!
license udi pid CISCO2951/K9 sn FGL170811RR
!
!
username gcarson privilege 15 secret 5 $1$lmGj$6aw5hzb6505AIrcxqc.8t1
!
redundancy
!
!
!
!
no cdp run
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
!
crypto keyring keyring-vpn-04ca814ee4fe4c7a2-1
local-address 12.123.141.178
pre-shared-key address 52.73.2.64 key z5MDQK5twLl384G0Kgd3Zf58eSbwkwEj
crypto keyring keyring-vpn-04ca814ee4fe4c7a2-0
local-address 12.123.141.178
pre-shared-key address 3.90.181.185 key Fm6kdhwKHqhuEPln2dlxEb6VEbDlo._o
!
crypto isakmp policy 200
encr aes
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 201
encr aes
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-04ca814ee4fe4c7a2-0
keyring keyring-vpn-04ca814ee4fe4c7a2-0
match identity address 3.90.181.185 255.255.255.255
local-address 12.123.141.178
crypto isakmp profile isakmp-vpn-04ca814ee4fe4c7a2-1
keyring keyring-vpn-04ca814ee4fe4c7a2-1
match identity address 52.73.2.64 255.255.255.255
local-address 12.123.141.178
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-0 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-1 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-0
set transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-0
set pfs group2
!
crypto ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-1
set transform-set ipsec-prop-vpn-04ca814ee4fe4c7a2-1
set pfs group2
!
!
!
!
!
!
interface Tunnel1
ip address 169.254.182.98 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source 12.123.141.178
tunnel mode ipsec ipv4
tunnel destination 3.90.181.185
tunnel protection ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-0
!
interface Tunnel2
ip address 169.254.193.230 255.255.255.252
ip virtual-reassembly in
ip tcp adjust-mss 1379
tunnel source 12.123.141.178
tunnel mode ipsec ipv4
tunnel destination 52.73.2.64
tunnel protection ipsec profile ipsec-vpn-04ca814ee4fe4c7a2-1
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description internet
ip address 12.123.141.178 255.255.255.240
ip access-group inbound in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly in drop-fragments max-reassemblies 1000
duplex auto
speed auto
!
interface GigabitEthernet0/1
description TSSLAN
ip address 10.2.10.1 255.255.255.0 secondary
ip address 10.3.81.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly in max-reassemblies 1000
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
no ip unreachables
ip nat inside
ip virtual-reassembly in max-reassemblies 1000
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.3.81.5 443 12.123.141.179 443 extendable
ip nat inside source static udp 10.3.81.5 500 12.123.141.179 500 extendable
ip nat inside source static tcp 10.3.81.5 992 12.123.141.179 992 extendable
ip nat inside source static tcp 10.3.81.5 1194 12.123.141.179 1194 extendable
ip nat inside source static udp 10.3.81.5 1701 12.123.141.179 1701 extendable
ip nat inside source static udp 10.3.81.5 4500 12.123.141.179 4500 extendable
ip nat inside source static tcp 10.3.81.5 5555 12.123.141.179 5555 extendable
ip nat inside source static tcp 10.3.81.7 20 12.123.141.180 20 extendable
ip nat inside source static tcp 10.3.81.7 21 12.123.141.180 21 extendable
ip nat inside source static tcp 10.3.81.9 443 12.123.141.180 443 extendable
ip nat inside source static tcp 10.3.81.7 990 12.123.141.180 990 extendable
ip nat inside source static tcp 10.3.81.7 50000 12.123.141.180 50000 extendable
ip nat inside source static tcp 10.3.81.7 50001 12.123.141.180 50001 extendable
ip nat inside source static tcp 10.3.81.7 50002 12.123.141.180 50002 extendable
ip nat inside source static tcp 10.3.81.7 50003 12.123.141.180 50003 extendable
ip nat inside source static tcp 10.3.81.7 50004 12.123.141.180 50004 extendable
ip nat inside source static tcp 10.3.81.7 50005 12.123.141.180 50005 extendable
ip nat inside source static tcp 10.3.81.7 50006 12.123.141.180 50006 extendable
ip nat inside source static tcp 10.3.81.7 50007 12.123.141.180 50007 extendable
ip nat inside source static tcp 10.3.81.7 50008 12.123.141.180 50008 extendable
ip nat inside source static tcp 10.3.81.7 50009 12.123.141.180 50009 extendable
ip nat inside source static tcp 10.3.81.7 50010 12.123.141.180 50010 extendable
ip nat inside source static tcp 10.3.81.7 50011 12.123.141.180 50011 extendable
ip nat inside source static tcp 10.3.81.7 50012 12.123.141.180 50012 extendable
ip nat inside source static tcp 10.3.81.7 50013 12.123.141.180 50013 extendable
ip nat inside source static tcp 10.3.81.7 50014 12.123.141.180 50014 extendable
ip nat inside source static tcp 10.3.81.7 50015 12.123.141.180 50015 extendable
ip nat inside source static tcp 10.3.81.7 50016 12.123.141.180 50016 extendable
ip nat inside source static tcp 10.3.81.7 50017 12.123.141.180 50017 extendable
ip nat inside source static tcp 10.3.81.7 50018 12.123.141.180 50018 extendable
ip nat inside source static tcp 10.3.81.7 50019 12.123.141.180 50019 extendable
ip nat inside source static tcp 10.3.81.7 50020 12.123.141.180 50020 extendable
ip nat inside source static tcp 10.3.81.7 50021 12.123.141.180 50021 extendable
ip nat inside source static tcp 10.3.81.7 50022 12.123.141.180 50022 extendable
ip nat inside source static tcp 10.3.81.7 50023 12.123.141.180 50023 extendable
ip nat inside source static tcp 10.3.81.7 50024 12.123.141.180 50024 extendable
ip nat inside source static tcp 10.3.81.7 50025 12.123.141.180 50025 extendable
ip nat inside source static tcp 10.3.81.7 50026 12.123.141.180 50026 extendable
ip nat inside source static tcp 10.3.81.7 50027 12.123.141.180 50027 extendable
ip nat inside source static tcp 10.3.81.7 50028 12.123.141.180 50028 extendable
ip nat inside source static tcp 10.3.81.7 50029 12.123.141.180 50029 extendable
ip nat inside source static tcp 10.3.81.7 50030 12.123.141.180 50030 extendable
ip nat inside source static tcp 10.3.81.7 50031 12.123.141.180 50031 extendable
ip nat inside source static tcp 10.3.81.7 50032 12.123.141.180 50032 extendable
ip nat inside source static tcp 10.3.81.7 50033 12.123.141.180 50033 extendable
ip nat inside source static tcp 10.3.81.7 50034 12.123.141.180 50034 extendable
ip nat inside source static tcp 10.3.81.7 50035 12.123.141.180 50035 extendable
ip nat inside source static tcp 10.3.81.7 50036 12.123.141.180 50036 extendable
ip nat inside source static tcp 10.3.81.7 50037 12.123.141.180 50037 extendable
ip nat inside source static tcp 10.3.81.7 50038 12.123.141.180 50038 extendable
ip nat inside source static tcp 10.3.81.7 50039 12.123.141.180 50039 extendable
ip nat inside source static tcp 10.3.81.7 50040 12.123.141.180 50040 extendable
ip nat inside source static tcp 10.3.81.7 50041 12.123.141.180 50041 extendable
ip nat inside source static tcp 10.3.81.7 50042 12.123.141.180 50042 extendable
ip nat inside source static tcp 10.3.81.7 50043 12.123.141.180 50043 extendable
ip nat inside source static tcp 10.3.81.7 50044 12.123.141.180 50044 extendable
ip nat inside source static tcp 10.3.81.7 50045 12.123.141.180 50045 extendable
ip nat inside source static tcp 10.3.81.7 50046 12.123.141.180 50046 extendable
ip nat inside source static tcp 10.3.81.7 50047 12.123.141.180 50047 extendable
ip nat inside source static tcp 10.3.81.7 50048 12.123.141.180 50048 extendable
ip nat inside source static tcp 10.3.81.7 50049 12.123.141.180 50049 extendable
ip nat inside source static tcp 10.3.81.7 50050 12.123.141.180 50050 extendable
ip nat inside source static tcp 10.3.81.6 443 12.123.141.181 443 extendable
ip nat inside source static tcp 10.3.81.61 80 12.123.141.182 80 extendable
ip nat inside source static tcp 10.3.81.61 443 12.123.141.182 443 extendable
ip nat inside source static tcp 10.3.81.104 80 12.123.141.183 80 extendable
ip nat inside source static tcp 10.3.81.104 443 12.123.141.183 443 extendable
ip nat inside source static tcp 10.3.81.16 443 12.123.141.184 443 extendable
ip nat inside source static tcp 10.3.81.98 3389 12.123.141.184 3389 extendable
ip nat inside source static tcp 10.3.81.73 80 12.123.141.185 80 extendable
ip nat inside source static tcp 10.3.81.73 443 12.123.141.185 443 extendable
ip nat inside source static tcp 10.3.81.59 443 12.123.141.186 443 extendable
ip nat inside source static tcp 10.3.81.110 80 12.123.141.187 80 extendable
ip nat inside source static tcp 10.3.81.110 443 12.123.141.187 443 extendable
ip nat inside source static tcp 10.3.81.76 3389 12.123.141.187 3389 extendable
ip nat inside source static tcp 10.3.81.76 8080 12.123.141.187 8080 extendable
ip nat inside source static tcp 10.3.81.92 80 12.123.141.188 80 extendable
ip nat inside source static tcp 10.3.81.92 443 12.123.141.188 443 extendable
ip nat inside source static tcp 10.3.81.38 443 12.123.141.189 443 extendable
ip nat inside source static tcp 10.3.81.79 443 12.123.141.190 443 extendable
ip route 0.0.0.0 0.0.0.0 12.123.141.177
!
ip access-list extended blockvty
permit ip host 12.123.12.83 any
permit ip 10.3.81.0 0.0.0.255 any
deny ip any any
ip access-list extended inbound
deny tcp any any fragments
deny udp any any fragments
deny icmp any any fragments
permit icmp 71.115.16.42 0.0.0.1 any
deny ip any any fragments
deny icmp any any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 0.0.0.0 any
permit ip any any
!
ip sla 100
icmp-echo 169.254.182.97 source-interface Tunnel1
frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
icmp-echo 169.254.193.229 source-interface Tunnel2
frequency 5
ip sla schedule 200 life forever start-time now
logging trap debugging
logging host 10.3.81.77
arp 10.3.81.43 03bf.0a03.512b ARPA
arp 10.3.81.42 03bf.0a03.512a ARPA
!
nls resp-timeout 1
cpd cr-id 1
!
access-list 1 permit 10.3.81.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
shutdown
!
!
banner exec ^C
*** Ensure that you update the system configuration ***
*** documentation after making system changes. ***
^C
banner login ^C
*** Login Required. Unauthorized use is prohibited ***
^C
banner motd ^C
If you have not been provided with permission to
access this device - disconnect at once.
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class blockvty in
transport input ssh
!
scheduler allocate 20000 1000
ntp server 64.90.182.55
!
end

Hello,

 

you are missing the static routes. You only have a default route, but you need static routes that point to the networks on the other side of the VPN, with the respective tunnel as the outgoing interface.

 

ip route 10.10.10.0 255.255.255.0 tunnel 0

 

In this example, 10.10.10.0/24 would be the remote network, reachable through the VPN via tunnel 0.

I added ip route 10.2.10.0 255.255.255.0 tunnel1 to see if that helps. I do get a result now from tracert 10.2.10.19, but it's to my PP adapter on my VPN server (using Windows Routing and Remote Access).

 

I guess I will move to another forum.  Thank you for your help

Hello,

 

that doesn't look like the right route:

 

interface GigabitEthernet0/1
description TSSLAN
ip address 10.2.10.1 255.255.255.0 secondary
ip address 10.3.81.1 255.255.255.0

 

--> ip route 10.2.10.0 255.255.255.0 tunnel1

 

You are routing to your OWN local network, that can never work. You need to route to the REMOTE network. What are the local networks on the REMOTE side, the other side of the VPN tunnel?

I am embarrassed to say that the "secondary" route was my failed attempt. I removed that and I am able to ping my AWS instances now! Thank you for your help! It was the route to the tunnel that was missing!

 

Should I do the same route to the second tunnel?

Hello,

 

what is behind the second tunnel? Is that a backup for the first?

Yes, it's a backup route to AWS

Hello,

 

you can install backup routes through the other tunnel by assigning a higher administrative distance:

 

ip route x.x.x.x y.y.y.y Tunnel 2 200

 

So basically configure the same static routes, with Tunnel 2 as the outgoing interface, and an administrative distance of 200.
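The two rules given in this thread (a remote subnet needs a static route whose outgoing interface is the tunnel, and a second copy of that route through the backup tunnel with a higher administrative distance) are easy to check mechanically. The following script is an added example, not code from the thread, from Cisco or from AWS: it parses the parts of a `show run` that matter here (interface addresses, Tunnel interfaces, `ip route` lines) and audits them against those rules, also flagging the earlier mistake of pointing a locally connected subnet into a tunnel. The three sample configs are constructed to mirror the thread's three states; only the prefixes, interface names and next hop are taken from it.

```python
"""Static-route audit for a Cisco IOS site-to-site VPN config (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # outgoing interface name or next-hop IP
    distance: int   # administrative distance; IOS default for a static route is 1


@dataclass
class Config:
    connected: dict = field(default_factory=dict)  # interface -> [connected networks]
    routes: list = field(default_factory=list)


def _is_ipv4(tok):
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _route_tail(tokens):
    """Tokens after the mask -> (next_hop, distance). Accepts 'Tunnel1',
    'tunnel 0' (IOS lets the number stand apart) and a trailing distance."""
    hop, rest = tokens[0], tokens[1:]
    if not _is_ipv4(hop):
        if rest and rest[0].isdigit() and not re.search(r"\d", hop):
            hop, rest = hop + rest[0], rest[1:]     # "Tunnel 2" -> "Tunnel2"
        hop = hop[0].upper() + hop[1:]              # "tunnel1"  -> "Tunnel1"
    distance = int(rest[0]) if rest and rest[0].isdigit() else 1
    return hop, distance


def parse_config(text):
    """Collect connected networks per interface and all static routes."""
    cfg, current = Config(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg.connected.setdefault(current, [])
            continue
        if line == "!":                   # IOS closes every block with '!'
            current = None
            continue
        m = re.match(r"ip address (\S+) (\S+)(?: secondary)?$", line)
        if m and current is not None:
            cfg.connected[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
            continue
        m = re.match(r"ip route (\S+) (\S+) (.+)$", line)
        if m:
            hop, dist = _route_tail(m[3].split())
            cfg.routes.append(Route(ipaddress.ip_network(f"{m[1]}/{m[2]}"), hop, dist))
    return cfg


def audit_vpn_routes(cfg, remote_subnets):
    """Return (code, message) findings for the remote subnets behind the VPN."""
    findings = []
    tunnels = {i for i in cfg.connected if i.startswith("Tunnel")}
    local = [n for nets in cfg.connected.values() for n in nets]
    for r in cfg.routes:                  # rule: never route a local subnet into a tunnel
        if r.next_hop in tunnels:
            for n in local:
                if r.prefix.overlaps(n):
                    findings.append(("LOCAL_VIA_TUNNEL",
                                     f"{r.prefix} via {r.next_hop} overlaps connected subnet {n}"))
    for s in remote_subnets:              # rule: each remote subnet needs a tunnel route
        remote = ipaddress.ip_network(s)
        paths = sorted((r.distance, r.next_hop) for r in cfg.routes
                       if r.next_hop in tunnels and remote.subnet_of(r.prefix))
        if not paths:
            findings.append(("NO_TUNNEL_ROUTE", f"{remote} has no static route out of a tunnel"))
        elif len(paths) < 2 and len(tunnels) > 1:
            findings.append(("NO_BACKUP",
                             f"{remote} only via {paths[0][1]}; add a higher-distance route via the other tunnel"))
    return findings


def suggested_routes(remote_subnets, primary, backup=None, backup_distance=200):
    """Render the IOS lines the thread recommends: primary plus optional floating backup."""
    lines = []
    for s in remote_subnets:
        net = ipaddress.ip_network(s)
        lines.append(f"ip route {net.network_address} {net.netmask} {primary}")
        if backup:
            lines.append(f"ip route {net.network_address} {net.netmask} {backup} {backup_distance}")
    return lines


# Constructed samples mirroring the thread (addresses taken from the posted config).
_TUNNELS = ("interface Tunnel1\n ip address 169.254.182.98 255.255.255.252\n!\n"
            "interface Tunnel2\n ip address 169.254.193.230 255.255.255.252\n!\n")
_LAN = "interface GigabitEthernet0/1\n ip address 10.3.81.1 255.255.255.0\n!\n"
_LAN_WITH_SECONDARY = ("interface GigabitEthernet0/1\n ip address 10.2.10.1 255.255.255.0 secondary\n"
                       " ip address 10.3.81.1 255.255.255.0\n!\n")
_DEFAULT = "ip route 0.0.0.0 0.0.0.0 12.123.141.177\n"
REMOTE = ["10.2.10.0/24"]                                  # the AWS subnet from the question
ORIGINAL_CONFIG = _TUNNELS + _LAN + _DEFAULT              # as first posted: default route only
BROKEN_CONFIG = (_TUNNELS + _LAN_WITH_SECONDARY + _DEFAULT
                 + "ip route 10.2.10.0 255.255.255.0 tunnel1\n")   # the failed attempt
FIXED_CONFIG = (_TUNNELS + _LAN + _DEFAULT
                + "\n".join(suggested_routes(REMOTE, "Tunnel1", "Tunnel 2")) + "\n")

if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_CONFIG), ("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)]:
        print(name, audit_vpn_routes(parse_config(text), REMOTE) or "OK")
```

The "broken" sample explains the traceroute result reported earlier in the thread: with 10.2.10.1/24 configured as a secondary address, 10.2.10.0/24 is a connected route (administrative distance 0), which always beats a static route (distance 1), so the added tunnel route never took effect and packets stayed on the LAN. The "fixed" sample carries the primary route plus the floating static route with distance 200 through Tunnel2, which the router only installs once the Tunnel1 route disappears.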

You have been outstanding!  

 

I am down to one last issue, and you may be able to help.  I am now able to get from On-Prem (10.3.81.0) to AWS (10.2.10.0), but now when I try to go from AWS to On-Prem, traffic is dropping at Tunnel interface on my router.  I assume I need to tell it to go somewhere, but how do I do this?

You need to add static routes on the AWS side to reach On-Prem devices. If you are not familiar with it, just open a ticket on their portal and they will call you back and help.

HTH

I have asked them for help, and since the issue is at my router...they will NOT help.

FYI, when I do a tracert from AWS to my On-Prem, it makes it to the Tunnel1 interface on my router, so it seems it's with my router config (and that is posted above).

Ok, so what is your internal device sitting behind your router?

Do you have a diagram of your network you can post?

If you are not using any routing protocol internally, you most likely need some static routes on your router to reach other subnets within your network and vice versa to reach AWS.

HTH
