I haven't been able to solve this problem for a few days, I've followed millions of tutorials online but I couldn't find anything about it.
I have an EC2 instance whose private IP is 172.31.27.40. I have only one VPC (the default one, with 3 subnets).
On prem I have the public IP address 1.2.3.4. I created a customer gateway (with the on-prem public IP), a virtual private gateway (to which I attached the VPC) and the site-to-site connection.
My 2 tunnels are UP; in Static Routes I added 192.168.0.0/24 (my on-prem subnet). I am using the aws-updown.sh script in the ipsec configuration.
My ipsec config:
conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=1.2.3.4
    right=(Outside IP address Tunn1)
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    leftsubnet=192.168.0.0/24
    rightsubnet=172.31.0.0/16
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    ## Please note the following line assumes you only have two tunnels in your Strongswan configuration file. This "mark" value must be unique and may need to be changed based on other entries in your configuration file.
    mark=499
    ## Uncomment the following line to utilize the script from the "Automated Tunnel Healthcheck and Failover" section. Ensure that the integer after "-m" matches the "mark" value above, and <VPC CIDR> is replaced with the CIDR of your VPC
    ## (e.g. 192.168.1.0/24)
    leftupdown="/usr/local/sbin/ipsec-notify.sh -ln Tunnel1 -ll *******/30 -lr ******/30 -m 499 -r 172.31.0.0/16"
From EC2:
[root@ip-***** ec2-user]# ping 192.168.0.58
PING 192.168.0.58 (192.168.0.58) 56(84) bytes of data.
64 bytes from 192.168.0.58: icmp_seq=1 ttl=64 time=7.82 ms
64 bytes from 192.168.0.58: icmp_seq=2 ttl=64 time=7.84 ms
64 bytes from 192.168.0.58: icmp_seq=3 ttl=64 time=7.76 ms
64 bytes from 192.168.0.58: icmp_seq=4 ttl=64 time=10.8 ms
From on-prem:
root@****:/home/utente# ping 172.31.27.40
PING 172.31.27.40 (172.31.27.40) 56(84) bytes of data.
From 169.254.**** icmp_seq=1 Destination Host Unreachable
From 169.254.**** icmp_seq=2 Destination Host Unreachable
From 169.254.**** icmp_seq=3 Destination Host Unreachable
From 169.254.**** icmp_seq=4 Destination Host Unreachable
Can you help me?
TL;DR
The AWS updown script creates the routes but does not provide a src IP to the route.
Open the leftupdown script with an editor and add the src to the route in add_route().
From:
To:
Notice: Obviously, replace MY-LOCAL-ON-PREM-IP with your corresponding local IP (192.168.0.58)!
Explanation
I had the exact same problem. I followed the AWS Documentation and created a Site-To-Site VPN in combination with a virtual private gateway. I downloaded the configuration TXT for Strongswan and followed the instruction inside of it. Specifically, I also used the updown script from the AWS configuration TXT.
Here is my on-prem local IP:
Here is my ipsec tunnel config:
So far so good. But! The AWS updown script (/etc/ipsec.d/aws-updown.sh) is missing a crucial part. You have to specify the src within the add_route() function! Without the src, the ICMP reply can not find the way back to your On-Prem server. (See TL;DR section.)