AWS Site-to-Site VPN Configuration doesn't allow inbound traffic


I've been following the instructions here: https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/

I can successfully get the VPN up and running, but I can't successfully ping internal IP addresses from behind the VPN.

Here's my setup: "On-prem" is simulated using a VPC with IP address: 172.19.0.0/16. The VPN is deployed on an EC2 instance in the subnet 172.19.16.0/20. This subnet has the following route table:

Destination      Target
172.19.0.0/16    local
172.21.0.0/16    eni-XXXXXXXXX
0.0.0.0/0        igw-XXXXXXXXX

Where eni-XXXXXXXXX is the network interface of the EC2 instance that has the VPN deployed on it.

My cloud VPC has the CIDR range: 172.21.0.0/16. I have an EC2 instance deployed in the 172.21.32.0/20 subnet which has the following route table:

Destination      Target
172.21.0.0/16    local
172.19.0.0/16    vgw-XXXXXXXXX
0.0.0.0/0        igw-XXXXXXXXX

Where the vgw-XXXXXXXXX is the virtual gateway associated with the VPN I have.

I can send traffic from my "on-prem" VPC into my cloud VPC successfully, but no traffic comes back out. I've tested this by SSHing into an EC2 instance in my "on-prem" VPC and then pinging a private IP address of an EC2 instance in my cloud VPC and I can see the pings are received by the EC2 instance in the cloud VPC, but my "on-prem" instance never receives the response.

I have checked my security groups and NACLs and they are not preventing this type of traffic.

Is there something misconfigured here?

This is not an entirely satisfying answer, but I moved from using a Virtual Private Gateway to using a Transit Gateway and I was able to get it to work.
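The symptom in the question (pings arrive in the cloud VPC, replies never come back) is the signature of a return path that fails at a hop the two VPC route tables do not show. The following is an added example, not code from the question, the answer, or the AWS blog post it links: a small Python model of the topology described above that traces a packet in each direction with longest-prefix-match lookups over the two route tables, then continues through the hops outside the tables. The values for those hops (the source/destination check and IPsec traffic selectors on the strongSwan instance, and the prefixes the virtual private gateway learned from the VPN connection) are assumptions of the model, as are the hop names eni-strongswan and vgw-cloud; flipping any of them shows where that direction would be dropped.

```python
import copy
import ipaddress

# Constructed model of the route tables quoted in the question (not AWS API output).
ONPREM_RT = [("172.19.0.0/16", "local"),
             ("172.21.0.0/16", "eni-strongswan"),
             ("0.0.0.0/0", "igw-onprem")]
CLOUD_RT = [("172.21.0.0/16", "local"),
            ("172.19.0.0/16", "vgw-cloud"),
            ("0.0.0.0/0", "igw-cloud")]

# Hops the question does not show. Every value is an assumption of the model,
# chosen so the baseline passes; change one to see which direction breaks.
TOPO = {
    "vpcs": {"onprem": ("172.19.0.0/16", ONPREM_RT),
             "cloud": ("172.21.0.0/16", CLOUD_RT)},
    # EC2 discards packets an instance forwards unless its source/destination
    # check is off, and IPsec only carries traffic matching a child SA selector.
    "eni-strongswan": {"source_dest_check": False,
                       "selectors": ["172.19.0.0/16", "172.21.0.0/16"]},
    # A VGW only sends traffic into the tunnel for prefixes the VPN connection
    # gave it (static routes or BGP advertisements).
    "vgw-cloud": {"vpn_routes": ["172.19.0.0/16"]},
}


def lookup(route_table, dst):
    """Longest-prefix match, which is how a VPC route table picks a target."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def _covered(ip, cidrs):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def _vpc_of(ip, topo):
    for name, (cidr, _) in topo["vpcs"].items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return name
    return None


def _through_vpn_instance(dst, eni, hops):
    """Checks applied whenever the strongSwan instance must forward the packet."""
    if eni["source_dest_check"]:
        return False, hops + ["dropped: source/destination check still enabled on the VPN instance"]
    if not _covered(dst, eni["selectors"]):
        return False, hops + ["dropped: no IPsec traffic selector covers the destination"]
    return True, hops


def trace(src, dst, topo=TOPO):
    """Follow one packet from src to dst. Returns (delivered, hops)."""
    vpc = _vpc_of(src, topo)
    if vpc is None:
        return False, ["dropped: source is not in a modelled VPC"]
    target = lookup(topo["vpcs"][vpc][1], dst)
    hops = [f"{vpc} route table -> {target}"]
    if target == "local":
        return True, hops + ["delivered"]
    if target.startswith("igw-"):
        return False, hops + ["dropped: private destination sent to the internet gateway"]
    if target.startswith("eni-"):            # on-prem -> cloud: instance encapsulates
        ok, hops = _through_vpn_instance(dst, topo[target], hops)
        if not ok:
            return False, hops
        hops.append("IPsec tunnel -> vgw-cloud")
    elif target.startswith("vgw-"):          # cloud -> on-prem: VGW needs the prefix first
        if not _covered(dst, topo[target]["vpn_routes"]):
            return False, hops + ["dropped: VGW has no VPN route for the destination (static route or BGP)"]
        hops.append("IPsec tunnel -> eni-strongswan")
        ok, hops = _through_vpn_instance(dst, topo["eni-strongswan"], hops)
        if not ok:
            return False, hops
    else:
        return False, hops + [f"dropped: unknown target {target}"]
    return True, hops + [f"{_vpc_of(dst, topo)} local delivery", "delivered"]


def check_both_ways(a, b, topo=TOPO):
    """Trace a->b and b->a; an ICMP echo needs both directions to succeed."""
    return {"forward": trace(a, b, topo), "return": trace(b, a, topo)}


def with_change(topo, path, value):
    """Copy the model with one attribute replaced, e.g. ('vgw-cloud', 'vpn_routes')."""
    t = copy.deepcopy(topo)
    node = t
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return t


if __name__ == "__main__":
    print("baseline:", check_both_ways("172.19.16.10", "172.21.32.10"))
    no_vgw_route = with_change(TOPO, ("vgw-cloud", "vpn_routes"), [])
    print("VGW without the on-prem prefix:",
          check_both_ways("172.19.16.10", "172.21.32.10", no_vgw_route))
```

With the baseline values both traces deliver, which matches what the two route tables in the question show: the forward path leaves via the ENI route and the return path via the VGW route, so the tables themselves are not where the reply is lost. Removing the on-prem prefix from the VGW's VPN routes breaks only the return direction, while enabling the source/destination check on the VPN instance breaks both; that asymmetry is what makes the "requests arrive, replies vanish" pattern useful for narrowing down which hop to inspect.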