Amazon AWS VPN Bidirectional Device Access

After setting up an Amazon VPN connection and configuring my gateway using the downloaded configuration, I am able to directly ssh to the private IP of an EC2 instance in my VPC. However, both the EC2 instance and an AppStream instance are unable to access local network resources on my side of the connection. The gateway I am using is a Cisco 1941 that runs IOS 12.4+.

Access to the customer gateway (10.0.0.2) works for the EC2 instance in the VPC (192.168.170.72):

traceroute to 10.0.0.2 (10.0.0.2), 64 hops max
1 169.254.45.190 40.357ms * 21.617ms
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=21.2 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=24.9 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=254 time=21.3 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=254 time=46.9 ms

But access to a local machine that provides internal network access does not:

traceroute to 10.0.0.80 (10.0.0.80), 64 hops max
1 169.254.45.190 21.508ms 23.094ms 21.671ms
2 * * *
3 * * *
...
PING 10.0.0.80 (10.0.0.80) 56(84) bytes of data.
--- 10.0.0.80 ping statistics ---
19 packets transmitted, 0 received, 100% packet loss, time 17999ms

A packet capture run on 10.0.0.80 shows that the ping request is received and replied to:

[Image: 10.0.0.80 (local machine) packet capture]

And packet captures from the Tunnel interfaces show that the packets are routed to the tunnel:

[Image: Tunnel1 interface packet capture]

[Image: Tunnel2 interface packet capture]

Here is the configuration for the Cisco 1941w gateway:

no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.0.0.0 10.0.0.10
ip dhcp excluded-address 10.0.0.66
ip dhcp excluded-address 10.0.0.93
ip dhcp excluded-address 10.0.0.97
ip dhcp excluded-address 10.0.0.231
!
ip dhcp pool embedded-router-pool
 network 10.0.0.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
!
!
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
redundancy
!
track 100 ip sla 100 reachability
!
track 200 ip sla 200 reachability
!
crypto keyring keyring-vpn-39bea158-1
  local-address PUBLIC_IP
  pre-shared-key address PUBLIC_VPN_IP_1 key KEY1
crypto keyring keyring-vpn-39bea158-0
  local-address PUBLIC_IP
  pre-shared-key address PUBLIC_VPN_IP_2 key KEY2
!
crypto isakmp policy 1
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-39bea158-0
   keyring keyring-vpn-39bea158-0
   match identity address PUBLIC_VPN_IP_2 255.255.255.255
   local-address PUBLIC_IP
crypto isakmp profile isakmp-vpn-39bea158-1
   keyring keyring-vpn-39bea158-1
   match identity address PUBLIC_VPN_IP_1 255.255.255.255
   local-address PUBLIC_IP
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-39bea158-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-39bea158-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-39bea158-0
 set transform-set ipsec-prop-vpn-39bea158-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-39bea158-1
 set transform-set ipsec-prop-vpn-39bea158-1
 set pfs group2
!
!
bridge irb
!
!
!
!
interface Tunnel1
 ip address 169.254.46.162 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source PUBLIC_IP
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC_VPN_IP_2
 tunnel protection ipsec profile ipsec-vpn-39bea158-0
!
interface Tunnel2
 ip address 169.254.45.190 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1379
 tunnel source PUBLIC_IP
 tunnel mode ipsec ipv4
 tunnel destination PUBLIC_VPN_IP_1
 tunnel protection ipsec profile ipsec-vpn-39bea158-1
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
 bridge-group 1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered BVI1
 arp timeout 0
 no mop enabled
 no mop sysid
!
interface GigabitEthernet0/1
 ip address PUBLIC_IP 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Wlan-GigabitEthernet0/0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface FastEthernet0/0/0
 ip address PUBLIC_T1_IP 255.255.255.248
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan10
 no ip address
!
interface BVI1
 ip address 10.0.0.2 255.0.0.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 192.168.0.0 255.255.0.0 Tunnel1 track 100
ip route 192.168.0.0 255.255.0.0 Tunnel2 track 200
ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2
!
ip sla 100
 icmp-echo 169.254.46.161 source-interface Tunnel1
 frequency 5
ip sla schedule 100 life forever start-time now
ip sla 200
 icmp-echo 169.254.45.189 source-interface Tunnel2
 frequency 5
ip sla schedule 200 life forever start-time now
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255

There is one thing that stands out to me:

ip route 0.0.0.0 0.0.0.0 PUBLIC_IP_2

That PUBLIC_IP_2 is not the same as PUBLIC_IP. PUBLIC_IP_2 ends in 250 whereas PUBLIC_IP ends in 248.
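As an added example (not part of the original post), the following Python script walks the VPN-relevant parts of the posted running-config and reports the checks a reviewer would make before blaming the tunnel: that each IP SLA probe targets the far end of its own tunnel /30, that the DHCP pool mask agrees with the interface serving that subnet, and that the pool hands out a default-router. The CONFIG string is a constructed excerpt of the lines quoted above; the findings it prints are observations about that config, and the post itself does not say whether they explain the missing return path.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed excerpt of the Cisco 1941 running-config in the post: only the
# lines these checks read (DHCP pool, interface addresses, tunnel SLA probes).
CONFIG = """\
ip dhcp pool embedded-router-pool
 network 10.0.0.0 255.255.255.0
interface Tunnel1
 ip address 169.254.46.162 255.255.255.252
interface Tunnel2
 ip address 169.254.45.190 255.255.255.252
interface BVI1
 ip address 10.0.0.2 255.0.0.0
ip sla 100
 icmp-echo 169.254.46.161 source-interface Tunnel1
ip sla 200
 icmp-echo 169.254.45.189 source-interface Tunnel2
"""

def check_config(cfg):
    """Walk an IOS config once and return a list of finding strings."""
    ifaces, pools, probes, findings, ctx = {}, {}, [], [], []
    for line in cfg.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line.startswith(" "):       # a top-level line opens a new block
            ctx = w
        elif ctx[:1] == ["interface"] and w[:2] == ["ip", "address"]:
            ifaces[ctx[1]] = IPv4Interface(f"{w[2]}/{w[3]}")
        elif ctx[:3] == ["ip", "dhcp", "pool"]:
            pools.setdefault(ctx[3], []).append(w)
        elif ctx[:2] == ["ip", "sla"] and w[0] == "icmp-echo":
            probes.append((ctx[2], w[1], w[3]))   # (sla id, target, source-interface)
    # A tunnel keepalive probe must target the far end of its own /30, or the
    # tracked static route through that tunnel never comes up.
    for sla_id, target, ifname in probes:
        if IPv4Address(target) not in ifaces[ifname].network:
            findings.append(f"sla {sla_id}: {target} is outside {ifaces[ifname].network}")
    # The pool's network must agree with the mask on the interface serving it, and
    # the pool must hand out a default-router, or clients without a static gateway
    # have no route toward the VPC prefix that only the router knows about.
    for name, lines in pools.items():
        net = next(IPv4Network(f"{w[1]}/{w[2]}") for w in lines if w[0] == "network")
        if not any(w[0] == "default-router" for w in lines):
            findings.append(f"dhcp pool {name}: no default-router configured")
        for ifname, addr in ifaces.items():
            if addr.ip in net and addr.network != net:
                findings.append(f"dhcp pool {name} is {net} but {ifname} is {addr.network}")
    return findings
```

Running `check_config(CONFIG)` on the excerpt reports the missing default-router and the /24 pool versus /8 BVI1 mask; both SLA probes pass.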
