AWS Site-to-Site VPN not working
I'm trying to setup a site-to-site VPN connection in AWS. I control the AWS account but the remote firewall is for an external company and not under my control. As my network knowledge is slight I am assuming any problems are at my end.
Unfortunately, all the walk throughs I can find assume you have control over both ends of the connection and don't seem to help me.
As far as I can see the process is simple
- Create a Customer Gateway pointing to the remote firewall
- Create a Virtual Private Gateway connected to our VPC
- Create a Site-to-Site VPN connection to connect the above 2
- Set the route propagation fro the VPG to yes
However, when I look at the tunnel details in the AWS console they are always just DOWN and at least currently there are no details available. I have noted the IP addresses the system has given me and passed those onto our customer.
I have read through all the examples I have found and looked at the Network ACLs and security groups and there appears to be nothing blocking the connections in those.
When I set up the connection I have tried both 'Dynamic' and 'Static' Routing options. The problem with the 'Static' option is it is asking for IP Prefixes and I can't workout what I should use. The only other wrinkle is I apparently have to use ikev1 only.
At the moment, after much fiddling the remote firewall is apparently not getting any hits from us at all. Can anyone help, or point to a dummys guide for all this?
In the solution that you've described, after all the configurations that you've mentioned you need to generate the configuration file for that connection using the menu on the top of the page and selecting your customer equipment brand and software version.
Then you send that file to your customer so they import it on their VPN concentrador. They are the ones that need to start the connection against you, not the other way.
Regarding static or dynamic, that refers to the IP or subnets that are going to be advertised by your customer inside the VPN.
Static - they need to give you the subnets and you configure from your side
Dynamic - they will be using BGP and need to provide you with the ASN so you configure it on you side.
Relevant documentation: Dynamic: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html
General overview: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html