AWS Site-to-Site VPN not working

amazon-web-services site-to-site-vpn

I'm trying to setup a site-to-site VPN connection in AWS. I control the AWS account but the remote firewall is for an external company and not under my control. As my network knowledge is slight I am assuming any problems are at my end.

Unfortunately, all the walk throughs I can find assume you have control over both ends of the connection and don't seem to help me.

As far as I can see the process is simple

  1. Create a Customer Gateway pointing to the remote firewall
  2. Create a Virtual Private Gateway connected to our VPC
  3. Create a Site-to-Site VPN connection to connect the above 2
  4. Set the route propagation fro the VPG to yes

However, when I look at the tunnel details in the AWS console they are always just DOWN and at least currently there are no details available. I have noted the IP addresses the system has given me and passed those onto our customer.

I have read through all the examples I have found and looked at the Network ACLs and security groups and there appears to be nothing blocking the connections in those.

When I set up the connection I have tried both 'Dynamic' and 'Static' Routing options. The problem with the 'Static' option is it is asking for IP Prefixes and I can't workout what I should use. The only other wrinkle is I apparently have to use ikev1 only.

At the moment, after much fiddling the remote firewall is apparently not getting any hits from us at all. Can anyone help, or point to a dummys guide for all this?


In the solution that you've described, after all the configurations that you've mentioned you need to generate the configuration file for that connection using the menu on the top of the page and selecting your customer equipment brand and software version.

Then you send that file to your customer so they import it on their VPN concentrador. They are the ones that need to start the connection against you, not the other way.

Regarding static or dynamic, that refers to the IP or subnets that are going to be advertised by your customer inside the VPN.

Static - they need to give you the subnets and you configure from your side

Dynamic - they will be using BGP and need to provide you with the ASN so you configure it on you side.

Relevant documentation: Dynamic: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html

General overview: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

Related

What are the procedures for upgrading a ProLiant ML370 G5 firmware REMOTELY? I'm thinking via its iLO, and if so, where do I access to do the upgrade
Cant login to newly cloned HyperV server
Is it possible to enforce local GPO over the domain?
How to test which version of TLS my .NET client is using?
Git add a worktree from existing remote branch
How to Log Full Stack Trace with Winston 3?
Spread vs MPI vs zeromq?
Why is ++i considered an l-value, but i++ is not?
What's better, ANTLR or JavaCC? [closed]
reinterpret_cast cast cost
Cannot compile solution in VS due "Attempted to access an unloaded AppDomain" -- how to pin it down?
PropertyInfo : is the property an indexer?