Connected to Windows Server 2016 VPN on AWS but could not ping resources in VPC
Solution 1:
Finally found the correct steps on how to create a VPN on Windows Server 2016 in AWS. Once connected, the client is able to access resources within the VPC and still access the Internet. Here's the complete list of steps on how it was done for those interested.
Set up the instance and needed interfaces:
- Spin up a Windows Server 2016 instance in EC2 with 1 network interface with a public IP.
- Disable Source/Destination checks on the instance. Ensure that the security group allows RDP from your IP address to the server.
- Connect to the instance and create a loopback adapter to act as a second network interface by following this serverfault answer.
- Allow the following UDP ports in the security group of the server: 500,4500,1701
- Allow the ESP protocol in the security group of the server.
Set up Routing and Remote Access Server:
- Follow this guide to setup RRAS until Step 9. Include Routing along with the VPN.
- On the configuration step, select Remote access (dial-up or VPN).
- Put a check on VPN then click Next.
- Select the network interface connected to the Internet. This would be the AWS PV Network Device. Uncheck the Enable security feature since it will block your RDP access. Block RDP later using the security group.
- On the IP Address Assignment, select From a specified range of addresses.
- Set a static IP range to be given to connecting clients. The first IP in the range will be assigned to the VPN server to act as gateway address. In my case, I just used 192.168.100.1-192.168.100.254.
- RADIUS server? No. Then click Finish. You might lose connectivity from the server for a few minutes.
Set up L2TP:
- Right-click on the server name then click Properties.
- Click on the security tab.
- Put a check on Allow custom IPsec policy, then set the Pre-Shared Key.
- Click OK to save the settings.
- Right-click on the server name. Select All tasks then click Restart.
Set up NAT to allow clients to access the AWS resources and the Internet:
- While still in the RRAS management tool, click on IPv4 on the left panel then right-click on General.
- Click New Routing Protocol then select NAT. Click OK.
- Right-click on NAT then click New Interface.
- Select the Ethernet port connected to the Internet (in my case, Ethernet 2). Select Public interface connected to the Internet. Put a check on Enable NAT. Click OK.
- Right-click again on NAT then click New Interface.
- Select the Ethernet port connected to the loopback interface (in my case, Ethernet). Select Private interface connected to private network. Click OK.
Connect using an L2TP-compatible client.
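The answer above lists the security-group rules (UDP 500, 4500, 1701 plus the ESP protocol) and the client address pool the VPN needs, and tells you to lock RDP down to your own address. The script below is an added example, not code from the answer or from AWS: it audits a saved `describe-security-groups` result offline for exactly those requirements. The JSON sample, the group id `sg-0123456789abcdef0`, the VPC CIDR `10.0.0.0/16` and the function names are all constructed for illustration; the only AWS-specific fact it relies on is that the EC2 API expresses ESP as `IpProtocol` `"50"` and "all traffic" as `"-1"`. It also adds one check the answer does not spell out: the client pool must not overlap the VPC CIDR, otherwise the NAT interface and the VPC routes compete for the same addresses.

```python
"""Offline audit of an EC2 security group for an RRAS L2TP/IPsec server.

Feed it the output of:
    aws ec2 describe-security-groups --group-ids sg-... > sg.json
Everything below is an added example; the sample JSON is constructed.
"""
import ipaddress
import json

# Inbound rules the RRAS L2TP/IPsec setup needs: (IpProtocol, port).
# ESP has no ports, so its port is None. "50" is the EC2 API's name for ESP.
REQUIRED_INBOUND = [("udp", 500), ("udp", 4500), ("udp", 1701), ("50", None)]

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
# It deliberately lacks UDP 1701 and ESP, and leaves RDP open to the world.
SAMPLE_SG_JSON = """
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0123456789abcdef0",
      "GroupName": "rras-l2tp",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
      ]
    }
  ]
}
"""


def load_first_group(sg_json):
    """Return the first security group object from describe-security-groups JSON."""
    return json.loads(sg_json)["SecurityGroups"][0]


def rule_allows(perm, proto, port):
    """True if one IpPermissions entry admits `proto`/`port` (port None = any)."""
    ip_proto = str(perm.get("IpProtocol"))
    if ip_proto == "-1":          # "all traffic" rule covers everything
        return True
    if ip_proto != proto:
        return False
    if port is None:              # protocol-only rule such as ESP
        return True
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def missing_vpn_rules(sg):
    """Required (proto, port) pairs that no rule in the group admits."""
    return [(p, port) for p, port in REQUIRED_INBOUND
            if not any(rule_allows(perm, p, port) for perm in sg["IpPermissions"])]


def rdp_exposure(sg):
    """Sorted list of CIDRs allowed to reach TCP/3389."""
    cidrs = set()
    for perm in sg["IpPermissions"]:
        if rule_allows(perm, "tcp", 3389):
            for r in perm.get("IpRanges", []):
                cidrs.add(r["CidrIp"])
    return sorted(cidrs)


def world_open_rdp(sg):
    """True if any RDP-permitting CIDR is a /0 (open to the whole Internet)."""
    return any(ipaddress.ip_network(c).prefixlen == 0 for c in rdp_exposure(sg))


def pool_overlaps_vpc(pool_first, pool_last, vpc_cidr):
    """True if the RRAS static client pool collides with the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(pool_first),
                                             ipaddress.ip_address(pool_last))
    return any(n.overlaps(vpc) for n in nets)


def audit(sg_json, vpc_cidr, pool):
    """Run every check and return a list of human-readable findings."""
    sg = load_first_group(sg_json)
    findings = []
    for proto, port in missing_vpn_rules(sg):
        what = "ESP (protocol 50)" if proto == "50" else f"{proto}/{port}"
        findings.append(f"{sg['GroupId']}: missing inbound rule for {what}")
    if world_open_rdp(sg):
        findings.append(f"{sg['GroupId']}: RDP (tcp/3389) is open to 0.0.0.0/0; "
                        "restrict it to your own IP")
    if pool_overlaps_vpc(pool[0], pool[1], vpc_cidr):
        findings.append(f"client pool {pool[0]}-{pool[1]} overlaps VPC {vpc_cidr}")
    return findings


if __name__ == "__main__":
    # Assumed VPC CIDR and the answer's client pool; both are illustrative.
    for line in audit(SAMPLE_SG_JSON, "10.0.0.0/16",
                      ("192.168.100.1", "192.168.100.254")):
        print(line)
```

Replace `SAMPLE_SG_JSON` with the contents of `sg.json` from the real CLI call and the VPC's actual CIDR; the findings list is empty once all four inbound rules exist, RDP is limited to a specific CIDR, and the pool sits outside the VPC range.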