IPSec VPN from USG20-VPN to AWS VPC functional with BGP, but can't ping AWS from Internal?

sectionine
sectionine Posts: 2  Freshman Member
First Comment
edited April 2021 in Security
I've successfully created an IPSec Site-to-Site VPN from my internal network using the USG20-VPN to my AWS VPC. BGP is functional (at least on the AWS side) and my internal routes are being propagated to the AWS route table automagically. I can ping my internal network devices from an AWS EC2 instance, however, I can NOT ping or connect to AWS resources using local IPs from my internal network. I did a traceroute and found that I'm not leaving the Zyxel. I'm missing something on my end to establish a route from internal to remote over the VPN tunnel. With BGP - my understanding was that I should NOT create any static routes. I did attempt to create a policy route from internal to remote via the tunnel (perhaps inaccurately), to no avail. Any suggestions?

Here is my configuration (AWS VPN Script I executed for the Zyxel USG20-VPN):


! Amazon Web Services
! Virtual Private Cloud
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway for a redundant setup
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------

isakmp policy amazon-ike-vpn-0
    mode main
    local-ip ip 73.102.235.240
    peer-ip 3.91.166.84
    authentication pre-share
    keystring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    transform-set aes128-sha
    group2
    lifetime 28800
    no natt   
    dpd
    dpd-interval 15
    activate
exit

!---------------------------------------------------------------------------------
! #3: IPSec Configuration
!---------------------------------------------------------------------------------

crypto map amazon-ipsec-vpn-0
    ipsec-isakmp amazon-ike-vpn-0
    adjust-mss 1379
    scenario vpn-tunnel-interface
    encapsulation tunnel
    transform-set esp-aes128-sha256
    set security-association lifetime seconds 3600
    set pfs group2
    local-policy any
    remote-policy any
    activate
exit

crypto ignore-df-bit

!---------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!---------------------------------------------------------------------------------

interface vti0
  ip address 169.254.46.174 255.255.255.252
  ping-check 169.254.46.173 method icmp period 5 timeout 3 fail-tolerance 2
  no shutdown
exit

binding interface vti0 crypto-map amazon-ipsec-vpn-0

zone IPSec_VPN
  interface vti0
exit

! ----------------------------------------------------------------------------
! #4 Border Gateway Protocol (BGP) Configuration
!-----------------------------------------------------------------------------                                                                                    

router bgp
  router-id  73.102.235.240
  as-number 65555
  neighbor 169.254.46.173 remote-as 64512
  neighbor 169.254.46.173 timers 10 30
  network 0.0.0.0/0
exit

! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------

isakmp policy amazon-ike-vpn-1
    mode main
    local-ip ip 73.102.235.240
    peer-ip 34.198.99.122
    authentication pre-share
    keystring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    transform-set aes128-sha
    group2
    lifetime 28800
    no natt   
    dpd
    dpd-interval 15
    activate
exit

!---------------------------------------------------------------------------------
! #3: IPSec Configuration
!---------------------------------------------------------------------------------
crypto map amazon-ipsec-vpn-1
    ipsec-isakmp amazon-ike-vpn-1
    adjust-mss 1379
    scenario vpn-tunnel-interface
    encapsulation tunnel
    transform-set esp-aes128-sha256
    set security-association lifetime seconds 3600
    set pfs group2
    local-policy any
    remote-policy any
    activate
exit

crypto ignore-df-bit

!---------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!---------------------------------------------------------------------------------

interface vti1
  ip address 169.254.44.10 255.255.255.252
  ping-check 169.254.44.9 method icmp period 5 timeout 3 fail-tolerance 2
  no shutdown
exit

binding interface vti1 crypto-map amazon-ipsec-vpn-1

zone IPSec_VPN
  interface vti1
exit

! ----------------------------------------------------------------------------
! #4 Border Gateway Protocol (BGP) Configuration
!-----------------------------------------------------------------------------          

router bgp
  router-id  73.102.235.240
  as-number 65555
  neighbor 169.254.44.9 remote-as 64512
  neighbor 169.254.44.9 timers 10 30
  network 0.0.0.0/0
exit






Accepted Solution

  • sectionine
    sectionine Posts: 2  Freshman Member
    First Comment
    edited March 2019 Answer ✓
    RESOLVED: turns out I needed to add my local segment (192.168.1.0/24) to the inbound security group rules in AWS.

All Replies

  • sectionine
    sectionine Posts: 2  Freshman Member
    First Comment
    edited March 2019 Answer ✓
    RESOLVED: turns out I needed to add my local segment (192.168.1.0/24) to the inbound security group rules in AWS.

Security Highlight