IPSec VPN from USG20-VPN to AWS VPC functional with BGP, but can't ping AWS from Internal?
sectionine
Posts: 2 Freshman Member
I've successfully created an IPSec Site-to-Site VPN from my internal network using the USG20-VPN to my AWS VPC. BGP is functional (at least on the AWS side) and my internal routes are being propagated to the AWS route table automagically. I can ping my internal network devices from an AWS EC2 instance, however, I can NOT ping or connect to AWS resources using local IPs from my internal network. I did a traceroute and found that I'm not leaving the Zyxel. I'm missing something on my end to establish a route from internal to remote over the VPN tunnel. With BGP - my understanding was that I should NOT create any static routes. I did attempt to create a policy route from internal to remote via the tunnel (perhaps inaccurately), to no avail. Any suggestions?
Here is my configuration (AWS VPN Script I executed for the Zyxel USG20-VPN):
! Amazon Web Services
! Virtual Private Cloud
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway for a redundant setup
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
!---------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!---------------------------------------------------------------------------------
isakmp policy amazon-ike-vpn-0
mode main
local-ip ip 73.102.235.240
peer-ip 3.91.166.84
authentication pre-share
keystring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
transform-set aes128-sha
group2
lifetime 28800
no natt
dpd
dpd-interval 15
activate
exit
!---------------------------------------------------------------------------------
! #2: IPSec Configuration
!---------------------------------------------------------------------------------
crypto map amazon-ipsec-vpn-0
ipsec-isakmp amazon-ike-vpn-0
adjust-mss 1379
scenario vpn-tunnel-interface
encapsulation tunnel
transform-set esp-aes128-sha256
set security-association lifetime seconds 3600
set pfs group2
local-policy any
remote-policy any
activate
exit
crypto ignore-df-bit
!---------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!---------------------------------------------------------------------------------
interface vti0
ip address 169.254.46.174 255.255.255.252
ping-check 169.254.46.173 method icmp period 5 timeout 3 fail-tolerance 2
no shutdown
exit
binding interface vti0 crypto-map amazon-ipsec-vpn-0
zone IPSec_VPN
interface vti0
exit
! ----------------------------------------------------------------------------
! #4 Border Gateway Protocol (BGP) Configuration
!-----------------------------------------------------------------------------
router bgp
router-id 73.102.235.240
as-number 65555
neighbor 169.254.46.173 remote-as 64512
neighbor 169.254.46.173 timers 10 30
network 0.0.0.0/0
exit
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
!---------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!---------------------------------------------------------------------------------
isakmp policy amazon-ike-vpn-1
mode main
local-ip ip 73.102.235.240
peer-ip 34.198.99.122
authentication pre-share
keystring XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
transform-set aes128-sha
group2
lifetime 28800
no natt
dpd
dpd-interval 15
activate
exit
!---------------------------------------------------------------------------------
! #2: IPSec Configuration
!---------------------------------------------------------------------------------
crypto map amazon-ipsec-vpn-1
ipsec-isakmp amazon-ike-vpn-1
adjust-mss 1379
scenario vpn-tunnel-interface
encapsulation tunnel
transform-set esp-aes128-sha256
set security-association lifetime seconds 3600
set pfs group2
local-policy any
remote-policy any
activate
exit
crypto ignore-df-bit
!---------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!---------------------------------------------------------------------------------
interface vti1
ip address 169.254.44.10 255.255.255.252
ping-check 169.254.44.9 method icmp period 5 timeout 3 fail-tolerance 2
no shutdown
exit
binding interface vti1 crypto-map amazon-ipsec-vpn-1
zone IPSec_VPN
interface vti1
exit
! ----------------------------------------------------------------------------
! #4 Border Gateway Protocol (BGP) Configuration
!-----------------------------------------------------------------------------
router bgp
router-id 73.102.235.240
as-number 65555
neighbor 169.254.44.9 remote-as 64512
neighbor 169.254.44.9 timers 10 30
network 0.0.0.0/0
exit
Accepted Solution
RESOLVED: turns out I needed to add my local segment (192.168.1.0/24) to the inbound security group rules in AWS.
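The accepted fix, written out as an added example that is not part of the original thread: the same inbound allowance expressed as AWS CLI calls, scoped to the on-prem segment and to the two services actually needed (ICMP echo and SSH) rather than "all traffic". The security group ID, the choice of SSH as the only TCP service and the AWS_CLI override are assumptions for illustration. Security groups are stateful and new ones allow all egress by default, which explains the symptom in the question: flows started on the EC2 instance reached 192.168.1.0/24 and their replies were admitted as tracked return traffic, while flows started on-prem had no inbound rule to match and were dropped at the instance, not at the Zyxel. A TCP rule does not admit ICMP, so ping needs its own rule.

```shell
#!/bin/sh
# Added example (not from the original post): least-privilege inbound rules
# for the on-premises segment on an EC2 instance's security group.
#
# Assumptions (hypothetical values): the instance's security group ID is passed
# in SG_ID; ICMP echo and SSH are the only services needed from on-prem.
# AWS_CLI can be overridden (e.g. AWS_CLI=echo) to preview the calls instead of
# running them against an account.
set -eu

AWS_CLI="${AWS_CLI:-aws}"
ONPREM_CIDR="${ONPREM_CIDR:-192.168.1.0/24}"

# allow_from_onprem SG_ID PROTOCOL PORT
# Authorizes one inbound rule limited to the on-prem CIDR. PORT is -1 for ICMP
# (all types and codes) and a TCP/UDP port number otherwise.
allow_from_onprem() {
    sg="$1"; proto="$2"; port="$3"
    "$AWS_CLI" ec2 authorize-security-group-ingress \
        --group-id "$sg" \
        --protocol "$proto" \
        --port "$port" \
        --cidr "$ONPREM_CIDR"
}

# apply_onprem_rules SG_ID
# The fix from the accepted answer, scoped to the two services actually needed
# from the internal network instead of opening every port to it.
apply_onprem_rules() {
    sg="$1"
    allow_from_onprem "$sg" icmp -1     # ping from on-prem to the instance
    allow_from_onprem "$sg" tcp 22      # SSH from on-prem to the instance
}

# show_onprem_rules SG_ID
# Verification: lists the inbound rules that reference the on-prem CIDR so the
# change can be confirmed (and later audited) without reading the whole group.
show_onprem_rules() {
    sg="$1"
    "$AWS_CLI" ec2 describe-security-groups \
        --group-ids "$sg" \
        --query "SecurityGroups[0].IpPermissions[?contains(IpRanges[].CidrIp, '$ONPREM_CIDR')]" \
        --output table
}

# Only act when a security group was supplied, so sourcing the file is harmless.
if [ -n "${SG_ID:-}" ]; then
    apply_onprem_rules "$SG_ID"
    show_onprem_rules "$SG_ID"
fi
```

Run it as `SG_ID=sg-0123456789abcdef0 sh onprem-sg.sh` with a configured AWS CLI, or prefix `AWS_CLI=echo` to print the calls first. If the instance still does not answer after the rule exists, check the subnet's network ACL next: NACLs are stateless, so both the inbound request and the outbound reply must be allowed there, and the subnet's route table must carry the propagated 192.168.1.0/24 route from the virtual private gateway.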