Hello! I'm trying to get an AWS VPN connection set up with an EdgeRouter Lite.
We have multiple locations that are all connected with each other with Meraki Firewalls using Site-to-site VPN. Each network can talk to the other with no issues. What I'm trying to do is use our EdgeRouter Lite to connect to our AWS VPC using a VPN connection. I got everything all set up and I am able to communicate to and from our EC2 server on the network that the EdgeRouter is directly connected to.
Any other network, however, is unable to even ping from other networks... I tried a tracert from a computer on a remote network and it at least makes it to the ERL before starting to show request timed out... While on a computer that is on the same network as the ERL it makes it all the way to the EC2 instance and stops...
So I figured it was a problem with AWS Routing somehow... When I take a look at the VPN Connection Tunnel Details it only shows 1 BGP Route (and only the network the ERL is on shows in the Route Tables when Route Propagation is turned on)... I tried manually adding a remote network and it still did not tracert or ping.
When I check my bgp 65000 it lists all of the networks prefixes we have. But AWS is still only getting the one network...
I ran "show ip bgp neighbors 169.254.x.x advertised-routes" and it also only shows the one network...
Does anyone have any ideas as to what I'm missing?
EdgeRouter Lite
Firmware Version: 1.9.0
Sample of VPN Setup:
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer <tunnel ip 1> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <tunnel ip 1> authentication pre-shared-secret 'super-duper-secret-sauce'
set vpn ipsec site-to-site peer <tunnel ip 1> description 'VPC tunnel 1'
set vpn ipsec site-to-site peer <tunnel ip 1> ike-group 'AWS'
set vpn ipsec site-to-site peer <tunnel ip 1> local-address '10.0.1.250'
set vpn ipsec site-to-site peer <tunnel ip 1> vti bind 'vti0'
set vpn ipsec site-to-site peer <tunnel ip 1> vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti0 address '169.254.x.y/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65000 neighbor 169.254.x.x remote-as '7224'
set protocols bgp 65000 neighbor 169.254.x.x soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.x.x timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.x.x timers keepalive '30'
set protocols bgp 65000 network 10.0.1.0/24
set protocols bgp 65000 network 10.0.11.0/24
set protocols bgp 65000 network 10.0.21.0/24
set protocols bgp 65000 network 10.0.31.0/24
Pinging or Trace
Works: 10.0.1.50 -> 172.30.1.50
Doesn't: 10.0.11.25 -> 172.30.1.50 (EC2 Instance)
Works: 172.30.1.50 -> 10.0.1.50
Doesn't: 172.30.1.50 -> 10.0.11.50
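One check worth running when a BGP `network` statement shows up in the local BGP table but never in `advertised-routes`: Quagga, the routing daemon EdgeOS uses, only originates a `network` prefix when exactly that prefix is present in the routing table (its default import-check behaviour); a less-specific covering route toward another office does not satisfy it. The script below is an added example, not code from the post or from Ubiquiti or AWS. It parses the `set protocols bgp ... network` lines from the post and compares them against a constructed routing table; the connected interface name and the summary route via a Meraki next hop are assumptions made for illustration.

```python
"""Report which BGP `network` statements have an exact match in the routing table.

Added example, not from the original post. Quagga (used by EdgeOS) will not
advertise a `network` prefix unless exactly that prefix exists in the RIB;
a covering summary route is not enough. All inputs below are constructed.
"""
import ipaddress
import re

# Constructed: the BGP `network` lines from the posted configuration.
SET_CONFIG = """
set protocols bgp 65000 network 10.0.1.0/24
set protocols bgp 65000 network 10.0.11.0/24
set protocols bgp 65000 network 10.0.21.0/24
set protocols bgp 65000 network 10.0.31.0/24
"""

# Constructed routing table as (prefix, source). Assumptions: the local LAN is
# connected on eth1, and the remote offices are only reachable through one
# summary route toward a hypothetical Meraki next hop at 10.0.1.1.
RIB = [
    ("10.0.1.0/24", "connected eth1"),
    ("10.0.0.0/16", "static via 10.0.1.1"),
]

NETWORK_RE = re.compile(r"^set protocols bgp (\d+) network (\S+)$")


def bgp_networks(config_text):
    """Return the prefixes configured with `set protocols bgp <asn> network`."""
    nets = []
    for line in config_text.strip().splitlines():
        match = NETWORK_RE.match(line.strip())
        if match:
            nets.append(ipaddress.ip_network(match.group(2)))
    return nets


def check_import(networks, rib):
    """Classify each configured prefix against the routing table.

    'exact'        -> an identical prefix is in the RIB; Quagga will advertise it.
    'covered by …' -> only a less-specific route exists; NOT advertised by default.
    'missing'      -> no route at all covers the prefix.
    """
    rib_nets = [(ipaddress.ip_network(prefix), src) for prefix, src in rib]
    report = {}
    for net in networks:
        exact = [src for prefix, src in rib_nets if prefix == net]
        covering = [
            f"{prefix} ({src})"
            for prefix, src in rib_nets
            if prefix != net and net.subnet_of(prefix)
        ]
        if exact:
            report[str(net)] = "exact"
        elif covering:
            report[str(net)] = "covered by " + ", ".join(covering)
        else:
            report[str(net)] = "missing"
    return report


def run_check():
    """Run the check on the constructed inputs and return the report."""
    report = check_import(bgp_networks(SET_CONFIG), RIB)
    for prefix, status in report.items():
        flag = "OK " if status == "exact" else "NOT ADVERTISED"
        print(f"{flag:15} {prefix:16} {status}")
    return report


if __name__ == "__main__":
    run_check()
```

With the constructed table only 10.0.1.0/24 is marked as advertised; the three remote prefixes are reported as covered only by the summary route. On a real router, compare the output against `show ip route` and `show ip bgp neighbors <peer> advertised-routes` rather than a constructed list, and remember that any prefix you do make visible to the VPC will be reachable from it, so the VPC security groups and the return routes on the Meraki side should be reviewed alongside the BGP change.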