I have an AWS Site-to-Site VPN connection to a VPC that's managed by Amazon Virtual Private Cloud (Amazon VPC). There are duplicate or identical IP address ranges on multiple interconnected sites, and I want to configure NAT for my Site-to-Site VPN connection.
Short description
AWS Site-to-Site VPN doesn't provide a managed option to apply NAT to VPN traffic.
To apply NAT to VPN traffic, take one of the following actions:
- Use a software-based VPN solution from AWS Marketplace to manually configure NAT.
- Manually configure NAT on an Amazon Elastic Compute Cloud (Amazon EC2) Linux instance that runs a software-based VPN solution and iptables.
The example configuration in the following resolution uses two VPCs. The first VPC terminates an AWS managed Site-to-Site VPN on a virtual private gateway. The second VPC hosts a software-based VPN solution on an EC2 instance, which acts as the customer gateway and also performs the NAT.
Important: To resolve an IP address overlap, you need both source NAT and destination NAT. A private NAT gateway performs only source NAT, so it can't resolve the overlap on its own. A NAT instance, such as the EC2 instance in this resolution, can perform source and destination NAT at the same time.
Resolution
Allow VPN traffic
Configure your VPC route table, security groups, and network access control list (network ACL) to allow VPN traffic.
Complete the following steps:
- In the route table of the subnet that sends traffic over the VPN, create a route for the destination network (the translated, non-overlapping address range that your hosts use to reach the remote site) and set its target to the elastic network interface of the EC2 Linux instance that runs the software-based VPN.
- Confirm that the route table of the instance's subnet has a default route (0.0.0.0/0) whose target is an internet gateway, so that the instance can reach the public IP addresses of the AWS VPN tunnel endpoints.
- Modify the instance's security group to allow inbound UDP on port 500 (ISAKMP/IKE) and port 4500 (IPsec NAT-Traversal). Restrict the source to the outside IP addresses of your VPN tunnel endpoints rather than 0.0.0.0/0.
- Turn off source/destination checks on the instance so that it can forward packets whose source or destination address isn't one of its own.
Configure the VPN connection
- Configure a Site-to-Site VPN connection for your relevant solution, if you don't already have one. You can download Site-to-Site VPN example configuration files.
- Use your distribution's package manager to install your VPN solution on the EC2 Linux instance.
Note: To use strongSwan as a VPN solution, see vpn-gateway-strongswan on the GitHub website.
Configure the iptables
IP forwarding must be turned on in the kernel (the net.ipv4.ip_forward sysctl) or the instance won't route packets between the subnets at all.
To configure iptables for source NAT, run the following sudo iptables command. It rewrites the source address of packets that leave toward the remote network, so the remote side sees a non-overlapping address and can route replies back over the VPN:
sudo iptables -t nat -A POSTROUTING -d your_destination_address_or_CIDR -j SNAT --to-source your_IP_address
Note: Replace your_destination_address_or_CIDR with the real address or CIDR of the remote network, and your_IP_address with the translated source address that the remote side routes back over the VPN.
For destination NAT, run the following sudo iptables command. It rewrites the translated destination address that your local hosts send to back to the real address of the remote host. The rule must carry a -d match; without one, every packet that enters the instance is redirected to the same address:
sudo iptables -t nat -A PREROUTING -d your_translated_destination_address -j DNAT --to-destination your_IP_address
Note: Replace your_translated_destination_address with the non-overlapping address that local hosts use for the remote host, and your_IP_address with the remote host's real address.
To save your running iptables configuration to a file, run the following sudo iptables-save command:
sudo iptables-save > /etc/iptables.conf
To load the iptables configuration on boot, add the following line to /etc/rc.local before the exit 0 statement. The script runs as root, so sudo isn't needed, and the file must be executable. On distributions that use systemd, confirm that the rc-local service is enabled, or use your distribution's iptables persistence package instead.
iptables-restore < /etc/iptables.conf
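The following Python model walks one packet and its reply through the NAT instance so that you can see why both translations are required. It is an added example, not code from the article or from AWS, and the scenario is constructed: both VPCs use 10.0.1.0/24, hosts in the software-VPN VPC reach the remote VPC through the alias range 100.64.1.0/24, and the remote VPC sees them as 100.64.2.0/24 (the alias ranges, host addresses, and the PrefixMap/NatInstance names are assumptions). It generalizes the article's single-address SNAT/DNAT rules to a 1:1 prefix translation with the iptables NETMAP target, which is what you want when whole subnets overlap rather than one host.

```python
"""Packet walk through a Linux NAT instance that hides an overlapping CIDR.

Constructed scenario (not from the article):
  - Remote VPC (behind the AWS managed VPN):      10.0.1.0/24
  - Local VPC (EC2 software VPN + iptables):       10.0.1.0/24 as well
  - Local hosts reach the remote VPC via alias     100.64.1.0/24
    (route 100.64.1.0/24 -> ENI of the VPN instance)
  - The remote VPC sees local hosts as             100.64.2.0/24
    (route 100.64.2.0/24 -> virtual private gateway; 100.64.2.0/24 is the
    remote CIDR in the Site-to-Site VPN tunnel configuration)
PREROUTING DNATs 100.64.1.x -> 10.0.1.x, POSTROUTING SNATs 10.0.1.x -> 100.64.2.x,
and conntrack reverses both translations on the reply.
"""
import ipaddress


class PrefixMap:
    """1:1 prefix substitution, the behaviour of the iptables NETMAP target."""

    def __init__(self, match: str, to: str):
        self.match = ipaddress.ip_network(match)
        self.to = ipaddress.ip_network(to)
        if self.match.prefixlen != self.to.prefixlen:
            raise ValueError("NETMAP needs equal prefix lengths")

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return addr in self.match

    def apply(self, addr: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        # Keep the host bits, swap the network bits.
        host_bits = int(addr) - int(self.match.network_address)
        return self.to.network_address + host_bits


class NatInstance:
    def __init__(self, dnat: PrefixMap, snat: PrefixMap):
        self.dnat, self.snat = dnat, snat
        # conntrack: (translated src, real dst) -> (original src, original dst)
        self.conntrack = {}

    def forward(self, src: str, dst: str):
        """Local -> remote: PREROUTING DNAT, then POSTROUTING SNAT."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not self.dnat.contains(d):
            return (str(s), str(d))  # not an alias address: forwarded untouched
        real_dst = self.dnat.apply(d)
        # POSTROUTING sees the already-DNATed destination, so its -d match is
        # the remote VPC's real CIDR even though it equals the local one.
        new_src = self.snat.apply(s) if self.snat.contains(s) else s
        self.conntrack[(new_src, real_dst)] = (s, d)
        return (str(new_src), str(real_dst))

    def reply(self, src: str, dst: str):
        """Remote -> local reply: conntrack undoes the SNAT and the DNAT."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        entry = self.conntrack.get((d, s))
        if entry is None:
            raise LookupError("no conntrack entry: unsolicited packet, drop it")
        orig_src, orig_dst = entry
        return (str(orig_dst), str(orig_src))

    def iptables_rules(self):
        """The equivalent rules for the EC2 instance (run as root)."""
        return [
            "sysctl -w net.ipv4.ip_forward=1",
            f"iptables -t nat -A PREROUTING -d {self.dnat.match} "
            f"-j NETMAP --to {self.dnat.to}",
            f"iptables -t nat -A POSTROUTING -s {self.snat.match} "
            f"-d {self.dnat.to} -j NETMAP --to {self.snat.to}",
        ]


def demo_instance() -> NatInstance:
    return NatInstance(
        dnat=PrefixMap("100.64.1.0/24", "10.0.1.0/24"),   # alias -> real remote
        snat=PrefixMap("10.0.1.0/24", "100.64.2.0/24"),   # real local -> alias
    )


if __name__ == "__main__":
    nat = demo_instance()
    print("request :", nat.forward("10.0.1.10", "100.64.1.20"))
    print("reply   :", nat.reply("10.0.1.20", "100.64.2.10"))
    print("\n".join(nat.iptables_rules()))
```

The local host 10.0.1.10 sends to the alias 100.64.1.20; the instance emits the packet as 100.64.2.10 to 10.0.1.20, and the reply from 10.0.1.20 arrives addressed to 100.64.2.10 and is delivered to 10.0.1.10 from 100.64.1.20. Neither side ever sees the other's overlapping 10.0.1.0/24 on the wire, which is why the VPN tunnel and the remote route table carry only the 100.64.x.0/24 aliases.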
Optionally, you can test your Site-to-Site VPN connection.