My AWS Site-to-Site VPN (Site-to-Site VPN) can't establish or maintain a connection to my Amazon Virtual Private Cloud (Amazon VPC).
Short description
The Amazon VPC network model supports open standard, encrypted Internet Protocol security (IPsec) VPN connections to AWS infrastructure. To establish a VPN tunnel connection to an Amazon VPC, check the configuration for the following resources:
- VPN tunnel Internet Key Exchange (IKE)
- VPN tunnel IPsec
- Network access control lists (network ACLs)
- Amazon VPC security group rules
- Amazon Elastic Compute Cloud (Amazon EC2) instance network routing table
- Amazon EC2 instance firewall
- Virtual private gateway or transit gateway that terminates the VPN, and its attachment to the VPC
Resolution
Verify that AWS VPN can establish a Site-to-Site VPN tunnel
Make sure that the IKE negotiation (phase 1) completes, and then that the IPsec security association (phase 2) is established. If either phase fails, compare the IKE version, pre-shared key, encryption and integrity algorithms, and Diffie-Hellman groups that are configured on your customer gateway device with the tunnel options of the VPN connection. Also confirm that your customer gateway device can reach the outside IP address of each tunnel on UDP port 500, and on UDP port 4500 when the device is behind NAT (NAT traversal).
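To turn that comparison into a repeatable check, the following added example (not code from the original article or from AWS) reads the accepted tunnel options in the shape that `aws ec2 describe-vpn-connections` returns and intersects them with what the customer gateway device offers. `SAMPLE_VPN` is a constructed, trimmed copy of that API output with invented IDs and addresses, and `DEVICE_PROPOSAL_LEGACY` / `DEVICE_PROPOSAL_FIXED` are assumed summaries of an on-premises device's policy, not the output of any vendor tool. An empty intersection in phase 1 explains an IKE failure; one in phase 2 explains an IPsec failure after IKE succeeded.

```python
"""Compare the IKE/IPsec proposals an AWS Site-to-Site VPN tunnel accepts
with what the customer gateway device offers, to separate a phase 1 (IKE)
failure from a phase 2 (IPsec) failure.

SAMPLE_VPN is a constructed sample of `describe-vpn-connections` output
(field names follow the API; values are invented). DEVICE_PROPOSAL_* are
assumed summaries of the on-premises device policy.
"""

# Tunnel options an administrator has restricted (constructed). The API
# wraps each accepted value as {"Value": ...}.
TUNNEL_OPTS = {
    "IkeVersions": [{"Value": "ikev2"}],
    "Phase1EncryptionAlgorithms": [{"Value": "AES256"}, {"Value": "AES256-GCM-16"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase1DHGroupNumbers": [{"Value": 14}, {"Value": 19}],
    "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
    "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
    "Phase2DHGroupNumbers": [{"Value": 14}],
}

SAMPLE_VPN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "State": "available",
    "Options": {
        "StaticRoutesOnly": False,
        "TunnelOptions": [
            {"OutsideIpAddress": "203.0.113.10", **TUNNEL_OPTS},
            {"OutsideIpAddress": "203.0.113.11", **TUNNEL_OPTS},
        ],
    },
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0},
    ],
}

# Device still offers legacy IKEv1 parameters that the restricted tunnel
# no longer accepts, so phase 1 never completes (assumed scenario).
DEVICE_PROPOSAL_LEGACY = {
    "ike_version": ["ikev1"], "p1_encryption": ["AES128"],
    "p1_integrity": ["SHA1"], "p1_dh_group": [2],
    "p2_encryption": ["AES256"], "p2_integrity": ["SHA2-256"], "p2_dh_group": [14],
}

# Corrected device policy that overlaps the AWS set in both phases.
DEVICE_PROPOSAL_FIXED = {
    "ike_version": ["ikev2"], "p1_encryption": ["AES256"],
    "p1_integrity": ["SHA2-256"], "p1_dh_group": [14],
    "p2_encryption": ["AES256"], "p2_integrity": ["SHA2-256"], "p2_dh_group": [14],
}

# (AWS tunnel-option key, device-proposal key), grouped by phase.
CHECKS = {
    "phase1": [("IkeVersions", "ike_version"),
               ("Phase1EncryptionAlgorithms", "p1_encryption"),
               ("Phase1IntegrityAlgorithms", "p1_integrity"),
               ("Phase1DHGroupNumbers", "p1_dh_group")],
    "phase2": [("Phase2EncryptionAlgorithms", "p2_encryption"),
               ("Phase2IntegrityAlgorithms", "p2_integrity"),
               ("Phase2DHGroupNumbers", "p2_dh_group")],
}


def accepted(tunnel_opts, key):
    """Flatten the API's [{"Value": ...}, ...] list into a set."""
    return {item["Value"] for item in tunnel_opts.get(key, [])}


def negotiation_gaps(tunnel_opts, device):
    """Return {phase: [AWS option names with no common proposal]}; {} means
    both phases can agree on these parameters."""
    gaps = {}
    for phase, pairs in CHECKS.items():
        for aws_key, dev_key in pairs:
            if not accepted(tunnel_opts, aws_key) & set(device[dev_key]):
                gaps.setdefault(phase, []).append(aws_key)
    return gaps


def tunnel_report(vpn, device):
    """Per-tunnel telemetry status plus the proposal gaps for that tunnel."""
    telemetry = {t["OutsideIpAddress"]: t for t in vpn["VgwTelemetry"]}
    report = []
    for opts in vpn["Options"]["TunnelOptions"]:
        tel = telemetry[opts["OutsideIpAddress"]]
        entry = {"tunnel": opts["OutsideIpAddress"], "status": tel["Status"],
                 "gaps": negotiation_gaps(opts, device)}
        # UP on a BGP (dynamic) VPN but zero accepted routes points at BGP,
        # not at IKE/IPsec.
        if (tel["Status"] == "UP" and not vpn["Options"]["StaticRoutesOnly"]
                and tel["AcceptedRouteCount"] == 0):
            entry["note"] = "tunnel is up but BGP has accepted no routes"
        report.append(entry)
    return report


if __name__ == "__main__":
    for label, device in (("legacy", DEVICE_PROPOSAL_LEGACY), ("fixed", DEVICE_PROPOSAL_FIXED)):
        for entry in tunnel_report(SAMPLE_VPN, device):
            print(label, entry["tunnel"], entry["status"], entry["gaps"] or "proposals compatible")
```

Run it against real output by replacing `SAMPLE_VPN` with one element of the `VpnConnections` list from `aws ec2 describe-vpn-connections --vpn-connection-ids <id>`; the pre-shared key and outside IP reachability are not visible in that output and still need to be checked on the device.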
Troubleshoot common routing issues
Complete the following steps:
- Open the Amazon VPC console.
- Review the network ACLs of the subnets that the instances use to make sure that they allow the required traffic.
Note: Custom network ACLs can affect the attached VPN's network connectivity. Network ACLs are stateless, so the reply to a request is evaluated separately from the request itself.
- Configure inbound rules that allow the specific destination ports from your on-premises CIDR, and outbound rules that allow the ephemeral source ports (1024-65535) back to your on-premises CIDR so that return traffic isn't dropped.
- Verify that the route table associated with the subnet of your Amazon EC2 instances has a route to your on-premises CIDR through the virtual private gateway or transit gateway (for example, through route propagation for a virtual private gateway).
- If you use an Active/Active configuration, then make sure to activate Asymmetric routing on your virtual tunnel interfaces. For more information, see How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?
- Make sure that no host firewall on the Amazon EC2 instance inside the VPC blocks the traffic. Inspect the firewall based on your operating system (OS).
Windows:
Open a command prompt, and then run wf.msc to open Windows Defender Firewall with Advanced Security and review the inbound rules. For more information, see Open Windows Firewall with Advanced Security on the Microsoft website.
Linux:
Open a terminal, and then run sudo iptables -L -n -v (or the equivalent nft list ruleset on nftables-based systems) to list the active rules and their packet counters. For more information, see Sysadmin tools: How to use iptables on the Red Hat website.
- If you use a policy-based VPN, then configure a single encryption domain: set the source address from your internal network as 0.0.0.0/0, and set the destination address as the VPC CIDR. An AWS VPN tunnel supports only one pair of security associations, so multiple policy entries cause traffic that matches the extra entries to be dropped. For more configuration steps, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?
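The network ACL and route table steps above are easy to get wrong by hand because the ACL is stateless and the route lookup is longest-prefix. The following added example (not code from the original article or from AWS) replays one HTTPS flow from the on-premises network through a subnet's network ACL in both directions and then looks up the return route. The ACL entries and route table are constructed samples in the shape that `aws ec2 describe-network-acls` and `aws ec2 describe-route-tables` return; the CIDRs, gateway IDs and ports are invented.

```python
"""Replay an on-premises -> instance flow through a stateless network ACL
and the subnet route table. The broken ACL mirrors port 443 outbound
instead of allowing the ephemeral range, so the reply is denied.

All entries below are constructed samples in the describe-network-acls /
describe-route-tables shape; addresses and IDs are invented.
"""
import ipaddress

ON_PREM = "10.10.0.0/16"  # assumed customer network behind the VPN

# Every network ACL ends with rule 32767, the default deny in each direction.
DEFAULT_DENY = [
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

# Broken: HTTPS allowed in, but outbound only allows destination port 443,
# so the reply (destination = client's ephemeral port) falls through to deny.
ACL_BROKEN = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": ON_PREM, "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": ON_PREM, "PortRange": {"From": 443, "To": 443}},
] + DEFAULT_DENY

# Fixed: outbound allows the ephemeral range that clients use as source port.
ACL_FIXED = [
    ACL_BROKEN[0],
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": ON_PREM, "PortRange": {"From": 1024, "To": 65535}},
] + DEFAULT_DENY


def acl_verdict(entries, egress, remote_ip, protocol, port):
    """Evaluate one direction: the lowest RuleNumber that matches wins.
    CidrBlock is the source for inbound rules and the destination for
    outbound rules, so remote_ip is always the far end of the flow; port is
    the destination port of the packet being evaluated."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if addr not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        if rule["Protocol"] not in ("-1", protocol):
            continue
        pr = rule.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return rule["RuleAction"], rule["RuleNumber"]
    return "deny", None  # not reached when rule 32767 is present


def flow_allowed(entries, remote_ip, protocol, dst_port, ephemeral_port):
    """Check both halves of an exchange that the remote host initiates."""
    request = acl_verdict(entries, False, remote_ip, protocol, dst_port)
    reply = acl_verdict(entries, True, remote_ip, protocol, ephemeral_port)
    return {"request": request, "reply": reply,
            "ok": request[0] == "allow" and reply[0] == "allow"}


# Subnet route table: the implicit local route plus a route to the
# on-premises CIDR propagated from the virtual private gateway.
ROUTES = [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": ON_PREM, "GatewayId": "vgw-0abc1234def567890",
     "State": "active", "Origin": "EnableVgwRoutePropagation"},
]


def next_hop(routes, dst_ip):
    """Longest-prefix match as the VPC router does; None means there is no
    route, so the instance's reply never reaches the VPN."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None:
        return None
    return best[1].get("GatewayId") or best[1].get("TransitGatewayId")


if __name__ == "__main__":
    for name, acl in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        print(name, flow_allowed(acl, "10.10.5.7", "6", 443, 51515))
    print("route to 10.10.5.7 ->", next_hop(ROUTES, "10.10.5.7"))
    print("route to 192.168.1.1 ->", next_hop(ROUTES, "192.168.1.1"))
```

To check a real subnet, paste the `Entries` list from `describe-network-acls` and the `Routes` list from `describe-route-tables` in place of the samples; the second `next_hop` call shows what a missing on-premises route looks like (no match, so no return path).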
Make sure that traffic from your network reaches your EC2 instance
Complete the following steps:
- Open the terminal.
- Run the following command from your internal network to verify that Internet Control Message Protocol (ICMP) connectivity to the instance works:
ping example_IP
Note: Replace example_IP with your instance's private IP address.
If the ping fails, add an ICMP rule to the instance's security group and to the subnet's network ACL. Security groups are stateful, so an inbound ICMP rule is enough; network ACLs are stateless, so allow ICMP in both directions.
- Based on your OS, run one of the following utilities from your internal network to an instance in the VPC that connects to the VPN.
Linux:
traceroute example-destination-IP-address
Windows:
tracert example-destination-IP-address
If the output for traceroute or tracert stops at an IP address associated with your internal network, then verify that the routing path is correct. For more information, see How do I read and troubleshoot my traceroute to resolve AWS Direct Connect issues?
Troubleshoot issues with the customer gateway device
If traffic from your internal network reaches the customer gateway device but doesn't reach the instance, then take the following actions:
- Verify the VPN settings, the traffic selectors or policies, and any network address translation (NAT) rules on the customer gateway device. NAT that is applied to traffic before it enters the tunnel changes the source address, so the traffic can fall outside the encryption domain or outside the routes configured on the AWS side.
- Make sure that upstream devices allow traffic.
Note: To verify configurations and other settings on the customer gateway device, check the vendor documentation for your customer gateway device.
Troubleshoot BGP issues
To troubleshoot Border Gateway Protocol (BGP) connection issues, see How do I troubleshoot connection issues over VPN?
Related information
AWS Site-to-Site VPN single and multiple VPN connection examples
How AWS Site-to-Site VPN works